CrystalRAT Telegram-promoted malware-as-a-service
Malware Activity
Summary
Hide ▲
Show ▼
The CrystalRAT malware-as-a-service is being promoted on Telegram and YouTube with remote access, data theft, keylogging, and clipboard hijacking, increasing the risk of credential and wallet theft on infected systems. The offer uses a tiered subscription model and adds prankware features that can distract victims while theft modules operate. It also includes a control panel and automated builder that make deployment and customization easier for operators.
Related Happenings
Discord defaults voice and video calls to end-to-end encryption
Security Tool/Service
H score58
First: 19.05.2026 23:37
Last: 19.05.2026 23:37
Sources 1
About this happening:
**Discord** has made **end-to-end encryption (E2EE)** the default for **voice and video calls**, strengthening privacy across a widely used communications platform. The rollout wa...
Discord defaults voice and video calls to end-to-end encryption
Security Tool/ServiceAbout this happening: **Discord** has made **end-to-end encryption (E2EE)** the default for **voice and video calls**, strengthening privacy across a widely used communications platform. The rollout wa...
Gremlin stealer modular toolkit evolution
Malware Activity
H score21
First: 15.05.2026 17:19
Last: 15.05.2026 17:19
Sources 1
About this happening:
The **Gremlin stealer** malware has expanded into a **modular toolkit** with **session-hijacking** and **crypto clipping** capabilities, raising the risk of credential theft and a...
Gremlin stealer modular toolkit evolution
Malware ActivityAbout this happening: The **Gremlin stealer** malware has expanded into a **modular toolkit** with **session-hijacking** and **crypto clipping** capabilities, raising the risk of credential theft and a...
REMUS underground ecosystem shift changes threat-actor operations
Threat Actor Meta
H score6
First: 15.05.2026 17:02
Last: 15.05.2026 17:02
Sources 1
About this happening:
The **REMUS underground operation** is turning **REMUS** into a continuously updated **MaaS** product, increasing **operational scalability** and monetization risk across undergro...
REMUS underground ecosystem shift changes threat-actor operations
Threat Actor MetaAbout this happening: The **REMUS underground operation** is turning **REMUS** into a continuously updated **MaaS** product, increasing **operational scalability** and monetization risk across undergro...
REMUS infostealer browser-session and password-manager collection expansion
Malware Activity
H score21
First: 15.05.2026 17:02
Last: 15.05.2026 17:02
Sources 1
About this happening:
**REMUS** expanded its **session-theft** and **password-manager** collection capabilities, increasing the malware’s ability to capture authenticated access and browser-side data....
REMUS infostealer browser-session and password-manager collection expansion
Malware ActivityAbout this happening: **REMUS** expanded its **session-theft** and **password-manager** collection capabilities, increasing the malware’s ability to capture authenticated access and browser-side data....
Bluekit alliance reshapes ransomware ecosystem operations
Threat Actor Meta
H score25
First: 30.04.2026 21:58
Last: 30.04.2026 21:58
Sources 1
About this happening:
Bluekit's **AI-assisted** phishing kit has expanded into an **all-in-one** service, lowering the barrier for cybercriminal operators and signaling a more industrialized phishing m...
Bluekit alliance reshapes ransomware ecosystem operations
Threat Actor MetaAbout this happening: Bluekit's **AI-assisted** phishing kit has expanded into an **all-in-one** service, lowering the barrier for cybercriminal operators and signaling a more industrialized phishing m...
Latest development: 25.06.2026 18:00
Bluekit phishing-as-a-service added browser-in-the-middle (BitM) login theft and nearly 70 new hostnames over the past week. Netcraft said the kit now uses the open-source JavaScript library rrweb to serialize the page DOM and stream it over a WebSocket connection, while the live 5-second monitoring system and victim qualification checks remain in use.
Timeline
-
02.04.2026 02:17 2 articles · 3mo ago
CrystalRAT Telegram-promoted malware-as-a-service
Initial DisclosureIn **January**, **CrystalRAT** appeared as a **tiered subscription** service and began being marketed on **Telegram**. The early offer centered on selling remote access and data-theft functions as a subscription product.
Show sources
- New CrystalRAT malware adds RAT, stealer and prankware features — www.bleepingcomputer.com — 02.04.2026 02:17
- New CrystalRAT malware adds RAT, stealer and prankware features — www.bleepingcomputer.com — 02.04.2026 02:17