CrystalX RAT is described as a new malware-as-a-service (MaaS) offering that combines spyware, data theft and remote access. It was promoted in a March 2026 Telegram campaign with three subscription tiers. First seen in January 2026 as Webcrystal RAT, it has since been rebranded and, as noted by Kaspersky, is marketed with features including RAT capabilities, data theft, keylogging, clipping, spyware and prank functions.
The service provides a control panel with an auto-builder that lets attackers tailor features such as geoblocking, anti-analysis tools, and file appearance. Payloads are compressed with zlib and encrypted using ChaCha20.
The malware establishes a connection to a hard-coded C2 URL over WebSocket and collects system information. It then runs a stealer function that can extract credentials from Steam, Discord and Telegram and gather data from Chromium-based browsers via the ChromeElevator utility. The stolen data is sent to the C2.
Although the stealer feature is currently disabled for updates, the malware provides full remote access: it can run commands, manage files, control the screen via VNC, and capture audio and video. Additional prankware, grouped under a “Rofl” section, is meant to annoy victims. The initial infection vector remains unclear, but dozens of victims have been affected, primarily in Russia. Researchers warn that the MaaS has no geographic limits and could spread globally as development continues.
According to the report by Kaspersky, CrystalX RAT represents a highly functional MaaS platform that is not limited to espionage but includes spyware, keylogging, remote control, and unique stealer and prankware features.
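The stealer behaviour described above (one process reaching into Steam, Discord, Telegram and Chromium credential stores) can be hunted for in file-access telemetry. The following is an added example, not code from Kaspersky's report: the event fields (`host`, `image`, `target`), the path patterns (default Windows install locations) and the owner-process lists are assumptions, and the sample events are constructed.

```python
import ntpath
import re

# Credential stores of the applications the report says the stealer targets.
# Path patterns are assumptions based on default Windows install locations
# of each application; they do not come from the report.
SENSITIVE = {
    "chromium": (re.compile(r"\\user data\\(local state|[^\\]+\\(login data|network\\cookies))$"),
                 {"chrome.exe", "msedge.exe", "brave.exe"}),
    "discord": (re.compile(r"\\discord\\local storage\\leveldb\\"), {"discord.exe"}),
    "telegram": (re.compile(r"\\telegram desktop\\tdata\\"), {"telegram.exe"}),
    "steam": (re.compile(r"\\steam\\config\\(loginusers|config)\.vdf$"), {"steam.exe"}),
}

def classify(event):
    """Return the store name if a non-owning process touched it, else None."""
    path = event["target"].lower()
    image = ntpath.basename(event["image"]).lower()
    for store, (pattern, owners) in SENSITIVE.items():
        if pattern.search(path) and image not in owners:
            return store
    return None

def hunt(events, threshold=2):
    """Report processes that touched at least `threshold` distinct stores."""
    hits = {}
    for ev in events:
        store = classify(ev)
        if store:
            hits.setdefault((ev["host"], ev["image"]), set()).add(store)
    return {k: sorted(v) for k, v in hits.items() if len(v) >= threshold}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws-01", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"host": "ws-01", "image": r"C:\Users\a\AppData\Local\Temp\setup.exe",
     "target": r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Local State"},
    {"host": "ws-01", "image": r"C:\Users\a\AppData\Local\Temp\setup.exe",
     "target": r"C:\Users\a\AppData\Roaming\discord\Local Storage\leveldb\000005.ldb"},
    {"host": "ws-01", "image": r"C:\Users\a\AppData\Local\Temp\setup.exe",
     "target": r"C:\Users\a\AppData\Roaming\Telegram Desktop\tdata\key_datas"},
    {"host": "ws-02", "image": r"C:\Tools\backup.exe",
     "target": r"C:\Program Files (x86)\Steam\config\loginusers.vdf"},
]

if __name__ == "__main__":
    for (host, image), stores in hunt(SAMPLE_EVENTS).items():
        print(host, image, stores)
```

Requiring two or more distinct stores per process keeps single-application tools such as backup utilities out of the results; lower `threshold` to 1 to review those as well.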