
Kaspersky Uncovers CrystalX RAT: A New Data‑Stealing Malware That Also Mocks Victims

Kaspersky

Kaspersky researchers have uncovered CrystalX RAT, a newly identified remote access trojan with an unusually broad and intrusive feature set: it can not only steal data and spy on victims, but also taunt them through on‑screen pranks.

Identified by Kaspersky’s Global Research & Analysis Team (GReAT), CrystalX RAT is being actively distributed in the wild and sold to cybercriminals via a Malware‑as‑a‑Service (MaaS) model. Its developers are openly advertising the tool on platforms like YouTube and Telegram, increasing the likelihood that both experienced threat actors and inexperienced operators will deploy it.

CrystalX combines traditional RAT capabilities with stealer, keylogger, clipper, and spyware modules. It can harvest extensive data from infected systems, including system information, browser data, and credentials for platforms like Discord, Steam, and Telegram. The malware also targets cryptocurrency users through a clipper module that replaces copied wallet addresses with those controlled by attackers.

“This malware delivers a 360‑degree compromise, from data theft to psychological manipulation, and its spread is only just beginning.”

— Leonid Bezvershenko

Beyond theft, CrystalX engages in full-scale surveillance. It can capture screenshots, record audio from a microphone, and take video from webcams and the user’s display, giving attackers deep visibility into victims’ activities.

One of the malware’s most striking elements is its “prankware” functionality. Operators can manipulate the victim’s device in real time by shaking the mouse cursor, changing display orientation, hiding icons, altering wallpapers, shutting down systems, and sending pop‑up messages. These disruptive actions add a psychological layer to the attack by making the intrusion actively visible and distressing.

Kaspersky reports that attacks are currently targeting users in Russia, though the MaaS distribution model means global spread is likely.

Bezvershenko, senior security researcher at GReAT, warned that the malware is rapidly evolving. New versions have already appeared, and telemetry shows dozens of current victims. “We expect the number of infections and the geographic footprint to grow significantly,” he said.

Kaspersky advises users to avoid suspicious downloads, rely on official software sources, enable file extension visibility, and use comprehensive security solutions.
