Craxs Rat High Quality
The malware can inject fake login screens (overlays) on top of legitimate apps like Gmail, WhatsApp, banking apps, or even crypto exchanges. When the victim enters their credentials, they are sent directly to the attacker.
[SpyMax RAT (Basic Spyware)] ---> [Craxs RAT v6/v7 (Accessibility Abuse)] ---> [G700 Generation (Silent Smali Code Injection)]

The Shift to the G700 Generation
Craxs Rat, the master tool behind fake app scams ... - Group-IB
Once installed, the malware uses Accessibility Services to grant itself extensive permissions automatically. It also employs anti-deletion mechanisms, such as closing the "Uninstall" or "Device Admin" screens if a user tries to access them.
Craxs RAT is a commercialized malware-as-a-service (MaaS) tool sold on dark web forums and underground Telegram channels. It provides cybercriminals with a graphical user interface (GUI) builder to generate weaponized Android Application Packages (APKs). Once installed on a target device, it establishes a reverse shell connection back to the attacker’s command-and-control (C2) server.
Treat unsolicited links or files in emails and messaging apps with high suspicion.
In 2020, the source code for Spymax RAT (a variant of the older SpyNote malware) leaked online. EVLF used this leaked code as a foundation, completely rebuilding and optimizing it to evade modern mobile security.

Commercialization via Telegram
Developed by a prominent threat actor known as "EVLF DEV," this malware evolved directly from the leaked source code of the notorious SpyNote and Spymax RAT families. Sold widely across dark web channels and Telegram groups, Craxs RAT gives cybercriminals unprecedented, real-time administrative access to infected smartphones, leading to extensive data leaks, identity theft, and severe financial losses.
Originally developed by a threat actor known as "EVLF" from the foundation of the leaked Spymax RAT source code, Craxs RAT has evolved into a commercialized malware-as-a-service (MaaS) tool. It is widely distributed across hacker forums and Telegram channels. This remote administration tool bypasses traditional mobile defenses to grant attackers complete operational control over a victim’s smartphone, leading to extensive financial fraud and data exfiltration campaigns globally.