{"id":2236,"date":"2026-04-01T06:04:59","date_gmt":"2026-04-01T06:04:59","guid":{"rendered":"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/01\/a-laughing-rat-crystalx-combines-spyware-stealer-and-prankware-features\/"},"modified":"2026-04-01T06:04:59","modified_gmt":"2026-04-01T06:04:59","slug":"a-laughing-rat-crystalx-combines-spyware-stealer-and-prankware-features","status":"publish","type":"post","link":"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/01\/a-laughing-rat-crystalx-combines-spyware-stealer-and-prankware-features\/","title":{"rendered":"A laughing RAT: CrystalX combines spyware, stealer, and prankware features"},"content":{"rendered":"
\n

\"\"<\/p>\n

Introduction<\/h2>\n

In March\u202f2026, we discovered an active campaign promoting previously unknown malware in private Telegram chats. The Trojan was offered as a MaaS (malware\u2011as\u2011a\u2011service) with three subscription tiers. It caught our attention because of its extensive arsenal of capabilities. On the panel provided to third\u2011party actors, in addition to the standard features of RAT\u2011like malware, a stealer, keylogger, clipper, and spyware are also available. Most surprisingly, it also includes prankware capabilities: a large set of features designed to trick, annoy, and troll the user. Such a combination of capabilities makes it a rather unique Trojan in its category.<\/p>\n

Kaspersky\u2019s products detect this threat as Backdoor.Win64.CrystalX.*, Trojan.Win64.Agent.*, Trojan.Win32.Agentb.gen.<\/p>\n

Technical details<\/h2>\n

Background<\/h3>\n

The new malware was first mentioned in January\u202f2026 in a private Telegram chat for developers of RAT malware. The author actively promoted their creation, called Webcrystal RAT, by attaching screenshots of the web panel. Many users observed that the panel layout was identical to that of the previously known WebRAT<\/a> (also called Salat\u202fStealer), leading them to label this malware as a copy. Additional similarities included the fact that the RAT was written in Go, and the messages from the bot selling access keys to the control panel closely matched those of the WebRAT bots.<\/p>\n

\"\"<\/a><\/p>\n

After some time, this malware was rebranded and received a new name, CrystalX RAT. Its promotion moved to a corresponding new channel, which is quite busy and features marketing tricks, such as access key draws and polls. Moreover, it expanded beyond Telegram: a special YouTube channel was created, aimed at marketing promotion and already containing a video review of the capabilities of this malware.<\/p>\n

\"\"<\/a><\/p>\n

The builder and anti-debug features<\/h3>\n

By default, the malware control panel provides third parties with an auto\u2011builder featuring a wide range of configurations, such as selective geoblocking by country, anti\u2011analysis functions, an executable icon, and others. Each implant is compressed using\u202fzlib and then encrypted with ChaCha20 and a hard\u2011coded 32\u2011byte key with a 12\u2011byte nonce. The malware has basic anti\u2011debugging functionality combined with additional optional capabilities:<\/p>\n