CRYSTALRAY
CRYSTALRAY is a cybercrime threat actor/campaign cluster tracked by the Sysdig Threat Research Team (TRT) as the operator behind activity previously identified as SSH-Snake. TRT assigned the CRYSTALRAY identifier after observing a significant expansion in operations, with activity reportedly scaling roughly 10x to more than 1,500 victims. Observed targeting was heavily concentrated in the United States and China, and the actor conducted large-scale, country-targeted scanning and exploitation of internet-facing services.

CRYSTALRAY uses a stack of open-source security tools, including zmap, asn, httpx, nuclei, platypus, and SSH-Snake, and abuses ProjectDiscovery tooling managed with pdtm. The actor generates country-specific IPv4/IPv6 CIDR ranges, scans at scale for services such as ActiveMQ, Confluence, Metabase, WebLogic, Solr, Openfire, RocketMQ, and Laravel, validates targets with httpx, and uses nuclei to identify vulnerabilities. Reported exploited vulnerabilities include CVE-2022-44877, CVE-2021-3129, and CVE-2019-18394. TRT also assessed that CRYSTALRAY likely used newer Confluence nuclei templates and, in some cases, used honeypot-detection tags to avoid suspected honeypots.

For exploitation and payload delivery, CRYSTALRAY prefers to take public proof-of-concept exploits and modify them, editing them to add malicious payloads such as Platypus or Sliver clients. After gaining access, the actor establishes persistence with backdoors, including a Sliver-generated implant and a binary named hostctld, and has also hosted payloads named db.exe and linux_agent, though use of the latter was unconfirmed. TRT reported use of Platypus, a Go-based reverse shell session manager, and identified additional Platypus dashboards on the default ports 7331, 13338, and 13339. CRYSTALRAY uses SSH-Snake for lateral movement.

SSH-Snake is described as a self-modifying worm that spreads using discovered SSH credentials, searches known credential locations and shell history files, and exfiltrates captured SSH keys and bash histories to a C2 server. The actor also harvests credentials from environment files, including *.env variants, and uploads the collected data to attacker infrastructure. TRT reported that CRYSTALRAY collects and sells stolen credentials on black markets, including via Telegram, with the stolen data including cloud provider and SaaS email credentials.

In addition to credential theft, CRYSTALRAY deploys cryptominers, maintains mining persistence via cron and systemd, may host mining pools on the same server as its C2 or data storage, and runs scripts to kill competing miner processes in order to monopolize victim resources.

Alias relationship stated in the reporting: activity previously tracked as SSH-Snake is now tracked by TRT as CRYSTALRAY.
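The profile above gives a few host- and network-level observables a defender can hunt for directly: the Platypus default dashboard ports, the hostctld backdoor name, and the db.exe / linux_agent payload names, plus cron-based persistence. The following script is an added example and not Sysdig's or Mallory's code; it runs those checks over constructed sample connection, process and crontab lines, and would be pointed at real `ss`/`ps`/crontab output in practice.

```python
import re
from pathlib import PurePosixPath

# Indicators taken from the profile (not a complete ruleset): Platypus default
# dashboard ports, the hostctld backdoor name and the hosted payload names.
PLATYPUS_PORTS = {7331, 13338, 13339}
KNOWN_NAMES = {"hostctld", "db.exe", "linux_agent"}

# Constructed sample data in an `ss -tn`-like "proto state local remote" layout.
SAMPLE_CONNS = [
    "tcp ESTAB 10.0.0.5:44122 203.0.113.7:13338",
    "tcp ESTAB 10.0.0.5:51200 198.51.100.9:443",
]
# Constructed "pid user command" process listing.
SAMPLE_PROCS = [
    "1432 root /usr/local/bin/hostctld",
    "2001 www-data /usr/sbin/apache2 -k start",
]
# Constructed crontab lines (mining persistence via cron is reported above).
SAMPLE_CRON = [
    "*/5 * * * * /var/tmp/linux_agent >/dev/null 2>&1",
    "0 3 * * * /usr/bin/certbot renew",
]

CONN_RE = re.compile(r"^tcp\s+ESTAB\s+\S+:\d+\s+(\S+):(\d+)$")

def scan_connections(lines):
    """Return remote endpoints whose port is a Platypus default dashboard port."""
    hits = []
    for line in lines:
        m = CONN_RE.match(line.strip())
        if m and int(m.group(2)) in PLATYPUS_PORTS:
            hits.append(f"{m.group(1)}:{m.group(2)}")
    return hits

def scan_processes(lines):
    """Return (pid, path) for processes whose binary name matches a reported backdoor/payload."""
    hits = []
    for line in lines:
        parts = line.split(maxsplit=2)
        if len(parts) < 3:
            continue
        pid, _user, cmd = parts
        path = cmd.split()[0]
        if PurePosixPath(path).name in KNOWN_NAMES:
            hits.append((pid, path))
    return hits

def scan_cron(lines):
    """Return crontab entries that invoke one of the reported payload/backdoor names."""
    return [l for l in lines if any(name in l for name in KNOWN_NAMES)]

def run_hunt():
    return {"platypus_endpoints": scan_connections(SAMPLE_CONNS),
            "suspicious_processes": scan_processes(SAMPLE_PROCS),
            "suspicious_cron": scan_cron(SAMPLE_CRON)}
```

Name and port matches are weak signals on their own; treat a hit as a lead to pivot into the host's shell history, SSH keys and .env files, which the profile says this actor also targets.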
Recent activity
Large-scale opportunistic scanning and exploitation campaign leveraging open-source security tools (e.g., ProjectDiscovery tooling, SSH-Snake) to compromise internet-exposed services, deploy backdoors (Sliver/Platypus/emp3ror), steal and exfiltrate credentials (including cloud/SaaS), and run cryptominers while maintaining persistence.
CRYSTALRAY is a new cybercrime group targeting over 1500 victims for credential theft and cryptomining, using mass scanning, multiple exploits, and open-source security tools.