EVLF
EVLF is an online threat actor alias, also identified as @craxso, linked in the provided reporting to Android malware development and commercialization. The content associates EVLF with BTMOB, an Android remote access trojan active since at least February 2025 and assessed as an evolution of the CraxsRAT, CypherRAT, and SpySolr families. Kaspersky assessed those malware families as linked to a Syrian threat actor using the alias EVLF. EVLF was reported to advertise BTMOB as a malware-as-a-service offering, including subscription access priced at $700 per month, a lifetime license for $1,200, and complete server source code for $7,000. BTMOB is described as spreading via social engineering through fake websites and counterfeit Google Play pages, requesting accessibility-service permissions, and enabling credential theft, remote control, screenshot capture, keystroke logging, device unlocking, HTML-injection-based theft, and capture of Alipay PINs in later versions. The content also notes leaked BTMOB tooling and source code circulating online, including payload source, builder, operator panel, C2 backend, and deployment dependencies, lowering the barrier to entry for other cybercriminals. Known aliases in the provided content are EVLF and @craxso.
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Banks
- Financial Services
Where they target
Geographies tied to known operations.
- 🇧🇷 Brazil
Tradecraft
7 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
Associated malware families
5 malware families attributed to this actor across reporting.
Recent activity
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Advertises and sells the BTMOB Android RAT under a malware-as-a-service model, including subscriptions, lifetime licenses, and full server source code.
Syrian-linked threat actor associated (via tooling lineage) with Android RAT families (CraxsRAT/CypherRAT/SpySolr) and the BTMOB RAT evolution used for persistent remote control and surveillance of Android devices; indirectly relevant here because BeatBanker campaigns have been observed dropping BTMOB as a payload.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.