Cybersecurity researchers have identified a new malware-as-a-service platform called CrystalX RAT, which combines traditional surveillance tools with disruptive prank-style features. According to Kaspersky, the service is being actively promoted online and could see rapid growth in victims.
Researchers said CrystalX RAT offers a wide range of capabilities beyond standard spyware functions, including features designed to disturb or harass victims. Its promotion through organized campaigns has raised concerns about wider adoption.
CrystalX RAT enables attackers to remotely control infected systems. It supports command execution, file uploads and downloads, file system access, real-time control, and forced system shutdown.
For data theft, the malware includes keylogging, clipboard hijacking, and the ability to extract data from browsers and desktop applications such as Steam, Discord, and Telegram.
It also supports surveillance features, including capturing video through a device’s camera and recording audio through the microphone.
In addition to espionage tools, the malware includes several disruptive functions. These allow attackers to change wallpapers, alter screen orientation, display fake notifications, move the cursor, hide desktop elements such as icons and the taskbar, disable system tools, and remap mouse controls.
The malware also includes a built-in chat window, enabling attackers to communicate directly with victims, including sending messages to intimidate or demand money.
Kaspersky reported that CrystalX RAT is sold using a tiered subscription model, although pricing details were not disclosed. The service is primarily promoted through Telegram, with additional promotion via YouTube channels demonstrating its capabilities.
Researchers noted that the inclusion of prank features may also serve as a marketing strategy to distinguish the service from other malware offerings.
According to Kaspersky, CrystalX RAT appears to target less experienced attackers, often referred to as script kiddies. Despite this, it includes advanced features such as geoblocking, executable customization, anti-debugging tools, and virtual machine detection.
The malware shares similarities with WebRAT, from which some of its features appear to be derived.
The exact number of victims remains unclear, though researchers said the malware has already affected dozens of users. Most reported cases are in Russia, according to Leonid Bezvershenko, a senior security researcher at Kaspersky GReAT.
Researchers believe the malware spreads through social engineering tactics, including fake software cracks, fraudulent premium services, and activation tools.
They warned that the malware enables complete system compromise, including access to personal data that could be used for blackmail. Kaspersky expects both the number of victims and the malware's geographic reach to increase.