CrystalRAT malware-as-a-service sells remote access, crypto theft, and keylogging on Telegram

Kaspersky researchers uncovered CrystalRAT, a new malware-as-a-service sold via Telegram and promoted on YouTube with a tiered subscription model. Built in Go, it combines remote access via VNC, keylogging, clipboard hijacking for crypto wallet theft, browser credential stealing from Chromium/Yandex/Opera, and data harvesting from Steam, Discord, and Telegram. Each buyer gets a uniquely encrypted build using ChaCha20, making detection harder. Kaspersky warns that new versions are still shipping, and the victim count is likely to grow.

Check
Alert staff about fake software cracks and activators - the most common delivery vector for CrystalRAT infections.
Affected
Windows users who download software from unofficial sources. Current victims are primarily in Russia, but the MaaS model means geographic expansion is expected.
Fix
Block known CrystalRAT C2 infrastructure at the network level. Ensure endpoint detection tools are updated with Kaspersky's published IOCs. Train staff to verify crypto wallet addresses before confirming transfers - clipboard hijacking swaps addresses silently.
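The last recommendation above rests on how a clipper works: the user copies a wallet address, and a moment later the clipboard silently holds a different address of the same type. The following is an added example, not code from Kaspersky or from the article, showing how a defender-side monitor can flag that pattern. It runs offline over a constructed list of clipboard snapshots; the address regexes and the two-second replacement window are assumptions chosen for the demonstration, and a real monitor would replace the sample list with a platform-specific clipboard poll.

```python
import re
from dataclasses import dataclass

# Loose address shapes for the demo (assumption: not an exhaustive or
# checksum-validating set; real tooling would validate properly).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[0-9a-z]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify(text):
    """Return the wallet type a clipboard string looks like, or None."""
    s = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return name
    return None


@dataclass
class SwapEvent:
    index: int      # position of the suspicious snapshot
    kind: str       # wallet type that was replaced
    before: str     # address the user copied
    after: str      # address that replaced it
    delay: float    # seconds between the two snapshots


def detect_swaps(snapshots, window=2.0):
    """Flag clipper-style replacements in a sequence of (timestamp, text) snapshots.

    A swap is reported when an address of one type is replaced by a different
    address of the same type within `window` seconds. A user deliberately
    copying a second address normally takes longer than that, so the short
    window (an assumed heuristic) separates silent replacement from user action.
    """
    events = []
    prev_time, prev_text = None, None
    for i, (t, text) in enumerate(snapshots):
        if prev_text is not None:
            k_prev, k_cur = classify(prev_text), classify(text)
            if (k_prev is not None and k_prev == k_cur
                    and prev_text.strip() != text.strip()
                    and (t - prev_time) <= window):
                events.append(SwapEvent(i, k_prev, prev_text.strip(),
                                        text.strip(), t - prev_time))
        prev_time, prev_text = t, text
    return events


# Constructed sample: timestamps in seconds, clipboard contents as strings.
SAMPLE = [
    (0.0, "meeting notes"),
    (1.0, "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),   # user copies an address
    (1.3, "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),   # replaced 0.3 s later
    (9.0, "0xde0B295669a9FD93d5F28D9Ec85E40f4cb697BAE"),   # user copies an address
    (15.0, "0x52908400098527886E0F7030069857D2E4169EE7"),  # different address 6 s later
]

if __name__ == "__main__":
    for ev in detect_swaps(SAMPLE):
        print(f"snapshot {ev.index}: {ev.kind} address replaced after "
              f"{ev.delay:.1f}s: {ev.before} -> {ev.after}")
```

On the sample, only the BTC replacement is reported: the ETH change six seconds later is treated as a user re-copy. Widening `window` trades fewer missed swaps for more false positives, which is the usual tuning decision for this kind of behavioural check.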