In the world of cybercrime, malware is typically designed for one of two things: stealthy espionage or blatant financial theft. However, a new threat discovered by Kaspersky is breaking the mold by adding a third, more personal objective: prankware.
First identified in March 2026, when it was being promoted in private Telegram chats, CrystalX RAT is sold as Malware-as-a-Service (MaaS) with a toolkit that is as versatile as it is mean-spirited.
CrystalX isn’t just a simple backdoor. It is a Swiss Army knife of malicious code, offered in three subscription tiers to suit different criminal budgets. On the attacker’s control panel, standard features like a stealer, keylogger, and spyware sit alongside far more unusual capabilities.
What makes this Trojan truly unique is its dedicated “prankware” module. This suite of features is designed specifically to “trick, annoy, and troll the user”.
The prankware arsenal includes:
- Cursor Shake: A command that causes the victim’s mouse cursor to move chaotically at short intervals.
- Input Blocking: Completely disabling the user’s ability to use their mouse or keyboard.
- Component Disabling: Hiding all desktop icons or disabling the Taskbar, Task Manager, and Command Prompt.
- Custom Notifications: Displaying windows with custom messages to startle or confuse the victim.
Beyond automated pranks, CrystalX allows for direct interaction. The malware supports a bidirectional chat feature, enabling the attacker to open a dialog window on the victim’s system and send messages.
While the name “CrystalX” (or Webcrystal RAT) is new, researchers have noted striking similarities to older malware. The web panel layout is nearly identical to the previously known WebRAT (also called Salat Stealer), leading many in the developer community to label it a copy.
Regardless of its lineage, the malware is under active development. As Kaspersky’s report notes:
“Our telemetry has recorded new implant versions, which indicates that this malware is still being actively developed and maintained”.
Currently, the majority of infection attempts have been recorded in Russia, but the MaaS platform has no regional restrictions and could be used against targets anywhere in the world. Because it is written in Go, a language known for its cross-platform compatibility, it poses a flexible threat to various systems.
The report concludes with a warning about the professionalization of these “trolling” tools:
“CrystalX RAT represents a highly functional MaaS platform that is not limited to espionage capabilities… but includes unique stealer and prankware features”.
With an aggressive PR campaign currently running on Telegram, researchers expect the number of victims to increase significantly in the near future. Security professionals are advised to monitor for unauthorized remote access tools and unusual system behavior that might indicate a “prank” is actually a serious security breach.