{
	"id": "332c8ae6-ae40-441a-861f-1df4384ad295",
	"created_at": "2026-04-06T00:19:29.525243Z",
	"updated_at": "2026-04-10T03:21:35.345917Z",
	"deleted_at": null,
	"sha1_hash": "42f7ae228c6fe5c7ee4981ea4023ed6c4fdd653e",
	"title": "DarkCrystal RAT - Hackers Selling Commercial Backdoor on Russian Hacking Forums",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1323751,
	"plain_text": "DarkCrystal RAT - Hackers Selling Commercial Backdoor on\r\nRussian Hacking Forums\r\nBy Guru Baran\r\nPublished: 2022-05-10 · Archived: 2026-04-05 21:11:18 UTC\r\nSecurity researchers at BlackBerry have recently reported a new RAT dubbed DarkCrystal RAT (also known as\r\nDCRat), and it’s a specifically designed and actively maintained RAT.\r\nA large number of cybercriminal groups are offering this RAT for dirt cheap prices. This means that it is widely\r\naccessible to both professional criminal groups and beginners as well.\r\nIn spite of the fact that this remote access Trojan (RAT) appears to have been created by just one individual, it\r\nprovides an impressively effective handmade tool for gaining access to systems on a low budget.\r\nA two-month subscription to this backdoor would cost you about 500 Rubles which is less than 5 pounds or 6\r\ndollars. When special promotions are running, the price can sometimes dip even lower.\r\nIt is evident that the author is not particularly motivated by profits, which makes the price range a curious feature.\r\nDCRat was initially released in 2018, and it is a commercial Russian backdoor that is redesigned and relaunched a\r\nyear later. A single person appears to be behind the development and maintenance of this threat using the\r\npseudonyms presented below:-\r\nhttps://cybersecuritynews.com/darkcrystal-rat/\r\nPage 1 of 5\n\nboldenis44\r\ncrystalcoder\r\nКодер\r\nComponents of DCRat\r\nIn total, the DCRat product contains three components, and here below we have mentioned all the three\r\ncomponents of DCRat:-\r\nA stealer/client executable\r\nA single PHP page, serving as the command-and-control (C2) endpoint/interface\r\nAn administrator tool\r\nDCRat (aka DarkCrystal RAT)\r\nDCRat is a full-featured backdoor that is written in .NET. 
With DCRat, third parties can develop plugins to extend\r\nthe functionality of the tool further, which can be done using a dedicated IDE called DCRat Studio,\r\ndeveloped by affiliates.\r\nThe flexibility of DCRat’s modular architecture and custom plug-in framework makes it exceptionally handy for\r\nuse in a range of nefarious activities.\r\nThese include:\r\nSurveillance\r\nReconnaissance\r\nInformation theft\r\nDDoS attacks\r\nDynamic code execution\r\nPrice chart\r\nA two-month license for the trojan starts at 500 RUB ($5), which is the standard price for general use.\r\nThe full price list is as follows:\r\nTwo-month subscription: 500 RUB ($5)\r\nOne year subscription: 2,200 RUB ($21)\r\nLifetime subscription: 4,200 RUB ($40)\r\nDCRat Offering\r\nAn analysis conducted by Mandiant in May 2020 traced the RAT’s hosting infrastructure to “files.dcrat[.]ru”, but at\r\npresent the malware is hosted on a different domain, “crystalfiles[.]ru”.\r\nThe crystalfiles website has no complex interface and is intended to serve as a download\r\npoint only; clients and potential clients will find no other information or resources on the site.\r\nAmong the vectors that DCRat uses to spread throughout a host are:\r\nCobalt Strike Beacons\r\nPrometheus TDS (a subscription-based crimeware-as-a-service (CaaS) solution)\r\nFurther capabilities of this RAT include:\r\nCapturing screenshots\r\nRecording keystrokes\r\nStealing content from the clipboard\r\nStealing data from Telegram \u0026 web browsers\r\nAll DCRat marketing and sales activity is carried out through the Russian hacking forum lolz[.]guru. 
In addition, there are some pre-sales queries that are handled by this same portal.\r\nSource: https://cybersecuritynews.com/darkcrystal-rat/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://cybersecuritynews.com/darkcrystal-rat/"
	],
	"report_names": [
		"darkcrystal-rat"
	],
	"threat_actors": [],
	"ts_created_at": 1775434769,
	"ts_updated_at": 1775791295,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/42f7ae228c6fe5c7ee4981ea4023ed6c4fdd653e.pdf",
		"text": "https://archive.orkl.eu/42f7ae228c6fe5c7ee4981ea4023ed6c4fdd653e.txt",
		"img": "https://archive.orkl.eu/42f7ae228c6fe5c7ee4981ea4023ed6c4fdd653e.jpg"
	}
}