🇮🇩 ID

SURXRAT

Also known as: SURXRAT

SURXRAT is an actively developed Android remote access trojan (RAT) commercially distributed as a malware-as-a-service (MaaS) offering through a Telegram-based ecosystem under the “SURXRAT V5” branding. It is sold using reseller and partner licensing tiers that enable affiliates to generate and distribute customized builds, while the operator retains centralized infrastructure and operational control. Reporting cited in the content indicates the Telegram channel used to market SURXRAT was created in late 2024, with active development likely beginning in early 2025, and more than 180 related samples identified.

SURXRAT provides broad surveillance, data theft, and real-time remote command execution capabilities against Android devices. It prompts victims to grant high-risk permissions including location, contacts, SMS, and storage access, and abuses Android Accessibility Services to increase persistence and attacker control. It communicates with a Firebase Realtime Database command-and-control backend and registers infected devices using a random UUID. Reported collection capabilities include contacts, SMS messages, call logs, device brand and model, Android OS version, battery status, SIM details, network information, public IP address, browser activity and history, notifications, clipboard contents, Wi-Fi history, and cellular tower intelligence. Supported remote actions include taking photos, recording audio, sending SMS, making calls, opening URLs, changing wallpapers, controlling flashlight and vibration, displaying overlays and toasts, deleting and uploading files, unlocking and locking the device, and wiping storage.

SURXRAT also includes a ransomware-style screen locker that can deny device access and demand payment; the attacker can remotely customize the lock message and unlock PIN, and incorrect PIN attempts are reported back to the backend.
The malware uses persistence and control mechanisms including BOOT_COMPLETED broadcast receiver persistence, foreground services, notification access, and exfiltration over command-and-control. It also contains a mechanism intended to manipulate network lag. A notable behavior described in the content is conditional downloading of a very large LLM module hosted on Hugging Face, larger than 23GB, triggered when specific gaming apps are active or when package names are supplied by the attacker-controlled backend. Code references and functional overlap in the reporting suggest SURXRAT evolved from the ArsinkRAT malware family. A Firebase database reference labeled “arsinkRAT” is specifically noted. ArsinkRAT is the only directly mentioned related family or precursor in the content.
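As an added illustration of the defender-side triage this profile suggests (not code from Mallory or from the cited reporting): a Python heuristic that parses an AndroidManifest.xml and scores the permission and component pattern described above (SMS, contacts, location, a BOOT_COMPLETED receiver, an accessibility service, a notification listener). The sample manifest, its package name and the score threshold are constructed assumptions, not values from any SURXRAT sample.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Permissions the profile says SURXRAT prompts the victim to grant.
RISKY_PERMISSIONS = {
    "android.permission.READ_CONTACTS", "android.permission.READ_SMS",
    "android.permission.SEND_SMS", "android.permission.READ_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
NOTIFICATION_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
BOOT_COMPLETED = "android.intent.action.BOOT_COMPLETED"
THRESHOLD = 4  # constructed cut-off for flagging a build as suspicious

def triage_manifest(xml_text: str) -> dict:
    # Return the matched indicators and a coarse verdict for one manifest.
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    findings = sorted(perms & RISKY_PERMISSIONS)
    # Services bound with these permissions are the accessibility-service and
    # notification-listener abuses the profile calls out.
    for svc in root.iter("service"):
        bind = svc.get(ANDROID + "permission")
        if bind == ACCESSIBILITY:
            findings.append("accessibility-service")
        elif bind == NOTIFICATION_LISTENER:
            findings.append("notification-listener")
    # A receiver listening for BOOT_COMPLETED is the persistence hook.
    for rcv in root.iter("receiver"):
        if any(a.get(ANDROID + "name") == BOOT_COMPLETED for a in rcv.iter("action")):
            findings.append("boot-receiver")
    verdict = "suspicious" if len(findings) >= THRESHOLD else "benign-looking"
    return {"score": len(findings), "findings": findings, "verdict": verdict}

# Constructed sample manifest; the package name is hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.constructed">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".Boot"><intent-filter>
      <action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter></receiver>
  </application></manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

Run it against manifests pulled from an APK with a decoder such as apktool or androguard; a high score is a prompt for dynamic analysis, not proof of infection, since legitimate accessibility or backup apps can match several indicators.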


OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they're from

Attributed origin per open-source reporting.

  • ID