Overview
- Kaspersky, which published a technical report Wednesday, says CrystalX is a subscription malware service sold on Telegram and shown off on YouTube.
- Buyers use a web panel to build their own payloads with geofencing and anti-analysis, then receive zlib-compressed, ChaCha20-encrypted implants that communicate over WebSocket.
- The malware gives full remote control through a built-in VNC with command execution, file transfer, and silent recording from the mic and camera.
- It also steals keystrokes and clipboard data to capture logins and swap crypto wallet addresses, while the separate prank panel can rotate screens, block input, hide the taskbar, show fake alerts, or open a chat box.
- Telemetry points to dozens of attempts, mostly in Russia. The stealer module is temporarily disabled for an upgrade, and the initial infection path is unknown; active development suggests a wider spread is possible.