
CrystalX RAT: The Malware That Spies, Steals, and Pranks

Posted by u/Tiobasil · 2026-05-04 05:05:23

In early 2026, cybersecurity researchers uncovered a new and highly versatile malware called CrystalX (initially known as Webcrystal RAT). This threat is being marketed as a Malware-as-a-Service (MaaS) through private Telegram channels, offering three subscription tiers and an unusual mix of capabilities. Beyond standard remote access and data theft, CrystalX includes prankware features designed to annoy or troll victims. This article answers key questions about this unique trojan, from its discovery and technical details to its detection and impact.

1. What is CrystalX and how was it discovered?

CrystalX is a remote access trojan (RAT) first mentioned in January 2026 within a private Telegram chat for RAT developers. Its creator actively promoted it under the name Webcrystal RAT, sharing screenshots of its web panel. Observers noted that the panel layout was nearly identical to that of the earlier WebRAT (also called Salat Stealer), leading many to label it a copy. Both are written in Go, and the bot messages for selling access keys matched those of WebRAT bots. The malware was later rebranded as CrystalX RAT and moved to a new, active Telegram channel featuring marketing tactics like key draws and polls. The campaign expanded to YouTube, where a promotional video showcased its features. Kaspersky discovered the active campaign in March 2026 and began tracking it.

[Image: CrystalX RAT: The Malware That Spies, Steals, and Pranks. Source: securelist.com]

2. How does CrystalX operate as a malware-as-a-service?

CrystalX is offered as a MaaS (Malware-as-a-Service) with three subscription tiers, providing third-party actors access to a powerful control panel. The panel includes an auto-builder that allows users to configure the implant with various options, such as selective geoblocking by country, anti-analysis features, and custom executable icons. The malware is compressed using zlib and encrypted with ChaCha20 using a hardcoded 32-byte key and a 12-byte nonce, ensuring the payload remains obfuscated during transmission. Operators can purchase access keys from Telegram bots, with different tiers likely offering varying feature sets or durations. This commercialization lowers the barrier for attackers to deploy sophisticated spyware without deep technical knowledge.

3. What makes CrystalX unique compared to other RATs?

What sets CrystalX apart is its combination of traditional RAT features with spyware, stealer, keylogger, clipper, and prankware capabilities. While many trojans offer remote access or data theft, the inclusion of prankware (a large set of features designed to trick, annoy, or troll the user) is highly unusual. Examples of prank behaviors could include fake error messages, screen pranks, or unpredictable system changes that serve no purpose other than harassment. This unusual mix makes CrystalX something of a "laughing RAT": the operator can steal sensitive information and torment the victim at the same time. Most malware focuses on silent extraction; CrystalX openly interacts with the user in disruptive ways, blurring the line between espionage and cyberbullying.

4. What technical anti-analysis features does CrystalX have?

CrystalX incorporates several anti-debugging and anti-analysis mechanisms to evade detection and reverse engineering. By default, its builder includes optional features such as:

  • MITM Check: It reads the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings to detect proxy settings and blacklists processes like Fiddler, Burp Suite, and mitmproxy. It also checks whether certificates belonging to these tools are present on the system.
  • VM Detection: The malware inspects running processes, hardware characteristics, and guest tools to determine if it’s running inside a virtual machine.
  • Anti-attach Loop: An infinite loop constantly checks for a debug flag, debug port, hardware breakpoints, and timing anomalies.
  • Stealth Patches: It patches functions such as AmsiScanBuffer, EtwEventWrite, and MiniDumpWriteDump to subvert security monitoring and memory dump analysis.

These techniques make it harder for security tools and analysts to study the malware’s behavior.

5. What data does CrystalX steal and how?

Once executed, CrystalX establishes a connection to its command-and-control (C2) server and begins data collection. Its stealer module can harvest credentials, cookies, and other sensitive information from browsers and applications. A keylogger captures keystrokes, while a clipper monitors clipboard content—commonly used to replace cryptocurrency wallet addresses. Additionally, the spyware component can capture screenshots, record microphone and webcam feeds, and log system activity. The prankware features do not steal data but instead perform disruptive actions, such as opening and closing the CD tray, toying with mouse movements, or displaying fake alerts. All stolen data is exfiltrated to the C2 server controlled by the attacker.


6. How does CrystalX protect itself from detection?

Besides its anti-analysis features, CrystalX uses encryption and compression to hide its payload. The implant is compressed with zlib and then encrypted with the ChaCha20 algorithm using a hardcoded key and nonce. This layered obfuscation makes static analysis difficult. The control panel offers an auto-builder with options to customize the icon and behavior, further reducing the chance of signature-based detection. The malware also employs geoblocking to avoid infecting systems in certain countries, likely to evade law enforcement or security researchers. By combining encryption, stealth patches, and anti-debug loops, CrystalX attempts to remain hidden from both automated scans and manual analysis.
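To make the zlib-then-ChaCha20 layering described in sections 2 and 6 concrete, here is an added example written for this post (not CrystalX code and not anything from Kaspersky's analysis). It implements ChaCha20 per RFC 8439 in pure Python so it runs without third-party libraries, shows the builder-side packing and the analyst-side unpacking an investigator would write once a sample's key and nonce have been recovered, and uses a constructed placeholder key and nonce, since the real hardcoded values are not given in this article.

```python
import struct
import zlib

# Constructed demo key/nonce: placeholders, NOT the real hardcoded CrystalX values.
DEMO_KEY = bytes(range(32))             # 32-byte ChaCha20 key
DEMO_NONCE = b"\x00" * 4 + b"CRYSTAL!"  # 12-byte IETF-style nonce

def _rotl32(v, n):
    return ((v << n) | (v >> (32 - n))) & 0xFFFFFFFF

def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl32(s[b] ^ s[c], 7)

def _chacha20_block(key, nonce, counter):
    """One 64-byte keystream block per RFC 8439 (32-byte key, 12-byte nonce)."""
    state = list(struct.unpack("<4I", b"expand 32-byte k"))
    state += struct.unpack("<8I", key) + (counter & 0xFFFFFFFF,) + struct.unpack("<3I", nonce)
    w = state[:]
    for _ in range(10):  # 20 rounds: 10 x (column round + diagonal round)
        for a, b, c, d in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                           (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            _quarter_round(w, a, b, c, d)
    return struct.pack("<16I", *[(x + y) & 0xFFFFFFFF for x, y in zip(w, state)])

def chacha20_xor(key, nonce, data, counter=0):
    """Encrypt or decrypt (the same XOR operation) with a ChaCha20 keystream."""
    assert len(key) == 32 and len(nonce) == 12
    out = bytearray()
    for i in range(0, len(data), 64):
        block = _chacha20_block(key, nonce, counter + i // 64)
        out += bytes(x ^ k for x, k in zip(data[i:i + 64], block))
    return bytes(out)

def pack_payload(implant, key=DEMO_KEY, nonce=DEMO_NONCE):
    """Builder-side layering as the article describes it: zlib first, then ChaCha20."""
    return chacha20_xor(key, nonce, zlib.compress(implant))

def unpack_payload(blob, key=DEMO_KEY, nonce=DEMO_NONCE):
    """Analyst-side reversal: decrypt with the recovered key/nonce, then inflate. With a
    wrong key the stream is random bytes, so zlib.decompress raises zlib.error."""
    return zlib.decompress(chacha20_xor(key, nonce, blob))

def quarter_round_vector():
    """RFC 8439 section 2.1.1 test vector, to confirm the core is implemented correctly."""
    s = [0x11111111, 0x01020304, 0x9B8D6F43, 0x01234567]
    _quarter_round(s, 0, 1, 2, 3)
    return s
```

Because the compressed stream carries a zlib header, a failed inflate is a cheap signal that a candidate key or nonce pulled from a sample is wrong, which is handy when an analyst is testing several extracted constants.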

7. What detection names does Kaspersky use for this threat?

Kaspersky’s products detect the various components and variants of CrystalX under the following names:

  • Backdoor.Win64.CrystalX.*
  • Trojan.Win64.Agent.*
  • Trojan.Win32.Agentb.gen

These signatures cover the backdoor functionality, trojan agents, and generic detection for Win32 variants. Users should keep their antivirus definitions up to date to identify and block this threat effectively. Given that CrystalX actively markets itself through Telegram and YouTube, it may evolve quickly, so security vendors will likely adjust detection rules as new versions appear.

8. What is the significance of the prankware aspect?

The inclusion of prankware capabilities in CrystalX is significant because it represents a shift in malware design. Traditionally, RATs and stealers operate silently to avoid alerting the victim. CrystalX, however, allows attackers to actively engage with the user in annoying or amusing ways—like random pop-ups, forced screen movement, or playing sounds. This can be used to harass the victim, cause panic, or simply waste their time. While the pranks do not directly steal data, they can serve as a distraction, making the user less likely to notice the actual data theft occurring in the background. The combination of spyware and prankware makes CrystalX a unique and unsettling tool, appealing to a niche of cybercriminals who value disruption as much as information theft.