Cybersecurity firm Kaspersky has uncovered an active malicious campaign distributing a previously undocumented remote access trojan (RAT) that combines extensive data theft capabilities with an unusual “prankware” feature designed to psychologically taunt its victims.

Dubbed CrystalX RAT, the malware is being sold as malware-as-a-service (MaaS) and actively promoted on YouTube and Telegram, raising the likelihood of widespread adoption by a broad range of threat actors, including less technically skilled operators.

A 360-degree compromise tool

CrystalX RAT bundles stealer, keylogger, clipper, and spyware capabilities into a single implant. It collects system information, extracts credentials from Steam, Discord, and Telegram, and harvests data stored in web browsers. It also poses a direct threat to cryptocurrency users via a browser-based clipper that silently replaces crypto wallet addresses during transactions.

Beyond data theft, the malware enables full surveillance — capturing screenshots, recording microphone audio, and streaming video from both the victim’s webcam and screen.

Prankware adds psychological dimension to attacks

What sets CrystalX RAT apart is its prankware module, actively promoted by its developers. Operators can shake the victim’s mouse cursor, change screen orientation, hide desktop icons, alter wallpapers, force system shutdowns, and deliver real-time pop-up messages directly to the infected machine. While superficially disruptive, Kaspersky notes these features introduce a visible and distressing psychological element to attacks that goes beyond typical silent intrusions.

“Such a diverse feature set effectively enables a 360-degree compromise of the victim and a complete loss of privacy. Beyond gaining access to account credentials, the stolen data could potentially be used for blackmail. Our telemetry is already detecting new versions of the implants, indicating that this malware is still actively developed and maintained. We expect the number of victims to grow significantly and its geographic spread to expand in the near future.” — Leonid Bezvershenko, Senior Security Researcher, Kaspersky GReAT

How to stay protected

Kaspersky advises users to avoid opening files received via messaging apps or email from unknown sources, download software only from official or reputable sources, and enable file extension visibility in Windows settings to help identify suspicious executables. The use of a comprehensive security solution is also recommended. Full indicators of compromise are available on Securelist.com.

Author

  • Hello! I’m Mark, the founder of techcoffeehouse.com. I love a good plate of Chicken Rice. So, if you have a story as good as the dish, HMU!
