SURXRAT
SURXRAT is an actively developed Android remote access trojan (RAT) sold as malware-as-a-service under the "SURXRAT V5" branding and distributed through a Telegram-based ecosystem. Public reporting assesses it as likely operated by an Indonesian threat actor and as likely evolved from the ArsinkRAT malware family, based on code overlap and an "arsinkRAT" database reference found in the samples. Researchers identified more than 180 related samples; the Telegram marketing channel was created in late 2024 and active development likely began in early 2025.
SURXRAT abuses Android Accessibility Services for persistent control and UI automation, and uses Firebase Realtime Database as its command-and-control channel, including the instance xrat-sisuriya-default-rtdb.firebaseio.com. Because the database is hosted on Google's infrastructure, its traffic blends with legitimate cloud use and IP-based blocking is impractical; hunting has to key on the hostname as seen in DNS queries or TLS SNI. Each infected device is registered under a random UUID, and a persistent background service keeps the implant running.
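SURXRAT's persistence rides on an enabled accessibility service, so the first check on a suspect handset is which accessibility services are enabled and who owns their packages. The following is an added example written for this page, not code from the SURXRAT reporting or from any vendor. It parses the output of adb shell settings get secure enabled_accessibility_services and adb shell pm list packages -3, captured beforehand and embedded here as constructed sample data with a fictitious package name, and flags every enabled service backed by a user-installed package that is not on a local allowlist; the allowlist itself is an assumption. Triaging over adb rather than through the on-device Settings app matters because a service holding accessibility rights can observe and act on that UI.

```python
"""Triage an Android device for accessibility-service abuse over adb.

Added example for this page; not code from the SURXRAT reporting or any
vendor.  Consumes the raw output of two `adb shell` commands, embedded
below as constructed sample data.  Allowlist and package names are assumed.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple

# Assumed allowlist: accessibility services your fleet legitimately runs.
APPROVED_ACCESSIBILITY_PACKAGES: Set[str] = {
    "com.google.android.marvin.talkback",  # TalkBack, bundled on most devices
}

# Constructed output of `settings get secure enabled_accessibility_services`.
# Colon-separated flattened ComponentNames; '/.CoreService' is the
# package-relative shorthand Android accepts.  The second package is fictitious.
SAMPLE_ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.sysupdate/.CoreService"
)

# Constructed output of `pm list packages -3` (third-party packages only).
SAMPLE_PM_LIST_3 = """\
package:com.example.sysupdate
package:com.whatsapp
"""


@dataclass(frozen=True)
class ServiceVerdict:
    package: str
    service: str       # fully qualified service class
    third_party: bool  # package is user-installed, per `pm list packages -3`
    approved: bool     # package is on the local allowlist

    @property
    def suspicious(self) -> bool:
        # A RAT abusing accessibility is a user-installed package nobody approved.
        return self.third_party and not self.approved


def parse_component(flat: str) -> Tuple[str, str]:
    """Split 'pkg/cls' and expand the '/.Cls' shorthand to 'pkg.Cls'."""
    pkg, _, cls = flat.partition("/")
    if cls.startswith("."):
        cls = pkg + cls
    return pkg, cls


def parse_enabled_services(setting_value: str) -> List[Tuple[str, str]]:
    """`settings get` prints 'null' when the setting has never been written."""
    value = setting_value.strip()
    if value in ("", "null"):
        return []
    return [parse_component(c) for c in value.split(":") if c]


def parse_third_party_packages(pm_output: str) -> Set[str]:
    pkgs: Set[str] = set()
    for line in pm_output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            pkgs.add(line[len("package:"):])
    return pkgs


def triage(enabled_services_value: str, pm_list_3_output: str) -> List[ServiceVerdict]:
    third_party = parse_third_party_packages(pm_list_3_output)
    return [
        ServiceVerdict(pkg, cls, pkg in third_party, pkg in APPROVED_ACCESSIBILITY_PACKAGES)
        for pkg, cls in parse_enabled_services(enabled_services_value)
    ]


def suspicious_services(enabled_services_value: str, pm_list_3_output: str) -> List[ServiceVerdict]:
    return [v for v in triage(enabled_services_value, pm_list_3_output) if v.suspicious]


if __name__ == "__main__":
    for v in triage(SAMPLE_ENABLED_SERVICES, SAMPLE_PM_LIST_3):
        print(f"{'SUSPICIOUS' if v.suspicious else 'ok':10} {v.package} ({v.service})")
```

A hit is a lead, not a verdict: confirm it by pulling the APK (adb shell pm path, then adb pull) and checking whether the package also holds device-admin or overlay permissions, which the locker component described below would need.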
Its capabilities include extensive surveillance, data theft, and remote device control. Reported collection includes contacts, SMS messages, call logs, Gmail account data, browser history, clipboard contents, location data, notifications, Wi-Fi history, cellular tower information, installed applications, files, device brand and model, Android version, battery status, SIM details, network information, and public IP address. Remote actions include recording audio, taking camera photos, sending SMS messages, placing phone calls, opening URLs, changing wallpapers, controlling the flashlight, vibrating the device, displaying toast or text-to-speech messages, unlocking devices, deleting files, uploading files, and wiping storage.
SURXRAT also includes a ransomware-style screen locker: a persistent full-screen lock message that enforces an attacker-defined PIN, reports incorrect PIN attempts to the backend in real time, and can be removed remotely by the operator. The reporting summarized here describes a lock screen rather than file encryption, so the extortion lever is denial of access. The malware has been described as targeting Android devices generally, and broader reporting places it among the threats actively targeting Brazil's PIX payment infrastructure.
A notable recent behavior is the conditional download of a very large LLM module, reported as larger than 23 GB, from Hugging Face or other third-party repositories. The download is triggered when specific gaming apps are active, including Free Fire MAX x JUJUTSU KAISEN and Free Fire x JUJUTSU KAISEN, or when target package names are supplied remotely by the operator. Some reporting states that these AI modules can automate malicious tasks, including generating realistic phishing content, tailoring social-engineering prompts, and autonomously driving on-device apps and user interfaces to steal credentials or other sensitive data. Other researchers assess that the LLM-related behavior may instead be intended for device or network lag manipulation, masking malicious activity behind degraded performance, evasion, groundwork for future AI-assisted functionality, or alternative monetization. The reporting does not reconcile these assessments; for defenders the concrete observable is the same either way, a multi-gigabyte transfer from huggingface.co to a phone that has no business pulling model weights.
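The two network observables described above, the Firebase Realtime Database C2 channel and the multi-gigabyte Hugging Face download, can both be hunted from proxy or DNS logs with a few hostname rules. The following is an added example written for this page, not tooling from the SURXRAT reporting or from any vendor. The C2 hostname is the one named in reporting; the log format, the Firebase project allowlist (corp-mobile-prod), the 1 GiB size threshold and the log lines themselves are constructed assumptions. It also generalizes beyond the single named instance by flagging any Firebase RTDB project not on the allowlist, since a rebranded build would simply use a different project ID.

```python
"""Hunt for SURXRAT network observables in proxy logs.

Added example for this page, not code from the SURXRAT reporting or a vendor.
Only the C2 hostname comes from public reporting; the log format, allowlist,
threshold and every log line below are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Firebase Realtime Database host named in reporting on SURXRAT.
KNOWN_C2_HOSTS = {"xrat-sisuriya-default-rtdb.firebaseio.com"}
# Firebase RTDB suffixes: legitimate Google endpoints, so match on hostname.
FIREBASE_RTDB_SUFFIXES = (".firebaseio.com", ".firebasedatabase.app")
# Assumed allowlist of Firebase project IDs your own mobile apps use.
APPROVED_FIREBASE_PROJECTS = {"corp-mobile-prod"}
# Assumed threshold: 1 GiB cumulative per (client, host) from Hugging Face,
# deliberately far below the reported >23 GB module.
LARGE_DOWNLOAD_BYTES = 1 * 1024 ** 3
HUGGINGFACE_DOMAIN = "huggingface.co"

# Constructed proxy log, one '<ts> <client_ip> <dest_host> <bytes_in>' per line.
SAMPLE_LOG = """\
2025-06-01T10:00:01Z 10.0.0.12 www.google.com 1200
2025-06-01T10:00:05Z 10.0.0.12 xrat-sisuriya-default-rtdb.firebaseio.com 512
2025-06-01T10:00:09Z 10.0.0.12 xrat-sisuriya-default-rtdb.firebaseio.com 640
2025-06-01T10:01:00Z 10.0.0.15 corp-mobile-prod-default-rtdb.firebaseio.com 2048
2025-06-01T10:02:00Z 10.0.0.31 some-other-app-default-rtdb.firebaseio.com 300
2025-06-01T10:05:00Z 10.0.0.12 cdn-lfs.huggingface.co 734003200
2025-06-01T10:06:00Z 10.0.0.12 cdn-lfs.huggingface.co 734003200
2025-06-01T10:07:00Z 10.0.0.22 huggingface.co 4096
this line is malformed and is skipped
"""


@dataclass(frozen=True)
class Finding:
    src: str
    host: str
    rule: str
    detail: str


def firebase_project(host: str) -> Optional[str]:
    """Project ID for <project>[-default-rtdb].firebaseio.com or
    <project>-default-rtdb.<region>.firebasedatabase.app, else None."""
    h = host.lower().rstrip(".")
    if not h.endswith(FIREBASE_RTDB_SUFFIXES):
        return None
    label = h.split(".", 1)[0]
    return label[:-len("-default-rtdb")] if label.endswith("-default-rtdb") else label


def parse_line(line: str) -> Optional[Tuple[str, str, str, int]]:
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return parts[0], parts[1], parts[2].lower(), int(parts[3])
    except ValueError:
        return None


def hunt(lines: Iterable[str]) -> List[Finding]:
    findings: List[Finding] = []
    seen: Set[Tuple[str, str, str]] = set()
    hf_bytes: Dict[Tuple[str, str], int] = defaultdict(int)

    def report(src: str, host: str, rule: str, detail: str) -> None:
        # One finding per (client, host, rule); repeats only add noise.
        if (src, host, rule) not in seen:
            seen.add((src, host, rule))
            findings.append(Finding(src, host, rule, detail))

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, host, size = rec
        if host in KNOWN_C2_HOSTS:
            report(src, host, "known_c2", f"first seen {ts}")
            continue
        project = firebase_project(host)
        if project is not None and project not in APPROVED_FIREBASE_PROJECTS:
            report(src, host, "unapproved_firebase_rtdb", f"project {project!r} not allowlisted")
        if host == HUGGINGFACE_DOMAIN or host.endswith("." + HUGGINGFACE_DOMAIN):
            hf_bytes[(src, host)] += size
            if hf_bytes[(src, host)] >= LARGE_DOWNLOAD_BYTES:
                report(src, host, "large_model_download", f"{hf_bytes[(src, host)]} bytes cumulative")
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG.splitlines()):
        print(f"{f.rule:26} {f.src:12} {f.host}  {f.detail}")
```

Run as a script it prints the findings for the embedded log. In a SIEM the same three rules map to an exact-match indicator list, a suffix match with an allowlist exception, and a per-client byte-sum aggregation; the allowlist exception is what keeps the Firebase rule from paging on your own apps.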
Techniques & procedures
8 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution: 2 techniques
Credential Access: 2 techniques
Collection: 1 technique
IOCs tracked for this family
2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
5 sources tracked across advisories, community write-ups, and news.
An Android RAT mentioned as active in Brazil and described as LLM-equipped and associated with ransomware activity targeting PIX payment infrastructure.
Android RAT sold via a Telegram MaaS ecosystem; abuses accessibility for persistent device control and uses Firebase-based C2; some samples include an on-demand LLM module and a ransomware-style screen locker for device lockout/extortion.
Android remote-access trojan that can fetch and execute LLM modules to automate malicious activity, including generating realistic phishing content, tailoring social-engineering prompts, autonomously interacting with on-device apps/UI, and exfiltrating credentials or sensitive data; emphasizes increased automation, evasion, and persistence.
Android remote access trojan sold via a Telegram MaaS ecosystem. Provides extensive surveillance (SMS, contacts, call logs, location, notifications, clipboard, browser history, files), remote device control (calls, SMS sending, camera, audio recording, URL opening, wallpaper changes, vibration/flashlight, unlock/lock, wipe), and uses Firebase Realtime Database for C2. The latest variants conditionally download a very large LLM module (larger than 23 GB) from Hugging Face, apparently to induce lag and performance degradation (notably during specific games) and potentially to enable future AI-assisted capabilities. Includes a ransomware-style screen locker for extortion and denial of access.