CrystalRAT: New Malware-as-a-Service Blends Data Theft with Prankware
A new Malware-as-a-Service (MaaS) called **CrystalRAT** is making waves on **Telegram**, offering a unique blend of remote access, data theft, and prankware features. Marketed through dedicated channels, this RAT aims to attract both serious cybercriminals and less-skilled actors.

**CrystalRAT**, which emerged in January with a tiered subscription model, provides remote access, data theft, keylogging, and clipboard hijacking capabilities. **Kaspersky** researchers have noted strong similarities to **WebRAT** (Salat Stealer), including the panel design, **Go**-based code, and bot-based sales system.
## CrystalX RAT: Technical Deep Dive
According to **Kaspersky**, the malware boasts a user-friendly control panel and an automated builder tool with customization options like geoblocking, executable customization, and anti-analysis features (anti-debugging, VM detection, proxy detection, etc.).
The generated payloads are protected using zlib compression and **ChaCha20** symmetric stream cipher encryption.
Communication with the command-and-control (C2) server occurs via WebSocket, transmitting host information for profiling and infection tracking.

*Telegram channel promoting CrystalX RAT. Source: Kaspersky*
CrystalX's infostealer component, currently undergoing an upgrade, targets **Chromium**-based browsers (via the ChromeElevator tool), **Yandex**, and **Opera**. It also harvests data from desktop applications like **Steam**, **Discord**, and **Telegram**.
The remote access module enables command execution via CMD, file upload/download, file system browsing, and real-time machine control through built-in VNC.
Additionally, **CrystalX** has spyware capabilities, including video capture and audio capture from the microphone. It also includes a keylogger that streams keystrokes to the C2 in real time and a clipper tool that swaps wallet addresses in the clipboard.

*Remote desktop function in CrystalX RAT panel. Source: Kaspersky*
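
The clipper behaviour described above, a wallet address in the clipboard being replaced by a different one, can be detected from clipboard telemetry. The Python below is an added example, not code from Kaspersky or from the malware; the `ClipEvent` record, the address patterns, the two-second window and the sample events are assumptions constructed for illustration.

```python
import re
from typing import NamedTuple

# Assumed address shapes: format check only, no checksum validation.
WALLET_PATTERNS = {
    "btc_legacy": re.compile(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}"),
    "btc_bech32": re.compile(r"bc1[02-9ac-hj-np-z]{11,71}"),
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
}

class ClipEvent(NamedTuple):  # hypothetical telemetry record
    ts: float   # observation time in seconds
    text: str   # clipboard text seen at that time

def wallet_kind(text):
    """Return the address type if the whole clipboard text is one address."""
    candidate = text.strip()
    for kind, pattern in WALLET_PATTERNS.items():
        if pattern.fullmatch(candidate):
            return kind
    return None

def find_swaps(events, max_gap=2.0):
    """Flag an address replaced by a different address of the same type
    within max_gap seconds, faster than a user would normally re-copy."""
    alerts, prev, prev_kind = [], None, None
    for ev in events:
        kind = wallet_kind(ev.text)
        if (kind and kind == prev_kind
                and ev.text.strip() != prev.text.strip()
                and ev.ts - prev.ts <= max_gap):
            alerts.append((prev, ev, kind))
        prev, prev_kind = ev, kind
    return alerts

# Constructed sample values (not real wallets).
ETH_A, ETH_B = "0x" + "11" * 20, "0x" + "22" * 20
BTC_A, BTC_B = "1" + "A" * 30, "1" + "B" * 30
SAMPLE_EVENTS = [
    ClipEvent(10.0, "meeting at 3pm"),
    ClipEvent(42.0, ETH_A),
    ClipEvent(42.3, ETH_B),    # replaced 0.3 s after the copy: flagged
    ClipEvent(90.0, BTC_A),
    ClipEvent(300.0, BTC_B),   # different address minutes later: not flagged
]

if __name__ == "__main__":
    for old, new, kind in find_swaps(SAMPLE_EVENTS):
        print(f"possible clipper: {kind} {old.text} -> {new.text}")
```
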
## The Prankware Element
What distinguishes **CrystalX** is its array of prankware features, which include:
* Changing the desktop wallpaper
* Altering display orientation
* Forcing system shutdown
* Remapping mouse buttons
* Disabling input devices (keyboard/mouse/monitor)
* Displaying fake notifications
* Changing the cursor position
* Hiding desktop icons, the taskbar, Task Manager, and the Command Prompt executable
* Providing an attacker-victim chat window

While seemingly frivolous, these features could serve as a distraction while data theft occurs or attract less sophisticated threat actors.
To mitigate the risk of infection, users should exercise caution when interacting with online content and avoid downloading software from untrusted sources.