CraxsRAT
CraxsRAT is an Android remote access trojan (RAT) used for device compromise, surveillance, credential theft, and financial fraud. The sources summarized here describe it as a highly sophisticated Android RAT associated with bypassing 2FA and hijacking mobile banking sessions, and as part of an Android malware ecosystem that later evolved into BTMOB. Multiple sources assess BTMOB as a successor to, or evolution of, the CraxsRAT, CypherRAT, and SpySolr families.
Observed delivery includes fake app updates and social engineering. Google Threat Intelligence reporting cited here states that UNC5114 delivered a variant of CraxsRAT by masquerading it as an update for Kropyva, a combat control system used in Ukraine. Other references note CraxsRAT being distributed via fake updates, with malware bundles combining CraxsRAT and NFCGate emerging by February 2025. The sources also state that EagleSpy V6.0 appears to be a rebranded version of CraxsRAT and that this rebranded malware was sold via Odysee and Telegram.
Capabilities attributed to the family include remote administration and banking-focused abuse. The EagleSpy/CraxsRAT-linked analysis describes banking phishing overlays, theft of cryptocurrency wallet credentials, exfiltration through Telegram bots, remote shell execution, keylogging, camera and microphone access, GPS tracking, ransomware components, DEX packers for antivirus evasion, and hidden update/backdoor mechanisms. CraxsRAT is also referenced in the context of bypassing 2FA and hijacking banking sessions. Separately, the sources note estimated large-scale infections in Russia in which compromised devices had both NFCGate and CraxsRAT installed.
The malware is linked to actors and ecosystems associated with Android MaaS/RAT activity. Kaspersky/ESET reporting summarized here ties the broader CraxsRAT lineage to the Syrian threat actor alias EVLF/@craxso through its evolution into BTMOB. In state-linked operations, delivery of CraxsRAT is specifically associated with UNC5114 targeting Ukrainian military users through a fake Kropyva update.
High-confidence targeting reflected in the sources includes Android users in banking fraud scenarios, victims of fake updates, and Ukrainian military or defense-related users approached through Kropyva-themed lures. Related indicators and contextual artifacts include the Odysee channel https://odysee.com/@justicerat:e and the Telegram account @JustIcedevs used to market EagleSpy V6.0, which was assessed as a rebrand of CraxsRAT.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
"BTMOB is assessed to be an evolution of CraxsRAT, CypherRAT, and SpySolr families..."
"UNC5114 ... delivered a variant of ... Android malware called CraxsRAT by masquerading it as an update for Kropyva..."
Techniques & procedures
12 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution: 1 technique
Stealth: 3 techniques
Credential Access: 3 techniques
Collection: 4 techniques
Command and Control: 1 technique
Exfiltration: 1 technique
Recent activity
10 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Android RAT family referenced as a predecessor/successor lineage related to BTMOB.
Android remote access trojan described as the apparent underlying malware family behind EagleSpy V6.0, supporting credential theft, surveillance, remote control, exfiltration, and ransomware-related functionality.
Referenced as a related/precursor RAT family in the lineage leading to BTMOB RAT.
Referenced as an ancestral/related Android RAT family from which BTMOB is assessed to have evolved.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.