The RAT can monitor the device's clipboard and automatically replace copied cryptocurrency wallet addresses with those belonging to the attacker.
, designed to grant attackers full remote control over compromised mobile devices. Sold as a "Malware-as-a-Service" (MaaS) offering, it is often bundled with its more advanced successor, , which features even more aggressive capabilities like Google Play Protect bypass and live screen monitoring.

The Architect: EVLF DEV

Identity & Origin: Investigation by
It hides its presence, often using rootkit techniques to avoid detection by security software [2].

How the Threat Spreads
As an EVLF exclusive, we provide you with the following IOCs to help you detect and respond to Cypher RAT:
Instead of using these RATs for targeted, solitary attacks, EVLF adopted the model. Since around September 2022, EVLF has operated an exclusive web shop to advertise their wares, offering comprehensive toolkits to other cybercriminals. Over a three-year span, approximately 100 unique threat actors purchased lifetime licenses to use CypherRAT and CraxsRAT, utilizing EVLF's creations to launch their own malicious campaigns.

The Arsenal: CypherRAT and CraxsRAT
Regularly updating software to prevent exploit kits from functioning.
In August 2023, the Singapore-based cybersecurity firm published an exclusive, in-depth report that tore down the wall of anonymity surrounding the hacker, identifying him as the creator of both CypherRAT and CraxsRAT.
Can remotely activate the device's camera and microphone to take photos or record audio.

Data Exfiltration:
The digital threat landscape is constantly evolving, with new, sophisticated malware variants emerging to bypass security measures. Among the latest concerning developments is a specialized, high-tier iteration known as the . This advanced remote access trojan (RAT) has gained attention for its stealthy capabilities, targeting systems while minimizing its digital footprint.
Be wary of apps that demand high-level accessibility permissions.
Cypher RAT operates by masquerading as legitimate applications (such as media players, games, or utility tools). Once installed on a victim's smartphone, it establishes a reverse shell connection back to the attacker's Command and Control (C2) server.

Key Capabilities and Permissions