Date: 04/07/2026
Severity: Medium
Summary
A newly identified malware called CrystalX is being distributed as malware-as-a-service (MaaS) through private Telegram channels, offering multiple subscription tiers to cybercriminals. The Trojan combines a wide range of capabilities, including remote access (RAT), credential stealing, keylogging, clipping, and spyware functions, alongside unusual prankware features designed to disrupt and annoy victims. This multifunctional design makes CrystalX a unique and versatile threat in the evolving malware landscape.
Indicators of Compromise (IOC) List
Domains/URLs | webcrystal.lol, webcrystal.sbs, crystalxrat.top |
Hash (MD5) | the six values in Detection Query 1 below |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 : | md5hash IN ("88C60DF2A1414CBF24430A74AE9836E0","E540E9797E3B814BFE0A82155DFE135D","47ACCB0ECFE8CCD466752DDE1864F3B0","49C74B302BFA32E45B7C1C5780DD0976","1A68AE614FB2D8875CB0573E6A721B46","2DBE6DE177241C144D06355C381B868C")
|
Detection Query 2 : | domainname like "webcrystal.sbs" or url like "webcrystal.sbs" or siteurl like "webcrystal.sbs" or domainname like "webcrystal.lol" or url like "webcrystal.lol" or siteurl like "webcrystal.lol" or domainname like "crystalxrat.top" or url like "crystalxrat.top" or siteurl like "crystalxrat.top" |
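The domain check from Detection Query 2, applied to constructed events in Python as an added example (not from the advisory or from Gurucul). It matches each IOC domain and its subdomains on a label boundary, so look-alike hosts and mentions in a query string do not trigger. The field names come from the query; the `id` field, the subdomain and the sample events are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Domain IOCs copied from the advisory's IOC list.
IOC_DOMAINS = ("webcrystal.lol", "webcrystal.sbs", "crystalxrat.top")
# Fields checked by Detection Query 2.
FIELDS = ("domainname", "url", "siteurl")

def extract_host(value):
    """Return the lowercase hostname of a URL or bare domain, or None."""
    value = value.strip().lower()
    if not value:
        return None
    # urlsplit only fills .hostname when a scheme or leading // is present.
    if not re.match(r"^[a-z][a-z0-9+.-]*://", value):
        value = "//" + value
    try:
        host = urlsplit(value).hostname
    except ValueError:  # malformed netloc, e.g. unbalanced IPv6 brackets
        return None
    return host.rstrip(".") if host else None  # drop trailing FQDN dot

def match_ioc(value):
    """Return the IOC domain the host equals or is a subdomain of, else None."""
    host = extract_host(value)
    if host is None:
        return None
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None

def scan(events):
    """Return (event id, field, IOC) for the first matching field per event."""
    hits = []
    for event in events:
        for field in FIELDS:
            ioc = match_ioc(event.get(field) or "")
            if ioc:
                hits.append((event["id"], field, ioc))
                break
    return hits

# Constructed sample events (not real telemetry); "id" is a hypothetical key.
SAMPLE_EVENTS = [
    {"id": 1, "domainname": "webcrystal.lol"},
    {"id": 2, "url": "https://panel.WebCrystal.sbs:8443/login?x=1"},
    {"id": 3, "siteurl": "crystalxrat.top."},
    {"id": 4, "domainname": "notwebcrystal.lol"},                # look-alike
    {"id": 5, "url": "https://example.com/?ref=webcrystal.lol"}, # query string only
    {"id": 6, "url": "http://webcrystal.lol.example.net/"},      # IOC as a prefix label
]
```
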
Reference:
https://securelist.com/crystalx-rat-with-prankware-features/119283/