A new piece of Windows malware is turning heads in the cybersecurity world. CrystalX RAT is a remote access Trojan discovered in early 2026. It combines spyware, credential theft, and cryptocurrency hijacking with “prankware” features. These features flip your screen, scramble your mouse buttons, and lock your keyboard, all while quietly draining your data in the background.
What Is CrystalX RAT?
CrystalX RAT is a malware-as-a-service (MaaS) tool. Its creators sell access to it on a subscription basis rather than using it themselves. Security researchers at Kaspersky first spotted it in January 2026 in a private Telegram chat for malware developers. At that point, it went by the name Webcrystal RAT. The developer soon rebranded it as CrystalX and launched a dedicated Telegram channel to market it more aggressively.
The malware targets Windows systems and is written in Go, a programming language popular among malware authors. Go compiles efficiently, and its binaries resist reverse-engineering. Promotion has since expanded beyond Telegram to a dedicated YouTube channel, where the developer posts video walkthroughs to attract subscribers.
Three Subscription Tiers and a Builder Tool
CrystalX RAT runs on a three-tier subscription model. Buyers get access to a web-based control panel and an automated payload builder. That builder lets subscribers customize their version of the malware before deploying it. Options include restricting infections to specific countries, choosing a custom icon for the malicious file, and toggling anti-analysis protections on or off.
Each payload gets compressed and encrypted using the ChaCha20 stream cipher. This ensures every subscriber receives a unique file, which makes antivirus detection harder because no two builds look the same. The malware also checks whether it runs inside a virtual machine or a debugging environment. Security researchers use these tools to analyze threats. If CrystalX RAT detects one, it changes its behavior to avoid scrutiny.
The infected device communicates with the attacker’s command-and-control server over WebSocket. This protocol supports real-time, two-way communication and avoids the red flags that older malware communication methods tend to raise.
What CrystalX RAT Actually Does
The malware’s capabilities fall into several overlapping categories.
Stealing Credentials and Sensitive Data
CrystalX targets login credentials stored in Chromium-based browsers. It also goes after accounts on Steam, Discord, and Telegram. It records the victim's keystrokes and streams them to the attacker in real time. The malware packages stolen data in JSON format and pulls it from temporary directories on the infected machine before sending it out.
Hijacking Cryptocurrency Wallets
The clipboard hijacker monitors what the victim copies. When it spots a cryptocurrency wallet address, it silently swaps it for one the attacker controls. Any crypto transaction the victim attempts could send funds to the wrong destination without them ever noticing.
The clipper works by injecting a hidden extension into Chrome or Edge. That extension monitors clipboard activity in the background. The swap happens fast enough that most users never catch it.
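A defender-side audit for the mechanism described above, added here as an example and not taken from the original article or from Kaspersky's analysis: it walks a Chromium profile's Extensions directory and flags extensions that request clipboard permissions or run content scripts on every site. The directory layout, the sample manifests, and the premise that the injected extension declares such access are assumptions; the article does not say how the CrystalX extension is built.

```python
import json
import tempfile
from pathlib import Path

CLIPBOARD_PERMS = {"clipboardRead", "clipboardWrite"}
BROAD_MATCHES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def assess_manifest(manifest: dict) -> list:
    """Return the reasons an extension could observe or rewrite copied text."""
    declared = manifest.get("permissions", []) + manifest.get("optional_permissions", [])
    perms = {p for p in declared if isinstance(p, str)}
    reasons = []
    if perms & CLIPBOARD_PERMS:
        reasons.append("clipboard permission: " + ", ".join(sorted(perms & CLIPBOARD_PERMS)))
    for cs in manifest.get("content_scripts", []):
        if set(cs.get("matches", [])) & BROAD_MATCHES:
            reasons.append("content script on all sites: " + ", ".join(cs.get("js", [])))
    return reasons

def audit_extensions(root: Path) -> dict:
    """Walk <root>/<extension id>/<version>/manifest.json and collect flagged extensions."""
    findings = {}
    for mf in sorted(root.glob("*/*/manifest.json")):
        ext_id = mf.parent.parent.name
        try:
            reasons = assess_manifest(json.loads(mf.read_text(encoding="utf-8-sig")))
        except (OSError, ValueError, AttributeError, TypeError):
            # A manifest that cannot be read or parsed is itself worth a look.
            reasons = ["unreadable or malformed manifest"]
        if reasons:
            findings[ext_id] = reasons
    return findings

def demo() -> dict:
    # Constructed manifests for illustration; neither is taken from CrystalX RAT.
    samples = {
        "aaaa-benign": {"permissions": ["storage"]},
        "bbbb-clipper-like": {"permissions": ["clipboardRead", "clipboardWrite"],
            "content_scripts": [{"matches": ["<all_urls>"], "js": ["cs.js"]}]},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for ext_id, manifest in samples.items():
            version_dir = Path(tmp) / ext_id / "1.0_0"
            version_dir.mkdir(parents=True)
            (version_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        return audit_extensions(Path(tmp))

if __name__ == "__main__":
    print(demo())
```

A flag here is a prompt for review, not a verdict: legitimate extensions also request these permissions, and an extension loaded from a path outside the profile's Extensions folder will not be seen by this walk.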
Remote Control and Surveillance
Attackers can view and control the victim’s desktop remotely. They can also access the camera and microphone, and read or modify clipboard contents at will. The keylogger captures all keystrokes and transmits them in real time, making it one of the more invasive elements in the package.
The Prankware Angle
What sets CrystalX RAT apart in a crowded market is its prankware feature set. These capabilities do not steal anything. They disrupt and confuse the victim instead. The malware can rotate the screen, swap mouse buttons, disable keyboard input, hide the taskbar and desktop icons, block access to Task Manager, and display messages directly on the screen.
These features almost certainly target less experienced threat actors, sometimes called script kiddies, who want software that feels powerful and entertaining. But there is a more calculated use for them too. While the victim tries to figure out why their mouse is behaving strangely, the data theft modules keep running in the background without interruption.
Who Is at Risk?
Confirmed infections so far appear primarily in Russia, but the MaaS platform carries no built-in geographic restrictions. Any subscriber can deploy it anywhere. Kaspersky’s telemetry has already identified multiple new versions, which points to active development and a growing operation.
Because CrystalX RAT comes as a subscription product with video tutorials, it lowers the barrier to entry for cybercriminals considerably. Someone with no coding knowledge can rent access, follow the YouTube guide, and deploy a sophisticated piece of malware within hours.
Final Thoughts
CrystalX RAT shows how fast the malware-as-a-service market is moving. One subscription package now covers data theft, surveillance, cryptocurrency hijacking, and screen chaos designed to throw victims off. If your screen starts behaving strangely, that may not be a glitch. Keeping software updated, avoiding downloads from unofficial sources, and running a trusted security solution remain the strongest first lines of defense against threats like CrystalX RAT.