{"id":25406,"date":"2026-04-01T19:15:13","date_gmt":"2026-04-01T15:15:13","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/?p=25406"},"modified":"2026-04-01T19:15:13","modified_gmt":"2026-04-01T15:15:13","slug":"prankware-crystalx-rat-maas","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/prankware-crystalx-rat-maas\/25406\/","title":{"rendered":"CrystalX RAT can flip your screen and steal your crypto"},"content":{"rendered":"<p>While this post comes out on April 1, the threat described has little to do with April Fools\u2019 Day \u2014 except for the fact that the CrystalX malicious RAT, discovered by Kaspersky experts, can do more than just gain remote access to a victim\u2019s device, steal cryptocurrency and credentials from browsers and apps, or conduct actual surveillance. It can also flip the victim\u2019s screen, swap mouse buttons, write nonsense directly onto the screen, and even block keyboard input. Furthermore, it\u2019s advertised as malware-as-a-service (MaaS) \u2014 meaning it\u2019s subscription-based \u2014 on Telegram and through instructional videos on YouTube.<\/p>\n<p>In this post, we explain some basics as to how this new malware was built, what makes it difficult to detect, and what to do so you don\u2019t end up among its victims.<\/p>\n<h2>A Swiss army knife for attackers<\/h2>\n<p>In March 2026, our experts discovered previously unknown malware circulating on private Telegram channels. Borrowing from classic marketing tactics, the Trojan was offered for purchase via three different subscription tiers. 
Its capabilities cover a fairly broad spectrum; judge for yourself what it can do to a victim\u2019s computer:<\/p>\n<ul>\n<li>Change desktop wallpaper to an image from a specified link<\/li>\n<li>Rotate the screen by 90, 180, or 270 degrees<\/li>\n<li>Simply shut down the computer<\/li>\n<li>Swap mouse button assignments<\/li>\n<li>Chat with the victim<\/li>\n<li>Block both keyboard input and monitor output<\/li>\n<li>Display any notification text chosen by the attacker<\/li>\n<li>Disable specific components, such as Task Manager, the command prompt, and the Windows taskbar<\/li>\n<\/ul>\n<p>Yet that\u2019s only the harmless side of the malware \u2014 the prank functionality that harks back to the joke viruses of past decades. The real damage from CrystalX comes from its theft of login credentials for Steam, Discord, Telegram, and all Chromium-based browsers. It can also monitor and change the contents of the clipboard; typically, attackers watch for a crypto wallet address to be copied, and then swap it with their own. This is a <a href=\"https:\/\/www.kaspersky.com\/blog\/efimer-trojan-steals-crypto\/54066\/\" target=\"_blank\" rel=\"noopener nofollow\">popular scheme for stealing crypto<\/a>: while intending to make a legitimate transfer, the victim copies the recipient\u2019s wallet address, but ends up pasting the scammers\u2019 address instead.<\/p>\n<p>But there\u2019s more: a keylogger feature and full device control with remote access to the screen, camera, and microphone \u2014 including video and sound recording capabilities.<\/p>\n<p>The malware was first mentioned in January 2026 in a private Telegram chat for RAT developers. At that time, this Windows Trojan was called WebCrystal RAT and, based on technical details, was revealed to be a clone of <a href=\"https:\/\/securelist.com\/webrat-distributed-via-github\/118555\/\" target=\"_blank\" rel=\"noopener\">another RAT known as WebRat<\/a>. 
A short time later, the author of WebCrystal rebranded it as CrystalX RAT, and began touting the Trojan on a newly created Telegram channel.<\/p>\n<p>The initial infection vector for this stealer is currently unknown, but according to telemetry the victims at the time of writing are predominantly located in Russia. And since we\u2019re continuing to find new versions of the malware, we deem it a rapidly growing and evolving threat.<\/p>\n<h2>Anyone can become a hacker<\/h2>\n<p>Developing any complex cyberattack used to come with a steep learning curve. You needed to understand cryptography and network protocols, and know how to write code that could fool antivirus solutions. It was a high bar to clear, but the malware-as-a-service model has been changing the game.<\/p>\n<p>These days, an attacker only needs basic computer literacy to rent a ready-made platform with a user-friendly interface. The threat is becoming widespread specifically because malware creators aren\u2019t carrying out the attacks themselves anymore \u2014 they\u2019re selling shovels during a gold rush. 
They focus on supporting their customers, improving the user interface, and pouring money into aggressive marketing.<\/p>\n<div id=\"attachment_55540\" style=\"width: 1370px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2026\/04\/01190623\/prankware-crystalx-rat-maas-01.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-55540\" class=\"wp-image-55540 size-full\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2026\/04\/01190623\/prankware-crystalx-rat-maas-01.jpg\" alt=\"CrystalX malware control panel\" width=\"1360\" height=\"1046\"><\/a><p id=\"caption-attachment-55540\" class=\"wp-caption-text\">CrystalX malware control panel<\/p><\/div>\n<p>Hackers are even setting up YouTube channels where they use the pretext of \u201cfor educational and entertainment purposes\u201d to explain how to manage the Trojan from the control panel. Instructional videos that were once buried in the dark web have gone mainstream, putting hacking techniques in front of a broad, general audience.<\/p>\n<h2>How CrystalX bypasses security<\/h2>\n<p>No matter how technically advanced a hacking app\u2019s code is, it will die as a project without a constant stream of new clients. This makes marketing efforts vital to its survival \u2014 even if they significantly increase the risk of the developer ending up behind bars. However, the creators of CrystalX have figured out how to protect their creation.<\/p>\n<p>The control panel allows clients to build their own unique versions of the Trojan with extensive configuration options. For example, they can enable location filtering to target users in specific countries, choose an icon for the executable file, and toggle anti-analysis features. 
The finished Trojan is compressed using zlib and then encrypted with a ChaCha20 stream cipher using a 256-bit key and a 96-bit <a href=\"https:\/\/en.wikipedia.org\/wiki\/Cryptographic_nonce\" target=\"_blank\" rel=\"noopener nofollow\">nonce<\/a>. This ensures that every customer receives a unique version of the malware.<\/p>\n<p>CrystalX is also capable of detecting virtual machines and checking if it\u2019s running in a test or debugging environment, which complicates discovery. You can read more about the structure and functionality of this new Trojan <a href=\"https:\/\/securelist.com\/crystalx-rat-with-prankware-features\/119283\/\" target=\"_blank\" rel=\"noopener\">in our Securelist story<\/a>.<\/p>\n<p>The good news for Kaspersky users is that <a href=\"https:\/\/me-en.kaspersky.com\/home-security?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2c_blo_lnk_sm-team______\" target=\"_blank\" rel=\"noopener\">our security solutions<\/a> both detect and neutralize CrystalX.<\/p>\n<h2>How to avoid becoming a victim<\/h2>\n<p>Here are a few simple tips to help you avoid infection by CrystalX and other similar malware:<\/p>\n<ul>\n<li>Pay attention if your computer starts acting up. Spontaneous screen rotation, the keyboard or mouse behaving erratically or locking up, and random notifications or chat windows can all be signs of a CrystalX infection. If anything like that happens, kill the internet connection immediately by physically unplugging the Ethernet cable or toggling off the Wi-Fi. Then, use a flash drive to install <a href=\"https:\/\/me-en.kaspersky.com\/home-security?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2c_blo_lnk_sm-team______\" target=\"_blank\" rel=\"noopener\">our security suite<\/a> to root out the virus.<\/li>\n<li>Make sure you download software only from official websites and trusted marketplaces. 
Avoid pirated software, license key generators, and free versions of paid applications: these builds are the most common hiding spots for Trojans.<\/li>\n<li>Don\u2019t fall for \u201ctutorial\u201d videos that push questionable tools for \u201cadministration\u201d, \u201coptimization\u201d, or \u201csecurity testing\u201d. If the blogger says you should disable your antivirus to complete installation, that\u2019s a major red flag and a reason to stop watching.<\/li>\n<li>Be careful with files you receive through messaging apps. Password-protected archives containing \u201cimportant documents\u201d or \u201ccool private builds\u201d are typical containers for malicious software.<\/li>\n<li>Keep your accounts secure. Enable <a href=\"https:\/\/www.kaspersky.com\/blog\/what-is-two-factor-authentication\/48289\/\" target=\"_blank\" rel=\"noopener nofollow\">two-factor authentication<\/a> and <a href=\"https:\/\/www.kaspersky.com\/blog\/full-guide-to-passkeys-in-2025-part-1\/53688\/\" target=\"_blank\" rel=\"noopener nofollow\">passkeys<\/a> for your most critical services: email, messaging apps, gaming platforms, and crypto exchanges. <a href=\"https:\/\/me-en.kaspersky.com\/password-manager?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____kpm___\" target=\"_blank\" rel=\"noopener\">Kaspersky Password Manager<\/a>\u00a0is an excellent tool for this.<\/li>\n<li>Regularly update your operating system and apps. Fresh patches plug security holes that let malware slip onto your system silently and without any interaction from your side.<\/li>\n<li>Use a reliable security suite, such as <a href=\"https:\/\/me-en.kaspersky.com\/premium?icid=me-en_bb2022-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kprem___\" target=\"_blank\" rel=\"noopener\">Kaspersky Premium<\/a>. 
It detects and blocks Trojan installation or download attempts.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>The new CrystalX remote access Trojan looks like the prank viruses of the 90s on the surface, but it causes a lot more damage. It spies on all that\u2019s happening on your computer, steals cryptocurrency and accounts, and gives the attacker full control over your device. 
We break down how it works, and how to avoid becoming a victim.<\/p>\n","protected":false},"author":312,"featured_media":25409,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1486],"tags":[1505,575,714,682,2151,738,783,692],"class_list":{"0":"post-25406","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-cryptocurrencies","9":"tag-great","10":"tag-rat","11":"tag-spyware","12":"tag-stealers","13":"tag-surveillance","14":"tag-tracking","15":"tag-trojans"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/prankware-crystalx-rat-maas\/25406\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/prankware-crystalx-rat-maas\/30356\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/prankware-crystalx-rat-maas\/30203\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/prankware-crystalx-rat-maas\/41616\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/prankware-crystalx-rat-maas\/55537\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/prankware-crystalx-rat-maas\/33372\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/prankware-crystalx-rat-maas\/30473\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/prankware-crystalx-rat-maas\/36092\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/prankware-crystalx-rat-maas\/35744\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/rat\/","name":"RAT"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/25406","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,
"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/312"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=25406"}],"version-history":[{"count":2,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/25406\/revisions"}],"predecessor-version":[{"id":25410,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/25406\/revisions\/25410"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/25409"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=25406"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=25406"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=25406"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}