DarkCrystal RAT Offers Many Capabilities for Very Low Price

BlackBerry’s security researchers have performed a deep analysis of the DarkCrystal RAT and the dark web activity of its developer.

Active since at least 2019, the malware appears to be the work of a single Russian-speaking developer who is offering it for only $6 for a two-month period, or $40 for a lifetime license, which is only a fraction of the price of similar tools.

“This price range is a curious feature, as it makes it seem like the author is not particularly profit-driven. It could be that they’re simply casting a wide net, trying to get a little money from a lot of maliciously minded people. It could also be that they have an alternative source of funding, or perhaps this is a passion project rather than their main source of income,” BlackBerry says.

Also referred to as DCRat and mainly sold on Russian underground forums, DarkCrystal RAT has a modular design that makes it suitable for dynamic code execution, data theft, surveillance, reconnaissance, or for launching distributed denial-of-service (DDoS) attacks.

Once executed on a victim machine, the malware harvests extensive system information, including host and user names, location, privileges, installed security tools, motherboard and BIOS data, and Windows version, and sends it to its command and control (C&C) server.

DarkCrystal RAT can take screenshots, log keystrokes, and steal various types of data from the system, including clipboard content, browser cookies, passwords and history, credit card data, and accounts for Telegram, Discord, Steam, and FileZilla.


There are three components included in the product, namely the stealer/client executable, a C&C interface, and an executable written in JPHP (a PHP implementation running on a Java virtual machine), which functions as an administrator tool.

Written in .NET, the DarkCrystal RAT client, which incorporates a plugin framework through which affiliates can create plugins for subscribers to download and use, is constantly updated, as are the administrator tool and the officially released plugins.

Third-party developers have access to a dedicated IDE called DCRat Studio that can be used to build plugins for the malware, while subscribers are provided with access to a list of supported plugins.

The entire DarkCrystal RAT bundle is hosted on crystalfiles[.]ru (it was moved there from dcrat[.]ru), a simple site used only for downloads. Sales and marketing operations are conducted on a Russian hacking forum, while news and updates are announced via Telegram.
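Because the article names the two distribution sites in defanged form, a defender's first practical step is to check outbound web traffic against them. The following is an added example (not code from BlackBerry or SecurityWeek) that refangs the indicators from the article and matches them, including subdomains, against constructed proxy log lines; the log format and timestamps are assumptions.

```python
from urllib.parse import urlparse

# Hosting domains named in the article, kept in the defanged form the article prints.
DEFANGED_INDICATORS = ["crystalfiles[.]ru", "dcrat[.]ru"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'dcrat[.]ru' back into 'dcrat.ru'."""
    return indicator.replace("[.]", ".").lower()


INDICATORS = {refang(i) for i in DEFANGED_INDICATORS}


def host_matches(host: str) -> bool:
    """True when host equals an indicator or is a subdomain of one.

    The leading dot in the endswith check prevents 'notdcrat.ru' from matching 'dcrat.ru'.
    """
    host = host.lower().rstrip(".")
    return any(host == ind or host.endswith("." + ind) for ind in INDICATORS)


# Constructed proxy log lines (not real traffic): "<timestamp> <client-ip> <url>"
SAMPLE_LOG = """\
2022-05-10T09:14:02Z 10.0.0.21 https://www.example.com/index.html
2022-05-10T09:15:47Z 10.0.0.34 http://crystalfiles.ru/files/client.zip
2022-05-10T09:16:10Z 10.0.0.34 https://cdn.dcrat.ru/plugins/list
2022-05-10T09:17:55Z 10.0.0.40 https://notdcrat.ru/
"""


def find_hits(log_text: str) -> list:
    """Return (timestamp, client, host) for each line whose URL host matches an indicator."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than raising
        ts, client, url = parts
        host = urlparse(url).hostname or ""
        if host_matches(host):
            hits.append((ts, client, host))
    return hits


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print("indicator match:", hit)
```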

The malware author posts on the hacking forum using the moniker Кодер (Coder), but might have used the username “boldenis44” previously, as some users call them by this name. The same username is used on GitHub, while on Telegram they post as “@boldenis.”

BlackBerry also notes that the malware author claims on their forum profile that they are Russian and working alone.

The researchers were able to find “Boldenis44” accounts on other dark web forums, as well as a “Darkcrystal Rat” (dcrat_1994) profile on Russian social network VKontakte. The crystalfiles[.]ru URL was also mentioned by another VKontakte account, Rodion Balkanov (Родион Балканов), which is no longer available.

“There are certainly programming choices in this threat that point to this being a novice malware author who hasn’t yet figured out an appropriate pricing structure. Choosing to program the threat in JPHP and adding a bizarrely non-functional infection counter certainly point in this direction. It could be that this threat is from an author trying to gain notoriety, doing the best with the knowledge they have to make something popular as quickly as possible,” BlackBerry notes.


Written by Ionut Arghire, an international correspondent for SecurityWeek.
