IOC - A laughing RAT: CrystalX combines spyware, stealer, and prankware features
In March 2026, we discovered an active campaign promoting previously unknown malware in private Telegram chats. The Trojan was offered as a MaaS (malware‑as‑a‑service) with three subscription tiers. It caught our attention because of its extensive arsenal of capabilities. On the panel provided to third‑party actors, in addition to the standard features of RAT‑like malware, a stealer, keylogger, clipper, and spyware are also available. Most surprisingly, it also includes prankware capabilities: a large set of features designed to trick, annoy, and troll the user. Such a combination of capabilities makes it a rather unique Trojan in its category.
Indicators of Compromise (13)