: Run reputable mobile security software to scan for known signatures.
: In late 2023, EVLF announced they were "hanging up the boots" on the project following public disclosure and the freezing of their cryptocurrency assets.

Core Features and Capabilities
The primary allure of Cypher RAT, like that of many modern malicious tools, lies in its accessibility. Historically, deploying a RAT required a degree of technical proficiency in coding, networking, and system architecture. However, tools released by developers like EVLF are often marketed with user-friendly interfaces (graphical dashboards) that lower the barrier to entry significantly. This "commodification" transforms cybercrime from a specialized skill set into a purchasable product. The "Cypher" moniker suggests a focus on encryption, implying that the malware prioritizes the obfuscation of command-and-control (C2) traffic. This is a critical feature for modern attackers, as it allows malicious data streams to blend in with legitimate HTTPS traffic, making detection by firewalls and intrusion detection systems considerably more difficult.
: Keep Android OS and security patches current.
: Can be hidden inside legitimate-looking APKs (games, utilities).
: Designed to evade Play Protect and battery optimizations.
If you’ve encountered Cypher RAT as a victim or in your organization, contact a cybersecurity incident response team or law enforcement immediately.
Cypher RAT (Remote Access Trojan) is a sophisticated Android-based malware developed by the Syrian threat actor known as EVLF DEV. Operating as a Malware-as-a-Service (MaaS) product, Cypher RAT and its successor, Craxs RAT, have been utilized by over 100 distinct threat actors globally to gain total remote control over mobile devices.

The Developer: EVLF DEV
: Intercepts 2FA codes and banking credentials via screen recording.
: Sold lifetime licenses for approximately $400, alongside subscription tiers starting at $100 per month.
: Live screen control and camera access (front and back).