is a powerful Remote Access Trojan (RAT) designed for Android devices, developed and sold by a threat actor known as EVLF DEV (or simply EVLF).
EVLF DEV is a cybercriminal developer traced by cybersecurity researchers to Syria.
In August 2023, the cybersecurity company Cyfirma released a detailed report claiming to have uncovered the true identity of the developer responsible for the CypherRAT and CraxsRAT Remote Access Trojans (RATs). Operating under the online handle "EVLF DEV" out of Syria for over eight years, the individual was identified as a man who had been running a Malware-as-a-Service (MaaS) operation. By following a trail of cryptocurrency transactions, Cyfirma was able to not only identify the developer's real name but also gather a range of personal information, including his usernames, IP addresses, and email address.
The "Evlf" variant is particularly notorious for its integration with automated exploitation kits. It functions as a Remote Access Trojan (RAT), allowing an attacker to take complete control of a victim's smartphone. Unlike basic malware that might only steal contact lists, Cypher Rat Evlf is designed for total surveillance and financial theft. It can intercept SMS messages, which is a critical feature for bypassing two-factor authentication (2FA) that relies on codes sent by banks.
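A defender-side illustration of the access this page describes, as an added example that is not from the original page or from any vendor report: it audits a decoded AndroidManifest.xml (text form, as a tool such as apktool produces) for the permissions that gate SMS, call-log, contact and storage data. The sample manifests, package names and the triage threshold are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Data categories a surveillance RAT targets, mapped to the Android permissions gating them.
CATEGORIES = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call_log": {"android.permission.READ_CALL_LOG"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "storage": {"android.permission.READ_EXTERNAL_STORAGE",
                "android.permission.WRITE_EXTERNAL_STORAGE",
                "android.permission.MANAGE_EXTERNAL_STORAGE"},
}

def requested_permissions(root):
    """Collect permission names from both <uses-permission> element variants."""
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                perms.add(name.strip())
    return perms

def audit(manifest_xml):
    """Return matched categories and whether the app needs manual review."""
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(root)
    hits = {c: sorted(perms & p) for c, p in CATEGORIES.items() if perms & p}
    # Assumed triage rule (not from the page): SMS access plus two or more
    # other categories. Legitimate messaging apps can match, so this only
    # queues the app for review; it is not a verdict.
    return {"package": root.get("package"), "categories": hits,
            "needs_review": "sms" in hits and len(hits) >= 3}

def _manifest(package, perms):
    """Build a constructed sample manifest for the demo below."""
    body = "".join(f'<uses-permission android:name="android.permission.{p}"/>' for p in perms)
    return (f'<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{package}">{body}<application/></manifest>')

# Constructed samples: an over-privileged "flashlight" app and a contacts backup tool.
SUSPECT = _manifest("com.example.flashlight", ["INTERNET", "RECEIVE_SMS", "READ_SMS",
                    "READ_CALL_LOG", "READ_CONTACTS", "WRITE_EXTERNAL_STORAGE"])
BENIGN = _manifest("com.example.backup", ["READ_CONTACTS", "WRITE_EXTERNAL_STORAGE"])

if __name__ == "__main__":
    for sample in (SUSPECT, BENIGN):
        print(audit(sample))
```

Permissions alone do not identify a malware family; a match here is a reason to check the app's stated purpose, signer and install source.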
The software possesses deep read-and-write permissions for the local operating system. Cybercriminals use it to systematically download call histories, contact lists, stored SMS messages, and files on internal or external storage (such as private photos and documents).
4. Stealth Deployment & Obfuscation
Often confused or closely linked with its sibling, CraxsRAT (another EVLF creation), Cypher RAT represents a sophisticated Android surveillance tool designed to gain near-total control over targeted devices. This article explores the origins of Cypher RAT, its advanced capabilities, the threat actor behind it, and how to defend against it.
What is Cypher RAT (EVLF)?
EVLF DEV offered CypherRAT as a commercial product with various subscription tiers:
"unfortunately this is the end , due to life circumstances i will stop developing and posting" "for my customers don't worry , i will not let you and go , i will release couple of patch's for you before i go."
In August 2023, threat intelligence teams tracked EVLF's financial transactions to a cryptocurrency wallet, forcing the platform provider to freeze the assets. While attempting to resolve the freeze on public crypto forums, EVLF accidentally leaked personal operational data, including a real name, active IP addresses, and linked email accounts. Shortly after this public exposure, EVLF announced a retirement from the project.
Technical Architecture & Core Features of CypherRAT