Since then, Craxs RAT has seen continuous development. Versions have evolved from v5.x through v7.x, with reports of variants like G700 and rebrands like EagleSpy appearing by late 2024 and into 2025-2026, proving its enduring and evolving threat. At one point, the malware was brazenly advertised for a on surface web marketplaces like Product Hunt, claiming support for Android 15 and iOS 18.
The "Super Mod" feature is particularly insidious: whenever the victim attempts to uninstall the application, the feature deliberately crashes the uninstallation page, effectively blocking removal.
Disguising the RAT as legitimate software (e.g., WhatsApp, YouTube, or Google Photos) on third-party websites. Deceptive Emails: craxs rat
The story of Craxs RAT begins in 2020 with the leak of the source code for (also known as SpyNote). A Syrian-based developer operating under the online alias "EVLF DEV" seized this opportunity. EVLF took the leaked code and began extensive modifications, eventually creating Craxs RAT and selling it as a premium product. The threat actor behind CraxsRAT is believed to have generated more than $75,000 from distributing this malware as a service. EVLF actively maintained a Telegram channel created in February 2022 for marketing and support, which grew to over 10,000 users. According to EVLF's own announcements in August 2023, the developer announced a pause on the project due to "life pressures," but by that time, the damage was already done and the code had been widely disseminated.
Can disable Google Play Protect and intercept One-Time Passwords (OTPs), effectively bypassing Two-Factor Authentication (2FA) for bank accounts or crypto wallets. How It Operates Since then, Craxs RAT has seen continuous development
Craxs Rat, the master tool behind fake app scams ... - Group-IB
Capture live screens, manipulate gestures, and execute remote commands in real-time. The "Super Mod" feature is particularly insidious: whenever
Developed initially by a threat actor known as (reportedly operating out of Syria), Craxs RAT evolved from leaked source code of previous mobile trojans like Spymax and SpyNote. Over the years, it has become the weapon of choice for cybercriminals globally due to its advanced evasion techniques, custom construction kit (Builder), and profound abuse of Android's system permissions. The Genesis and Evolution of Craxs RAT
Craxs RAT is often marketed on underground hacking forums as a “commercial” malware product. Its features typically include:
Craxs RAT is typically spread through: