Kaspersky’s Securelist reports that CrystalX RAT, promoted in March 2026 as a malware-as-a-service with three subscription tiers, combines spyware, stealer, keylogger, clipper and prankware capabilities in a single platform. The operator’s private Telegram channels and a busy YouTube channel are used to market the Webcrystal RAT, which researchers note is a rebranded, Go-written successor to WebRAT (Salat Stealer).
The panel offers an auto-builder for configurations, with payloads compressed with zlib and encrypted with ChaCha20 using a hard-coded 32-byte key and a 12-byte nonce. Stealer functionality extracts credentials for Steam, Discord and Telegram, as well as for Chromium-based browsers (using ChromeElevator), and the data is exfiltrated to a hard-coded C2 URL over WebSocket.
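For analysts triaging a sample, the layering described above unwinds in reverse order: ChaCha20 first, then zlib. The following is an added example, not code from Securelist or from the malware; it assumes the key and nonce have already been recovered from the binary and that the cipher is standard RFC 8439 ChaCha20 with a block counter starting at 0, and every value in it is a constructed placeholder.

```python
import struct
import zlib

MASK = 0xFFFFFFFF

def _rotl(v, n):
    return ((v << n) & MASK) | (v >> (32 - n))

def _qr(s, a, b, c, d):
    # ChaCha quarter round (RFC 8439, section 2.1)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)

def chacha20_block(key, counter, nonce):
    # State: 4 constant words, 8 key words, 1 counter word, 3 nonce words
    init = list(struct.unpack("<4I", b"expand 32-byte k")) + list(struct.unpack("<8I", key))
    init += [counter & MASK, *struct.unpack("<3I", nonce)]
    s = init[:]
    for _ in range(10):  # 10 double rounds = 20 rounds
        _qr(s, 0, 4, 8, 12); _qr(s, 1, 5, 9, 13); _qr(s, 2, 6, 10, 14); _qr(s, 3, 7, 11, 15)
        _qr(s, 0, 5, 10, 15); _qr(s, 1, 6, 11, 12); _qr(s, 2, 7, 8, 13); _qr(s, 3, 4, 9, 14)
    return struct.pack("<16I", *((x + y) & MASK for x, y in zip(s, init)))

def chacha20_xor(key, nonce, data, counter=0):
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = chacha20_block(key, counter + off // 64, nonce)
        out += bytes(x ^ y for x, y in zip(data[off:off + 64], ks))
    return bytes(out)

def decode_config(blob, key, nonce, counter=0):
    # Hypothetical helper: decrypt, then inflate; a zlib failure signals wrong parameters
    if len(key) != 32 or len(nonce) != 12:
        raise ValueError("expected a 32-byte key and a 12-byte nonce")
    try:
        return zlib.decompress(chacha20_xor(key, nonce, blob, counter))
    except zlib.error as exc:
        raise ValueError("not zlib after decryption: wrong key, nonce or counter") from exc

if __name__ == "__main__":
    KEY, NONCE = bytes(range(32)), bytes(12)  # constructed placeholders, not real IoCs
    sample = zlib.compress(b'{"c2": "wss://c2.example.invalid/ws"}')  # constructed config
    blob = chacha20_xor(KEY, NONCE, sample)
    print(decode_config(blob, KEY, NONCE))
```

Because zlib output ends with an Adler-32 checksum, a successful inflate is a reliable sign that the extracted key, nonce and counter are correct.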
The malware also includes a large remote-access toolset, a VNC-like viewer, and microphone and camera capture, while the “Rofl” section introduces prank commands such as setting a background image, rotating the display and remapping mouse buttons. Kaspersky notes that while OSINT shows dozens of victims and initial infections in Russia, the MaaS has no regional restrictions and new implant versions are being developed.