Free | Craxs Rat
Craxs RAT is a sophisticated and dangerous Remote Access Trojan (RAT) designed specifically for the Android operating system. Developed by a threat actor known as EVLF, who is believed to be based in Syria, it evolved from the leaked source code of Spymax (also known as SpyNote). Today it is sold as "Malware-as-a-Service" (MaaS) on platforms like Telegram, giving cybercriminals advanced tools to completely hijack mobile devices.
Core Capabilities and Features
The primary goal of Craxs RAT is to grant an attacker full remote control over an infected device. Its feature set includes:
Live Screen Control (VNC): Attackers can view the device screen in real-time at up to 60 FPS, perform gestures, and use the device's keyboard.
Surveillance: Silent recording of audio via the microphone, taking secret photos using both front and rear cameras, and tracking the device's live GPS location.
Data Exfiltration: Complete access to the file manager (download/upload), reading and sending SMS messages, and extracting contact lists and call logs.
Security Bypass: It is particularly notorious for its ability to bypass Google Play Protect, as well as black screens used by banking and crypto apps to prevent screen capturing.
Keylogging and Screen Reading: Captures everything typed by the user and can scan the screen to steal secret recovery phrases from crypto wallets like Trust Wallet or capture Google Authenticator codes.
Deployment and Evolution
Craxs RAT is typically distributed through social engineering and phishing campaigns:
Infection Vector: Victims are often lured into downloading malicious APK files disguised as legitimate apps, such as updates for government services (e.g., "Mincifry" in Russia) or anti-virus software.
Persistence: Once installed, the malware uses Accessibility Services to grant itself extensive permissions automatically. It also employs anti-deletion mechanisms, such as closing the "Uninstall" or "Device Admin" screens if a user tries to access them.
Recent Versions: The developer released Craxs RAT v7.5 in April 2024, which introduced even more robust obfuscation and stealth features. A successor or related variant known as G700 RAT has also been identified, targeting financial and cryptocurrency environments.
Pricing and Availability
The tool is marketed on specialized hacker forums and Telegram channels.
Craxs RAT is a highly dangerous Android Remote Access Trojan (RAT) developed by a threat actor known as EVLF. It is sold as a tool for cybercriminals to create "binded" or fake applications that look legitimate but grant attackers total control over a victim's mobile device.
Core Capabilities
Craxs RAT is designed for stealth and complete data harvesting. Key features include:
Real-time Remote Control: Attackers can view the screen, take screenshots, and manipulate the device.
Data Exfiltration: It steals banking credentials, SMS messages, call logs, contacts, and WhatsApp data.
Surveillance: The malware can record audio through the microphone and even activate cameras.
Accessibility Exploitation: It abuses Android's Accessibility Services to bypass security prompts and automate malicious actions.
Evolution & Distribution
Origin: Developed by EVLF, who sells versions (up to version 7.5 as of early 2024) via dedicated Telegram channels.
Targeting: Heavily used in financial scams across Southeast Asia (particularly Singapore and Malaysia).
New Variants: A sophisticated evolution known as G700 has been identified, marketing itself as the "next generation" of Craxs RAT with enhanced evasion tactics.
Common Attack Scenarios
Phishing: Victims are directed to malicious websites via SMS or social media to download "utility" apps, "discount" shopping apps, or fake anti-scam tools.
Social Engineering: Threat actors sometimes impersonate authority figures (e.g., senior officers) on WhatsApp to trick users into installing the payload.
Fake Branding: Campaigns have impersonated over 10 different brands, including pet grooming salons and dumpling shops, to lure victims.
Recommended Protections
Avoid Unofficial Sources: Never download apps (.APK files) from third-party websites or links sent via message.
Check Permissions: Be extremely wary of apps asking for "Accessibility" or "Device Administrator" permissions unless there is a clear, legitimate reason.
Use Security Software: Use reputable mobile antivirus that can flag known signatures of Craxs RAT.
Official Reporting: If compromised, report the incident to authorities such as the FBI IC3 or your local cybercrime unit.
The following essay explores Craxs RAT, one of the most sophisticated and dangerous Remote Access Trojans (RATs) targeting Android devices today.
The Invisible Hijacker: Unmasking Craxs RAT
In the quiet, high-stakes arena of modern cybersecurity, a new predator has emerged to challenge the safety of the world's most popular mobile operating system. Known as Craxs RAT, this potent piece of malware has evolved from a simple surveillance tool into a comprehensive "Malware-as-a-Service" (MaaS) platform. Operating in the shadows, it grants attackers near-total control over a victim's digital life, often before they even realize their security has been breached.
Origins and the "EVLF" Legacy
The story of Craxs RAT begins with the leak of the Spymax RAT source code in 2020. A developer operating under the moniker EVLF, believed to be based in Syria, took this foundation and refined it into a far more lethal tool. Unlike generic malware, Craxs RAT is sold as a professional builder, allowing even low-skilled cybercriminals to generate custom malicious apps for a fee. This commercialization has fueled its rapid spread across global hacker forums and Telegram channels.
Technical Sophistication and Capabilities
What makes Craxs RAT particularly terrifying is its ability to bypass standard security measures like Google Play Protect. Once installed, typically through phishing links or fake APKs disguised as legitimate apps, it requests extensive permissions, including access to Accessibility Services. This is the key to its power; by hijacking these services, the RAT can:
Monitor and Record: It can silently record calls, capture live screen video, and activate the camera or microphone without the user's knowledge.
Harvest Data: It intercepts SMS messages to steal One-Time Passwords (OTPs), effectively bypassing two-factor authentication (2FA) for banking and cryptocurrency apps.
Manipulate Interaction: Advanced versions can perform "automatic screen unlocks" and even block the user from uninstalling the app by crashing the settings page whenever they try.
Real-World Impact: The Malaysian and Singaporean Campaigns
The lethality of this malware was put on full display during coordinated fraud campaigns in Southeast Asia. In 2024, researchers documented cases where victims in Malaysia lost their life savings within 20 minutes of installing a fake app. The attackers used phishing sites that mimicked local food brands and retail services, tricking users into downloading what they thought were harmless shopping tools.
Defending the Digital Frontier
As Craxs RAT continues to evolve, defensive strategies must move beyond simple antivirus scans. Security experts emphasize that the best defense is proactive prevention. This includes:
Sticking to Official Stores: Only downloading apps from the Google Play Store, which employs rigorous vetting.
Scrutinizing Permissions: Being extremely wary of any app that asks for "Accessibility" or "Device Admin" rights without a clear, logical reason.
Vigilance Against Phishing: Treating unsolicited links in SMS or emails with high skepticism.
Conclusion
Craxs RAT represents a paradigm shift in mobile threats. It is no longer just "code"; it is a thriving underground industry that preys on human psychology and technical loopholes. As our smartphones become more central to our financial and personal identities, understanding the invisible reach of tools like Craxs RAT is the first step in reclaiming our digital security.
Craxs RAT is an advanced Remote Access Trojan (RAT) primarily targeting Android devices. While sometimes marketed by its creator (EVLF) or on forums as a "professional-grade management tool", it is widely classified by cybersecurity experts at Group-IB and CYFIRMA as a sophisticated malware tool used for unauthorized surveillance and data theft. Key features of Craxs RAT include:
Title: Understanding Craxs Rat: Anatomy of a Modern Android Trojan
Introduction
In the evolving landscape of cybersecurity threats, the "Craxs Rat" (Remote Access Trojan) has emerged as a significant menace, particularly targeting the Android ecosystem. Known for its advanced capabilities and accessibility on underground forums, Craxs represents a shift in how threat actors compromise mobile devices. Unlike early-generation mobile malware that focused solely on stealing contacts or sending premium SMS messages, Craxs Rat provides attackers with near-total control over infected devices.
This write-up provides an informative overview of Craxs Rat, detailing its technical capabilities, infection vectors, and the risks it poses to users and organizations.
What is Craxs Rat?
Craxs Rat is a type of Android malware classified as a Remote Access Trojan. Its primary function is to allow a remote operator to control an infected device without the user's knowledge. It is often marketed on hacker forums and Telegram channels as a "Malware-as-a-Service" (MaaS) product, meaning individuals with little to no coding experience can purchase the software and use it to launch attacks.
It is considered a successor or a more advanced iteration of older Trojans like L3MON, incorporating improved evasion techniques and a wider array of malicious functionalities.
Technical Capabilities
Craxs Rat is notorious for its extensive feature set, which transforms the victim's phone into a surveillance tool. Key capabilities include:
- Accessibility Service Abuse: Like many modern Android Trojans, Craxs exploits Android's Accessibility Services. This allows the malware to simulate screen touches, intercept keystrokes, and bypass security prompts. This permission effectively gives the malware "god mode" over the device.
- Financial Theft: Craxs is frequently used to steal banking credentials. It can overlay fake screens on top of legitimate banking apps (a technique known as "phishing" or "vishing") to harvest usernames, passwords, and credit card details.
- Data Exfiltration: The Trojan can steal sensitive data, including SMS messages (useful for intercepting 2FA codes), call logs, contact lists, and files stored on the device.
- Surveillance: Craxs can record audio using the microphone, take photos with the cameras, and track the device's GPS location in real-time.
- Notification Hijacking: A critical feature of Craxs is its ability to read and manage notifications. This allows the attacker to intercept OTPs (One-Time Passwords) sent via banking or social media apps before the user even sees them.
- Persistence and Defense Evasion: The malware employs various techniques to remain undetected. It may hide its icon from the app drawer, request permissions to ignore battery optimization (to stop the system from killing the malicious process), and prevent users from uninstalling it by blocking security settings.
Infection Vectors
Craxs Rat typically spreads through methods that rely on social engineering rather than technical exploits of the operating system itself. Common distribution channels include:
- Fake Applications: Malicious APK files disguised as legitimate apps (e.g., browsers, file managers, games, or tools like Adobe Flash Player) are hosted on third-party websites or shared via messaging apps.
- Phishing Campaigns: Attackers send emails or SMS messages containing malicious links. These messages often impersonate government agencies, delivery services, or banks to trick the user into downloading the payload.
- Side-loading: Because Craxs is not typically found on the official Google Play Store, it relies on users disabling security settings to install apps from "Unknown Sources."
Indicators of Compromise (IoCs)
Users who suspect they may be infected should look for the following signs:
- Performance Issues: Sudden battery drain, overheating, or sluggish performance due to background malicious activity.
- Unusual Data Usage: Higher than normal data consumption as the Trojan uploads stolen data to the command-and-control (C2) server.
- App Behavior: Apps requesting Accessibility Services without a clear need (e.g., a flashlight app asking for permission to view and control the screen).
- Disabled Security: Finding that Google Play Protect has been disabled without user intervention.
Mitigation and Prevention
Protecting against Craxs Rat requires a combination of user awareness and technical hygiene:
- Avoid Side-loading: Refrain from downloading APK files from untrusted third-party sources. Stick to the official Google Play Store, which employs Google Play Protect to scan for malware.
- Scrutinize Permissions: Be highly suspicious of apps requesting Accessibility Services or permissions that do not match their function (e.g., a PDF reader requesting SMS permissions).
- Keep Software Updated: Regularly updating the Android operating system and security patches helps mitigate known vulnerabilities that malware might exploit to gain persistence.
- Antivirus Solutions: Install a reputable mobile security solution that can detect known variants of Craxs Rat.
- Check Accessibility Settings: Periodically review the Accessibility section in Android settings to ensure no unknown apps have been granted access.
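The indicators and permission checks listed above can be turned into a repeatable audit. The following Python triage script is an added example, not code from the page or from any vendor: it scores each installed package for the combination the text warns about (an enabled Accessibility Service, side-loading, SMS access, spying permissions, and a request to ignore battery optimisation) over constructed samples shaped like `adb shell` output. The package names, scoring weights and exact output formats are assumptions.

```python
"""Triage helper for the Craxs RAT indicators described above (added example,
not from the page or any vendor tool). Scores installed Android packages for the
RAT-like combination the text lists. All inputs below are constructed samples in
the shape of the quoted `adb shell` command output (an assumption)."""

PLAY_STORE = "com.android.vending"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
             "android.permission.SEND_SMS"}
SPY_PERMS = {"android.permission.RECORD_AUDIO", "android.permission.CAMERA",
             "android.permission.ACCESS_FINE_LOCATION"}
BATTERY_PERM = "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"
FLAG_THRESHOLD = 5  # accessibility alone (3 points) never flags a legitimate app

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`:
# colon-separated component names (package/service class).
ENABLED_A11Y = ("com.android.talkback/.TalkBackService:"
                "com.example.pdfreader/com.example.pdfreader.AccService")

# Constructed sample of `adb shell pm list packages -i` (installer=null means side-loaded).
PM_LIST_I = """package:com.android.talkback  installer=com.android.vending
package:com.example.pdfreader  installer=null
package:com.bank.mobile  installer=com.android.vending"""

# Constructed sample of the "requested permissions:" block from `adb shell dumpsys package <pkg>`.
REQUESTED = {
    "com.android.talkback": {"android.permission.RECORD_AUDIO"},
    "com.example.pdfreader": SMS_PERMS | SPY_PERMS | {BATTERY_PERM},  # PDF reader wanting SMS
    "com.bank.mobile": {"android.permission.CAMERA"},
}


def parse_a11y(setting):
    """Package names that currently have an accessibility service enabled."""
    return {comp.split("/", 1)[0] for comp in setting.strip().split(":") if comp}


def parse_installers(pm_output):
    """Map package name -> installer package name ('null' when side-loaded)."""
    installers = {}
    for line in pm_output.splitlines():
        pkg, _, inst = line.strip()[len("package:"):].partition("installer=")
        installers[pkg.strip()] = inst.strip()
    return installers


def score_package(pkg, a11y_pkgs, installers, perms):
    """Return (weighted score, human-readable reasons) for one package."""
    installer = installers.get(pkg, "null")
    checks = [
        (pkg in a11y_pkgs, 3, "accessibility service enabled"),
        (installer != PLAY_STORE, 2, "side-loaded (installer=%s)" % installer),
        (bool(perms & SMS_PERMS), 2, "SMS access (OTP interception risk)"),
        (SPY_PERMS <= perms, 1, "microphone + camera + location"),
        (BATTERY_PERM in perms, 1, "asks to ignore battery optimisation"),
    ]
    score = sum(points for hit, points, _ in checks if hit)
    reasons = [why for hit, _, why in checks if hit]
    return score, reasons


def triage(a11y_setting, pm_output, requested):
    """Return {package: (score, reasons)} for packages at or above FLAG_THRESHOLD."""
    a11y_pkgs = parse_a11y(a11y_setting)
    installers = parse_installers(pm_output)
    flagged = {}
    for pkg in installers:
        score, reasons = score_package(pkg, a11y_pkgs, installers, requested.get(pkg, set()))
        if score >= FLAG_THRESHOLD:
            flagged[pkg] = (score, reasons)
    return flagged


if __name__ == "__main__":
    for pkg, (score, reasons) in triage(ENABLED_A11Y, PM_LIST_I, REQUESTED).items():
        print("%s: score %d: %s" % (pkg, score, "; ".join(reasons)))
```

On a real device the three inputs are captured with the quoted `adb shell` commands and fed in unchanged; a flagged package is a candidate for review, not a verdict.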
Conclusion
Craxs Rat exemplifies the increasing sophistication of mobile malware. By combining extensive surveillance capabilities with user-friendly administrative panels for attackers, it lowers the barrier to entry for cybercrime. As users rely more heavily on mobile devices for banking and personal communication, the threat posed by Trojans like Craxs underscores the vital importance of cybersecurity awareness and cautious digital behavior.
Craxs RAT (Remote Access Trojan) is a sophisticated and dangerous piece of malware specifically designed to target Android devices. It belongs to a class of surveillance tools that allow hackers to gain nearly complete control over a victim's smartphone remotely.
Key Capabilities
Once a device is infected, Craxs RAT provides the attacker with extensive permissions, including:
Real-Time Remote Access: Controlling the device screen and manipulating apps in real time.
Data Harvesting: Stealing sensitive information such as banking credentials, personal contacts, and SMS messages.
Surveillance: Secretly recording audio through the microphone, taking photos with the camera, and tracking geo-location.
Persistence: Implementing "stealth" mechanisms that allow the malware to survive device reboots and updates.
Newer variants use advanced techniques to bypass authentication and escape detection by traditional security software.
How It Spreads
Attackers typically use phishing campaigns to trick users into downloading the malware. This often involves:
Fake Apps: Disguising the RAT as legitimate software (e.g., WhatsApp, YouTube, or Google Photos) on third-party websites.
Deceptive Emails: Sending links or attachments that automatically download the malicious APK.
How to Protect Yourself
Security researchers recommend several steps to stay secure:
Avoid Third-Party Apps: Only download applications from official sources like the Google Play Store.
Enable Google Play Protect: Ensure this built-in Android security feature is active to scan for known malware.
Check Permissions: Be wary of apps asking for excessive permissions, such as access to "Accessibility Services" or "SMS," which are often exploited by RATs.
Use Lockdown Mode: On Samsung or other modern Android devices, Lockdown Mode can help secure your phone against unauthorized access if it is physically compromised.
Craxs RAT (Remote Access Trojan) is a sophisticated malware tool primarily targeting Android devices to give attackers complete remote control and surveillance capabilities. Originally developed by a threat actor known as EVLF, it has evolved into a widely available "malware-as-a-service" sold on underground forums and Telegram channels.
Key Features and Capabilities
Craxs RAT is noted for its extensive list of invasive features that allow it to bypass traditional security measures:
Real-Time Remote Control: Attackers can manipulate nearly every function on the device, including screen control and performing gestures.
Data Harvesting: It can steal banking credentials, personal contacts, SMS messages (including one-time passwords), and call logs.
Surveillance: The tool provides unauthorized access to the device's microphone and camera, allowing for live audio and video recording.
Stealth and Persistence: It uses anti-debugging tricks and "black-screen" techniques to hide malicious activity and survive device reboots.
App Injection: Recent variants can inject malicious code into legitimate applications (e.g., banking or cryptocurrency apps) to deceive users.
Distribution and Infection Methods
The malware is typically spread through social engineering rather than automatic exploits:
Phishing Campaigns: Victims are often tricked via deceptive emails or pop-up ads into downloading fake apps that impersonate legitimate brands like online shops, food services, or utility tools.
Malicious APKs: It is frequently distributed as "cracked" or "modded" versions of popular games and apps through unofficial third-party websites.
Fake Security Offers: Some campaigns lure users by promising "free tracking" or "anti-scam" services that are actually the RAT itself.
Protective Measures
To defend against Craxs RAT and similar mobile threats, security experts recommend these best practices:
Official Sources Only: Download applications exclusively from the Google Play Store or the official Apple App Store, which have vetting procedures to filter out malware.
Audit Permissions: Be highly skeptical of apps requesting excessive permissions, particularly Accessibility Services, which the RAT uses to gain control.
Use Mobile Security: Maintain updated antivirus software on your device and ensure "Play Protect" is enabled to detect known signatures of the RAT.
Verify Communications: Treat unsolicited links or files in emails and messaging apps with high suspicion.
Fake apps built using Craxs Rat often require access to SMS, call logs, contacts, cameras, microphones, geo-location, and more.
The Legal Reality: Buying Craxs RAT is a Felony
It is critical to understand that possession, distribution, or use of Craxs RAT is illegal worldwide. Under the Computer Fraud and Abuse Act (CFAA) in the US, the Cybercrime Prevention Act in the Philippines, and similar laws in the EU, using a RAT without explicit written consent from the device owner constitutes unauthorized access.
Penalties range from 5 to 20 years in federal prison. Law enforcement agencies (FBI, Interpol, Europol) actively monitor the Telegram groups where Craxs RAT is sold. In December 2024, coordinated raids in Indonesia and Malaysia arrested several resellers of Craxs RAT, leading to sentences of 8 years.
Key Features of Craxs RAT (Why It Is So Dangerous)
What sets Craxs RAT apart from simpler malware like SpyNote or AhMyth is its sheer volume of invasive capabilities. Once installed, the RAT grants the attacker near-total control of the victim's device.
Outline for a Paper on Craxs RAT
Title:
Analysis of Craxs RAT: Delivery Mechanisms, Capabilities, and Mitigation Strategies
1. Introduction
- Background on Remote Access Trojans (RATs)
- Emergence of Craxs RAT (first observed ~2021, active in Middle East and Asia)
- Purpose: dissect its propagation, features, and defensive measures
2. Related Work
- Comparison with other Android RATs (SpyNote, AhMyth, Cerberus)
- Evolution of RAT-as-a-service models
3. Methodology
- Sample acquisition (from public repositories like VirusTotal, MalwareBazaar – note: handle ethically)
- Static analysis (decompilation with jadx, examining permissions, hardcoded strings)
- Dynamic analysis (sandbox execution, network traffic logging)
4. Delivery and Persistence
- Common vectors: disguised as legitimate apps (e.g., “System Update,” “Chat App”), sideloading via phishing links
- Persistence: uses Android Accessibility Services to prevent uninstallation, auto-launch on boot
5. Key Capabilities
- Remote Access – screen streaming, input injection
- Data Theft – contacts, SMS, call logs, files, clipboard, 2FA codes
- Surveillance – camera and microphone capture, location tracking
- Anti-detection – obfuscation, dynamic payload loading, anti-emulator checks
- Command & Control (C2) – encrypted communication (e.g., WebSockets, Firebase), dynamic DNS
6. Case Study / Real-World Campaign
- Example: CraxsRAT distributed via fake Telegram updates targeting specific regions (cite Trend Micro, Check Point reports)
7. Detection & Mitigation
- Signature-based (YARA rules)
- Behavioral (monitoring Accessibility Service abuse, excessive permissions)
- Network indicators (C2 domain patterns)
- User mitigations: disable sideloading, avoid granting accessibility to unknown apps
8. Conclusion
- Summary of threat level (high, due to ease of customization and evasion)
- Need for improved mobile threat defense and user awareness
9. References
- Threat reports: Cyble, Zimperium, ThreatFabric
- Academic papers on Android RAT analysis (search Google Scholar)
8. Location Tracking and Microphone Access
Real-time GPS tracking and the ability to record ambient audio via the device’s microphone, turning the phone into a covert listening device.