Syrian Hacker EVLF Linked to CypherRAT and CraxsRAT Android Trojans
A Syrian cybercriminal known as EVLF has been identified as the developer behind the CypherRAT and CraxsRAT malware families, which target Android users. According to a recent report by Cyfirma, both are trojans that grant remote access to a victim’s mobile device.
“Among other things, these malicious programs allow attackers to control the smartphone’s camera, track the user’s location, and eavesdrop using the microphone,” experts explain.
Malware-as-a-Service Model
The creator of CypherRAT and CraxsRAT offers these trojans to other cybercriminals through a malware-as-a-service (MaaS) model. Researchers estimate that around one hundred criminals have purchased a lifetime license to use these trojans over the past three years.
EVLF, identified as the mastermind behind these trojans, operates an online store where both pieces of malware have been available for purchase since September 2022.
Features and Customization
CraxsRAT, for example, is designed so that operators can control infected mobile devices from a Windows computer. The author continually updates the trojan based on customer feedback. A special builder tool allows buyers to customize and obfuscate the payload, choose the app icon, name, and functionality, and even specify which permissions the malware will request from the operating system.
Cyfirma specialists have named CraxsRAT one of the most dangerous remote access trojans. It includes a “Super Mod” feature that makes it extremely difficult to remove the malicious software from a device.
EVLF’s Online Presence and Recent Activity
EVLF is also known for running the Telegram channel “EvLF Devz,” which was created on February 17, 2022. At the time of writing, the channel had 10,678 subscribers. Today, however, EVLF posted a message announcing the end of their activities.