CrystalX is a new malware-as-a-service promoted on Telegram and YouTube that offers remote access, data theft, keylogging, clipboard hijacking, and a variety of prankware features. Kaspersky links CrystalX to WebRAT (Salat Stealer) and describes a Go-based builder, user-friendly control panel, zlib-compressed ChaCha20-encrypted payloads, WebSocket C2, browser and app infostealers, remote VNC control, audio/video capture, and real-time keylogging.
Keypoints
- CrystalX is a malware-as-a-service launched in January and promoted on Telegram and YouTube with a tiered subscription model.
- Kaspersky finds strong similarities to WebRAT (Salat Stealer), including panel design, Go-based code, and a bot-based sales system.
- The MaaS provides a user-friendly control panel and automated builder with customization, geoblocking, anti-analysis protections, and ChaCha20-encrypted, zlib-compressed payloads.
- Modules include an infostealer targeting Chromium-based browsers and apps like Steam, Discord, and Telegram, plus remote access, VNC control, audio/video capture, real-time keylogging, and a clipboard clipper.
- Distinctive prankware features (wallpaper changes, input disabling, fake notifications, and more) may attract low-skilled actors or distract victims while data theft runs.