Full Report
A new malware-as-a-service called CrystalRAT is being promoted on Telegram, offering remote access, data theft, keylogging, and clipboard hijacking capabilities. [...]
Analysis Summary
# Tool/Technique: CrystalRAT (also known as CrystalX)
## Overview
CrystalRAT is a high-capability Malware-as-a-Service (MaaS) written in Go, promoted primarily through Telegram and YouTube. It functions as a hybrid Remote Access Trojan (RAT), InfoStealer, and "Prankware." It utilizes a tiered subscription model and provides an automated builder tool for its customers. The malware bears significant similarities to WebRAT (Salat Stealer), sharing code structures and panel designs.
## Technical Details
- **Type:** Malware Family (RAT / InfoStealer)
- **Platform:** Windows
- **Capabilities:** Remote Access, Data Exfiltration, Keystroke Logging, Clipboard Hijacking, Surveillance (Audio/Video), and System Manipulation.
- **First Seen:** January 2026 (approx.)
## MITRE ATT&CK Mapping
- **TA0002 - Execution**
  - T1059.003 - Command and Scripting Interpreter: Windows Command Shell
- **TA0003 - Persistence**
  - T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information: payloads encrypted with ChaCha20 and zlib-compressed.
  - T1497.001 - Virtualization/Sandbox Evasion: System Checks.
  - T1562.001 - Impair Defenses: Disable or Modify Tools (Task Manager, CMD).
- **TA0006 - Credential Access**
  - T1555.003 - Credentials from Password Stores: Credentials from Web Browsers.
  - T1056.001 - Input Capture: Keylogging.
- **TA0007 - Discovery**
  - T1082 - System Information Discovery.
- **TA0009 - Collection**
  - T1113 - Screen Capture.
  - T1123 - Audio Capture.
  - T1115 - Clipboard Data (the clipper both reads and rewrites clipboard contents).
- **TA0011 - Command and Control**
  - T1071.001 - Application Layer Protocol: Web Protocols (WebSocket C2).
## Functionality
### Core Capabilities
- **Remote Access:** Integrated VNC for real-time control and file system browsing (upload/download).
- **Information Stealing:** Targeted theft from Chromium browsers (Chrome, Yandex, Opera), Steam, Discord, and Telegram.
- **Keylogger:** Real-time streaming of keystrokes to the C2 server.
- **Clipper:** Uses regular expressions to monitor the clipboard for cryptocurrency wallet addresses and swap them with attacker-controlled addresses.
### Advanced Features
- **Anti-Analysis:** Built-in checks for Virtual Machines (VMs), debuggers, and proxies; geoblocking to restrict infections to specific regions.
- **ChromeElevator:** Specialized tool used for privilege escalation or data extraction within Chromium browsers.
- **Prankware Module:** Extensive features to harass victims, including remapping mouse buttons, flipping screen orientation, hiding the Taskbar/icons, and opening forced chat windows.
## Indicators of Compromise
- **File Hashes:** [See Kaspersky/Securelist report for specific SHA256 hashes]
- **File Names:** `CrystalX.exe`, `ChromeElevator.exe`
- **Registry Keys:** Persistence entries are typically written under `Software\Microsoft\Windows\CurrentVersion\Run`.
- **Network Indicators:**
  - C2 communication via WebSockets (`ws://` or `wss://`)
  - [Defanged C2 Domains/IPs]: `example[.]com`, `crystalrat-panel[.]top` (search current intel feeds for specific active nodes).
- **Behavioral Indicators:**
  - Use of `ChaCha20` encryption libraries in Go-compiled binaries.
  - `cmd.exe` or `powershell.exe` spawned by an unsigned executable running from `AppData`.
  - Sudden disabling of `taskmgr.exe`.
## Associated Threat Actors
- Unknown; marketed to entry-level cybercriminals and "script kiddies" via Telegram and YouTube marketing channels.
## Detection Methods
- **Signature-based detection:** Antivirus signatures for Go-based malware and known CrystalRAT/WebRAT code blocks.
- **Behavioral detection:**
  - Monitoring for unauthorized modification of the system clipboard (clipper behavior).
  - Identification of WebSocket traffic to non-standard ports or suspicious domains.
  - Detection of processes attempting to disable Task Manager or hide desktop components.
- **YARA rules:** Target the ChaCha20 implementation and the specific JSON structures used for C2 profiling.
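As an added illustration of the behavioral indicators and detection methods listed above (this code is not from the Securelist report or any vendor), the following Python classifier runs three of those checks over constructed Sysmon-style events: a shell spawned from an unsigned binary under `AppData`, a Run-key entry pointing into a user-writable directory, and the Windows policy values that disable Task Manager and `cmd.exe`. The event field names, the sample paths, and the policy-value mechanism (the report only says the tools get disabled, not how) are assumptions.

```python
import re

# Constructed sample events modelled on Sysmon process-create (EventID 1) and
# registry value-set (EventID 13) records; every path and value is made up.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Users\alice\AppData\Roaming\CrystalX.exe", "parent_signed": False},
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe", "parent_signed": True},
    {"id": 13, "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr",
     "details": "DWORD (0x00000001)"},
    {"id": 13, "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\CrystalX",
     "details": r"C:\Users\alice\AppData\Roaming\CrystalX.exe"},
    {"id": 13, "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "details": r"C:\Program Files\Vendor\Updater.exe"},
]

SHELLS = {"cmd.exe", "powershell.exe"}
USER_WRITABLE = re.compile(r"\\(AppData|Temp)\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
# Assumed mechanism: the Windows policy values that hide Task Manager / cmd.exe.
DISABLE_POLICY = re.compile(r"\\(DisableTaskMgr|DisableCMD)$", re.IGNORECASE)


def classify(event):
    """Return the names of the behavioral indicators a single event matches."""
    hits = []
    if event["id"] == 1:
        child = event["image"].rsplit("\\", 1)[-1].lower()
        if (child in SHELLS
                and USER_WRITABLE.search(event["parent"])
                and not event["parent_signed"]):
            hits.append("shell_from_unsigned_appdata_binary")
    elif event["id"] == 13:
        # A zero DWORD re-enables the tool, so only non-zero writes are flagged.
        if DISABLE_POLICY.search(event["target"]) and "0x00000000" not in event["details"]:
            hits.append("admin_tool_disabled")
        if RUN_KEY.search(event["target"]) and USER_WRITABLE.search(event["details"]):
            hits.append("run_key_persistence_from_user_dir")
    return hits


def detect(events):
    """Map each indicator that fired to the indices of the events that triggered it."""
    found = {}
    for i, event in enumerate(events):
        for name in classify(event):
            found.setdefault(name, []).append(i)
    return found
```

Signed binaries and Run entries pointing at `Program Files` pass through untouched, which keeps the rules quiet on ordinary software updaters.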
## Mitigation Strategies
- **Prevention measures:** Implement strict application whitelisting and prevent execution from temporary directories (`%AppData%`, `%Temp%`).
- **Hardening recommendations:** Use Endpoint Detection and Response (EDR) tools to monitor for "Living off the Land" techniques (e.g., `cmd.exe` launched by unsigned binaries running from user-writable directories).
- **User Education:** Train staff to avoid downloading software from unofficial sources like Telegram channels or YouTube description links.
## Related Tools/Techniques
- **WebRAT (Salat Stealer):** Likely the predecessor or base code for CrystalRAT.
- **ChaCha20 Encryption:** Used for obfuscating the payload and C2 communications.
- **VNC (Virtual Network Computing):** Employed for the remote desktop module.