PROBABLYPWNED
Malware | April 2, 2026 | 5 min read

CrystalX RAT Flips Screens While Emptying Crypto Wallets

Kaspersky exposes CrystalX RAT, a new malware-as-a-service combining stealer, RAT, and prankware. It rotates screens, swaps mouse buttons, and drains crypto via clipboard hijacking.

James Rivera

A new malware-as-a-service offering blends credential theft, remote access, and something rarely seen in commercial malware: built-in features to torment victims by flipping their screens, swapping mouse buttons, and forcing chat windows open.

Kaspersky researchers published their analysis of CrystalX RAT on April 1, 2026, after discovering the malware being actively marketed on Telegram channels. What sets it apart from the crowded infostealer market isn't just its technical capabilities—it's the deliberate inclusion of "prankware" functions that let operators mock victims in real time.

From WebCrystal to CrystalX

The malware first appeared in January 2026 in private Telegram channels under the name "WebCrystal RAT." By March, it had been rebranded as CrystalX RAT and launched an aggressive marketing push including YouTube videos framed as "educational tutorials."

Kaspersky notes that CrystalX shares "strong similarities to WebRAT (Salat Stealer), including the same panel design, Go-based code, and a similar bot-based sales system." The connection suggests the developer either cloned WebRAT's infrastructure or is the same actor operating under a new brand.

The malware is sold on a subscription model with three pricing tiers. Each customer receives a uniquely encrypted build: the payload is zlib-compressed and then encrypted with ChaCha20 using a 256-bit key and 96-bit nonce that are hard-coded into the build. Because the key material ships inside the sample, an analyst who recovers it from the loader can decrypt and decompress the payload statically, without ever running it.

Credential Theft That Bypasses Chrome's Protections

CrystalX targets credentials stored in Steam, Discord, Telegram, and all Chromium-based browsers. For Chrome and Edge, it deploys a utility called ChromeElevator to extract saved passwords despite Chrome's app-bound encryption introduced to block exactly this kind of attack.

Separate extraction modules handle Yandex and Opera browsers, which use different storage mechanisms.

The stealer component mirrors what we've seen in active campaigns from AuraStealer and Lumma Stealer—both of which have dominated infostealer distribution in early 2026. CrystalX joins an increasingly competitive market where operators differentiate through pricing, features, and support responsiveness.

Real-Time Keylogging and Cryptoclipping

Beyond static credential theft, CrystalX includes a keylogger that streams captured keystrokes to the command-and-control server over WebSocket in real time. Operators can watch victims type passwords, messages, and sensitive data as it happens.

The cryptoclipping function monitors the Windows clipboard for cryptocurrency wallet addresses. When detected, the malware silently replaces the address with one controlled by the attacker. Kaspersky confirmed support for Bitcoin, Litecoin, Monero, Avalanche, and Dogecoin wallets. Victims who copy-paste wallet addresses for transactions end up sending funds to attackers instead of their intended recipients.

This technique isn't new, but CrystalX's implementation injects the clipper into running Chrome and Edge processes, so the address swap executes inside a browser the victim already has open rather than in a separate malware process that would stand out in a process listing.
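The clipper logic itself is little more than a set of address-format checks and a string replacement, which is why the defensive check is equally simple. The following is an added example, not CrystalX code, showing both sides for the coin families Kaspersky lists: the swap a clipper performs, and the compare-before-send check a wallet front end or user script can apply. The attacker wallets and Monero/Dogecoin addresses are constructed placeholders (the Bitcoin address is a well-known public example); the regexes are format checks only, with no checksum validation, which is all a clipper needs.

```python
"""Cryptoclipper address swap and the defensive paste check (added example)."""
import re

# One format pattern per coin family named in the report (format only, no checksum).
WALLET_PATTERNS = {
    "bitcoin":   re.compile(r"\b(?:bc1[a-z0-9]{39,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"),
    "litecoin":  re.compile(r"\b(?:ltc1[a-z0-9]{39,59}|[LM][a-km-zA-HJ-NP-Z1-9]{26,33})\b"),
    "monero":    re.compile(r"\b4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b"),
    "avalanche": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),          # C-chain, EVM-style
    "dogecoin":  re.compile(r"\bD[5-9A-HJ-NP-U][1-9A-HJ-NP-Za-km-z]{32}\b"),
}

# Constructed attacker-controlled wallets (placeholders, not real addresses).
ATTACKER_WALLETS = {
    "bitcoin": "1AttackerAddrPhonyxxxxxxxxxxxxxxxx",
    "monero": "4A" + "y" * 93,
    "dogecoin": "DF" + "z" * 32,
}


def classify(address):
    """Return the coin family an address looks like, or None."""
    for coin, pat in WALLET_PATTERNS.items():
        if pat.fullmatch(address):
            return coin
    return None


def swap_addresses(text, attacker_wallets):
    """What the clipper does: rewrite every recognised address in the
    clipboard text to the attacker's wallet for that coin.
    Returns (rewritten_text, [(coin, original, replacement), ...])."""
    swaps = []
    for coin, pat in WALLET_PATTERNS.items():
        target = attacker_wallets.get(coin)
        if target is None:
            continue

        def replace(m, coin=coin, target=target):
            if m.group(0) != target:
                swaps.append((coin, m.group(0), target))
            return target

        text = pat.sub(replace, text)
    return text, swaps


def verify_paste(copied, pasted):
    """Defensive check: what lands in the destination field must be
    byte-identical to what the user copied. Returns (ok, reason)."""
    if copied == pasted:
        return True, None
    kind = classify(pasted) or "unknown"
    return False, f"clipboard altered: a {kind} address was substituted"


# Constructed clipboard contents for the demo.
VICTIM_BTC = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"
SAMPLE_CLIPBOARD = f"pay 0.01 BTC to {VICTIM_BTC} thanks"

if __name__ == "__main__":
    rewritten, swaps = swap_addresses(SAMPLE_CLIPBOARD, ATTACKER_WALLETS)
    print(rewritten, swaps, verify_paste(VICTIM_BTC, ATTACKER_WALLETS["bitcoin"]))
```

The check in verify_paste is deliberately dumb: the malware swaps the address after the copy and before the paste, so any comparison that runs on the user's side of the paste (a wallet app re-reading the clipboard, a browser extension, the user reading the address on a hardware wallet screen) catches it without needing to know the attacker's addresses.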

Prankware: Mockery as a Feature

The prankware capabilities distinguish CrystalX from typical commercial RATs. Operators can:

  • Rotate the victim's screen 90, 180, or 270 degrees
  • Swap left and right mouse buttons
  • Add a persistent cursor shake effect
  • Change the desktop wallpaper to any image URL
  • Block keyboard input entirely
  • Hide the Windows taskbar, Task Manager, and command prompt
  • Display arbitrary fake notification popups
  • Force shutdown the computer
  • Open a two-way chat window to communicate directly with the victim

These aren't incidental features—they're prominently advertised in marketing materials. The inclusion suggests CrystalX operators either target victims for harassment alongside profit, or the developers designed it for scenarios where psychological intimidation serves a purpose.

The chat function is particularly unusual. While most RATs operate silently to avoid detection, CrystalX lets operators announce their presence and interact with victims. Whether this serves extortion purposes, personal entertainment, or some form of hacktivism remains unclear.

Anti-Analysis and Evasion

CrystalX employs multiple layers of detection evasion:

  • VM detection: Checks for VMware, VirtualBox, and Hyper-V guest tools through process enumeration and hardware characteristics
  • Debugger detection: Runs a continuously looping check for process debug flags, hardware breakpoints in the debug registers, and suspicious execution timing
  • Proxy detection: Looks for proxy settings in the registry and for common interception tools (Fiddler, Burp Suite, mitmproxy)
  • Security bypasses: Patches AmsiScanBuffer (blinding AMSI-based script scanning), EtwEventWrite (silencing the ETW telemetry that Windows Defender and EDR products consume), and MiniDumpWriteDump (preventing process-memory dumps used in forensic analysis)

The anti-analysis package means security researchers need to invest significant effort to study the malware—a selling point for operators who want to avoid takedowns.
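Patches of AmsiScanBuffer, EtwEventWrite and MiniDumpWriteDump are in-process modifications, so the cheapest detection is to compare the first bytes of each export in a live process against the same bytes in the DLL on disk and to recognise the handful of stubs malware typically writes there. The following is an added example, not Kaspersky's or CrystalX's code. It works on byte snapshots so it runs offline; the "clean" prologue and the patched variants below are constructed stand-ins, not the real bytes of amsi.dll, ntdll.dll or dbghelp.dll, and on a live host you would read the in-memory bytes with something like ReadProcessMemory and the reference bytes from the mapped file on disk.

```python
"""Flagging inline patches at function entry from memory snapshots (added example)."""

# Stubs commonly written over an export's first bytes (x64). Order matters:
# longer, more specific stubs first so a bare `ret` does not shadow them.
PATCH_SIGNATURES = [
    (b"\xb8\x57\x00\x07\x80\xc3", "mov eax,0x80070057; ret (E_INVALIDARG, classic AmsiScanBuffer patch)"),
    (b"\x31\xc0\xc3",             "xor eax,eax; ret (returns 0, e.g. STATUS_SUCCESS for EtwEventWrite)"),
    (b"\xc3",                     "ret (function neutered)"),
    (b"\xe9",                     "jmp rel32 (inline hook / trampoline)"),
    (b"\xff\x25",                 "jmp [rip+disp32] (inline hook via absolute pointer)"),
]


def _is_mov_rax_jmp_rax(mem):
    """12-byte absolute jump: 48 B8 <imm64> FF E0."""
    return mem[:2] == b"\x48\xb8" and mem[10:12] == b"\xff\xe0"


def classify_prologue(mem, disk=None, window=16):
    """Classify the first `window` bytes of a function.
    Returns (verdict, detail) with verdict in {clean, patched, modified, unknown}."""
    mem = bytes(mem[:window])
    n = 0
    if disk is not None:
        disk = bytes(disk[:window])
        n = min(len(mem), len(disk))
        if n and mem[:n] == disk[:n]:
            return "clean", "in-memory entry bytes match the on-disk image"
    for sig, desc in PATCH_SIGNATURES:
        if mem.startswith(sig):
            return "patched", desc
    if _is_mov_rax_jmp_rax(mem):
        return "patched", "mov rax,imm64; jmp rax (absolute jump hook)"
    if n:
        off = next(i for i in range(n) if mem[i] != disk[i])
        return "modified", f"differs from on-disk image at entry offset {off} (unknown stub)"
    return "unknown", "no clean reference and no known stub at entry"


def audit(snapshot):
    """snapshot: {export_name: (in_memory_bytes, on_disk_bytes_or_None)}.
    Returns [(export_name, verdict, detail), ...]."""
    return [(name,) + classify_prologue(mem, disk) for name, (mem, disk) in snapshot.items()]


# Constructed stand-in for a clean x64 prologue (not real DLL bytes).
CLEAN = b"\x4c\x8b\xdc\x49\x89\x5b\x08\x49\x89\x73\x10\x57\x48\x83\xec\x70"

# Constructed snapshot: two exports overwritten, one untouched.
DEMO_SNAPSHOT = {
    "amsi.dll!AmsiScanBuffer":       (b"\xb8\x57\x00\x07\x80\xc3" + CLEAN[6:], CLEAN),
    "ntdll.dll!EtwEventWrite":       (b"\x31\xc0\xc3" + CLEAN[3:], CLEAN),
    "dbghelp.dll!MiniDumpWriteDump": (CLEAN, CLEAN),
}

if __name__ == "__main__":
    for row in audit(DEMO_SNAPSHOT):
        print(*row, sep=" | ")
```

Keep the window small (16 bytes is plenty): further into the function, legitimate differences appear, for example from hot-patching or import thunks, and you start chasing false positives. A "modified" verdict with no recognised stub still deserves a look, since a patch written in a less common form is exactly what an author who reads detection write-ups would switch to.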

Indicators of Compromise

Kaspersky published the following IOCs:

C2 Domains:

  • webcrystal[.]lol
  • webcrystal[.]sbs
  • crystalxrat[.]top

Sample Hashes (MD5):

  • 47ACCB0ECFE8CCD466752DDE1864F3B0
  • 2DBE6DE177241C144D06355C381B868C
  • 49C74B302BFA32E45B7C1C5780DD0976
  • 88C60DF2A1414CBF24430A74AE9836E0
  • E540E9797E3B814BFE0A82155DFE135D

Kaspersky detects the malware as Backdoor.Win64.CrystalX., Trojan.Win64.Agent., and Trojan.Win32.Agentb.gen.
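The published IOCs are few enough to turn straight into a sweep: match the C2 domains (and any subdomain of them) in DNS or proxy logs, and compare file hashes on disk against the sample list. The following is an added example, not Kaspersky tooling; the domains and MD5s are the ones listed above, while the log lines and the file it hashes are constructed for the demo.

```python
"""Sweep logs and files for the published CrystalX IOCs (added example)."""
import hashlib
import os
import re
import tempfile

C2_DOMAINS_DEFANGED = ["webcrystal[.]lol", "webcrystal[.]sbs", "crystalxrat[.]top"]
SAMPLE_MD5S = {
    "47ACCB0ECFE8CCD466752DDE1864F3B0",
    "2DBE6DE177241C144D06355C381B868C",
    "49C74B302BFA32E45B7C1C5780DD0976",
    "88C60DF2A1414CBF24430A74AE9836E0",
    "E540E9797E3B814BFE0A82155DFE135D",
}


def refang(domain):
    """Turn the defanged 'a[.]b' form back into a matchable hostname."""
    return domain.replace("[.]", ".").lower()


C2_DOMAINS = {refang(d) for d in C2_DOMAINS_DEFANGED}
_HOST_TOKEN = re.compile(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def domain_hits(log_lines):
    """Return [(line_no, c2_domain)] for lines naming a C2 domain or a
    subdomain of one. Suffix matching is anchored on a dot so that a
    look-alike such as notwebcrystal.lol does not match."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        for token in _HOST_TOKEN.findall(line):
            host = token.lower().rstrip(".")
            for c2 in C2_DOMAINS:
                if host == c2 or host.endswith("." + c2):
                    hits.append((line_no, c2))
                    break
    return hits


def md5_bytes(data):
    return hashlib.md5(data).hexdigest().upper()


def md5_of_file(path, chunk=1 << 20):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()


def hash_hits(root):
    """Walk a directory tree and return [(path, md5)] for files on the sample list."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = md5_of_file(path)
            except OSError:
                continue
            if digest in SAMPLE_MD5S:
                hits.append((path, digest))
    return hits


# Constructed DNS log lines (made up for the demo).
SAMPLE_DNS_LOG = [
    "2026-04-01T09:58:03Z client=10.0.0.12 query=api.webcrystal.lol type=A",
    "2026-04-01T09:58:04Z client=10.0.0.12 query=update.microsoft.com type=A",
    "2026-04-01T09:58:09Z client=10.0.0.31 query=notwebcrystal.lol type=A",
    "2026-04-01T09:58:12Z client=10.0.0.12 query=crystalxrat.top type=A",
]


def demo_hash_sweep():
    """Create a throwaway directory with one benign file and sweep it.
    Returns (hits, md5_of_that_file); hits is empty because the file is benign."""
    with tempfile.TemporaryDirectory() as root:
        path = os.path.join(root, "benign.bin")
        with open(path, "wb") as f:
            f.write(b"constructed benign content\n")
        return hash_hits(root), md5_of_file(path)


if __name__ == "__main__":
    print(domain_hits(SAMPLE_DNS_LOG))
    print(demo_hash_sweep())
```

Hash matching only catches the five builds Kaspersky saw; because every customer gets a uniquely encrypted build, the domain matches and the behavioural signals above (browser-process injection, clipboard rewrites, patched AMSI/ETW exports) will carry more weight than the hash list over time.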

Geographic Scope and Outlook

Initial infections have been observed exclusively in Russia, but the MaaS platform imposes no regional restrictions. Given the active marketing campaign on Telegram and YouTube, Kaspersky expects infections to spread globally.

The combination of proven stealer techniques with novel prankware features makes CrystalX a threat worth monitoring. Research shows that stolen credentials reach dark web markets within 48 hours of infection—a timeline that leaves little room for organizations to respond before attackers monetize access.

Why This Matters

CrystalX represents the maturation of malware-as-a-service into a product category with real feature differentiation. The prankware additions aren't technically sophisticated, but they signal a market where operators compete on more than just stealer capabilities.

For defenders, the immediate concern is the ChromeElevator bypass and clipboard hijacking. Organizations handling cryptocurrency should require hardware wallets for any significant transfer, with the caveat that a hardware wallet only helps if the sender confirms the destination address on the device's own screen: the clipper swaps the address before it ever reaches the wallet software, so a blind approval signs the attacker's transaction. Browser-based credential managers remain high-value targets; credential managers with OS-level protection or hardware-backed authentication offer better resistance to this class of attack.

The campaign also reinforces the risk of pirated software and "free tools" promoted through Telegram and YouTube. Both platforms have been distribution vectors for Vidar and other infostealers through fake CAPTCHA pages and ClickFix social engineering. CrystalX's operators are using the same playbook.
