Threat Profile

  • Malware Type: RAT / Backdoor / Spyware
  • Platform: Android (Primarily)
  • Origin: Evolved from leaked Spymax RAT (SpyNote) source code
  • Threat Actor: EVLF (Believed Syria-based group)


Executive Summary: The Rise of the Hyper-Evasive RAT

The threat landscape of Android malware is becoming increasingly sophisticated, moving beyond simple adware to deploy full-spectrum Remote Access Trojans (RATs). CraxsRAT, also widely known as G700 RAT, exemplifies this evolution.

CraxsRAT is a highly versatile and deeply intrusive backdoor designed to grant threat actors complete, granular control over an infected Android device. It is not a static piece of malware; rather, it is a constantly refined weapon.

The roots of this threat trace back to the Spymax RAT (SpyNote), a potent tool whose source code was leaked in 2020. EVLF, the likely developer group, leveraged this foundational code to build CraxsRAT, dramatically enhancing its features, stealth capabilities, and geographical targeting. The most recent variants, such as v7.5 released in April 2024, demonstrate a commitment to continuous improvement, making detection significantly harder.

Geographic Targeting and Infection Vectors

While CraxsRAT has a global reach, recent analysis highlights a significant, highly focused campaign targeting Southeast Asia, particularly Singapore. This localized attack demonstrates the threat actor’s capability for tailored, high-impact operations.

The Singapore Campaign Focus

Beginning around April 2023, CraxsRAT leveraged local context to maximize its success rate. Attackers did not simply distribute generic malware; they impersonated brands and services highly relevant to the local user base.

  • Impersonated Brands: Fake shopping platforms and e-commerce sites.
  • Service Impersonation: Anti-scam centers and local food delivery applications (e.g., Grab & Go).
  • Local Retailers: Targeting specific establishments like 1st Mall and SG-Furniture.

Distribution Methods

The delivery mechanism is multifaceted, ensuring wide reach across various user demographics:

  • Phishing Links: Embedded in seemingly legitimate emails or SMS messages (Smishing).
  • Malicious APKs: Distributed directly as “updates” or “downloads” that users sideload onto their devices.
  • Fake Advertisements: Utilizing social media platforms, especially Telegram, where users are drawn in by attractive, fraudulent offers.

Technical Analysis: What CraxsRAT Can Do

The true danger of CraxsRAT lies in its comprehensive feature set. It operates as a powerful C2 (Command & Control) agent, allowing the operator to treat the victim’s Android device as a remote terminal.

Core Device Control Capabilities

The malware grants the threat actor:

  • Complete Remote Access: Full backdoor control over the operating system.
  • File System Manipulation: Browsing, downloading, and uploading sensitive documents, photos, and backups.
  • Screen Recording: Capturing real-time video of the user’s entire device activity.
  • Real-Time Monitoring: Tracking GPS location and continuous activity logging.

Exploited Permissions & Intrusions

To achieve this level of control, CraxsRAT aggressively exploits key Android permissions:

  • SMS & Calls: Reading incoming/outgoing texts and logging/recording phone calls.
  • Contacts: Harvesting the victim’s entire address book for lateral movement and targeted attacks.
  • Camera/Mic: Activating the hardware remotely for surveillance (e.g., listening in on private conversations).
  • GPS: Continuous background location tracking.
  • Accessibility Services: Crucial for performing overlay attacks and simulating user interaction (essential for banking credential theft).
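The permission cluster listed above is what a reviewer looks for when triaging a sideloaded APK. The following is an added example, not code from the article or from any vendor tool: it parses a decoded AndroidManifest.xml, maps the requested permissions onto the capabilities described here, and detects the Accessibility service hook; the sample manifest (package name and service name) is constructed.

```python
# Manifest triage for the surveillance-permission cluster the article lists (SMS,
# calls, contacts, camera/mic, GPS, Accessibility). Added example, not code from
# the article or any vendor tool; the manifest below is constructed.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Capability -> real Android permission names that grant it.
CAPABILITY_PERMS = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "calls": {"android.permission.READ_CALL_LOG", "android.permission.READ_PHONE_STATE"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "camera": {"android.permission.CAMERA"},
    "mic": {"android.permission.RECORD_AUDIO"},
    "gps": {"android.permission.ACCESS_FINE_LOCATION"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

def triage_manifest(manifest_xml):
    """Sorted list of surveillance capabilities the manifest declares."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    caps = {cap for cap, perms in CAPABILITY_PERMS.items() if requested & perms}
    # Accessibility is not a <uses-permission>: the app declares a <service>
    # guarded by BIND_ACCESSIBILITY_SERVICE, the hook for overlays and fake taps.
    if any(s.get(ANDROID_NS + "permission") == ACCESSIBILITY_BIND
           for s in root.iter("service")):
        caps.add("accessibility")
    return sorted(caps)

def risk_verdict(caps):
    """Accessibility plus three or more spy capabilities is the RAT-like profile."""
    spy = [c for c in caps if c != "accessibility"]
    if "accessibility" in caps and len(spy) >= 3:
        return "high"
    return "medium" if len(spy) >= 3 else "low"

# Constructed manifest (placeholder package) of a "calculator" asking for the cluster.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.calc">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <service android:name=".A11y"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""
```

Run it on the manifest extracted from an APK with apktool; a utility app that scores "high" here matches the calculator-asking-for-SMS-and-Camera case described in the defensive measures below.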

Stealth and Infrastructure

CraxsRAT is engineered for evasion:

  • Obfuscation: Extensive use of Base64 encoding to hide the C2 server details and API calls, making static analysis challenging.
  • Multilingual Support: Includes support for English, Arabic, Turkish, and Simplified Chinese, indicating a highly diversified global targeting strategy.
  • C2 Infrastructure: Servers are typically hosted on Windows Server 2019, often configured with Chinese language settings, a subtle indicator that points back to the threat actor’s operational base.
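Because the C2 details are hidden behind Base64 rather than real encryption, a static-analysis pass can recover them by decoding every Base64-shaped token in a string dump and keeping only those that decode to host- or URL-like text. This is an added example, not code from the article or any vendor tool; the dump and the C2-style values in it are constructed placeholders.

```python
# Static-analysis helper for the Base64 obfuscation described above: pull Base64
# tokens out of a string dump (e.g. `strings` over classes.dex) and keep those that
# decode to a host, URL or host:port. Added example, not from the article or any
# vendor tool; the dump and the C2-style values are constructed placeholders.
import base64
import binascii
import re

B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
HOSTLIKE = re.compile(r"^(https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}(:\d{1,5})?(/\S*)?$")

def decode_candidates(dump):
    """Return (token, decoded) pairs whose decoded text looks like C2 addressing."""
    found = []
    for tok in B64_TOKEN.findall(dump):
        if len(tok) % 4:          # not a complete Base64 group
            continue
        try:
            raw = base64.b64decode(tok, validate=True)
            text = raw.decode("ascii")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
        # Ordinary Java identifiers also fit the Base64 alphabet; they decode to
        # non-ASCII or non-printable bytes and fall out here.
        if text.isprintable() and HOSTLIKE.match(text):
            found.append((tok, text))
    return found

# Constructed dump: two encoded placeholder C2 strings among real-looking
# identifiers that happen to match the Base64 alphabet.
PLACEHOLDER_C2 = ["c2-placeholder.invalid:7771",
                  "http://update-placeholder.invalid/api"]
SAMPLE_DUMP = "\n".join([
    "Lcom/app/MainActivity;",
    "getSystemService",
    base64.b64encode(PLACEHOLDER_C2[0].encode()).decode(),
    "onAccessibilityEvent",
    base64.b64encode(PLACEHOLDER_C2[1].encode()).decode(),
])
```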

Symptoms of Infection: How to Identify CraxsRAT

If you or your organization suspects an infection, look for these tell-tale signs:

  • Performance Degradation: Noticeable slowdown in app loading, lag, or general system sluggishness.
  • Battery Drain: Unexplained and rapid battery depletion, as the RAT runs constant background processes.
  • Unexpected Activity: Random pop-ups, or the appearance of new, unknown apps on the home screen.
  • Hardware Activation: The camera or microphone seems to activate spontaneously, even when the phone is idle.
  • High Data Usage: Excessive internet consumption in the background, indicating continuous data exfiltration to the C2 server.

Protection and Removal Strategies

Mitigation requires a layered approach, tailored to whether you are an individual user or an enterprise managing a fleet of devices.

For Individuals: Defensive Measures

  • Source Verification: Only download applications directly from the official Google Play Store. Be highly skeptical of APKs received via email or third-party sites (avoid sideloading unless necessary).
  • Permission Scrutiny: Before installing, review requested app permissions. If a simple calculator app asks for SMS and Camera access, be wary. Pay close attention to the “Accessibility Services” toggle.
  • Isolation Protocol: Whenever possible, use a separate, clean device for sensitive banking and financial transactions.
  • Security Hygiene: Enable Two-Factor Authentication (2FA) across all critical accounts and ensure transaction alerts are active.

For Organizations: Enterprise Defense

  • Deployment: Mandate the use of Mobile Threat Defense (MTD) solutions to proactively scan for known RAT signatures and behavioral anomalies.
  • Management: Implement Mobile Device Management (MDM) to enforce policies, restrict app installations, and monitor device health centrally.
  • Training: Conduct regular, targeted employee education focusing specifically on phishing attacks and the local brand impersonation tactics currently employed (e.g., fake Grab & Go ads).

Removal Instructions

If an infection is confirmed, follow these steps:

  1. Isolate: Disconnect the device from Wi-Fi and cellular data to prevent further data exfiltration.
  2. Safe Mode: Boot the device into Safe Mode to prevent the malicious app from running its full processes.
  3. Identification: Identify the malicious application, often via the Settings > Battery Usage menu.
  4. Removal: Uninstall the identified app. If the RAT persists, use an antivirus scanner.
  5. Last Resort: Perform a factory reset. This is the most definitive way to ensure removal, though data backup must be done carefully (ensure the backup itself is clean).

Conclusion: Vigilance is the Ultimate Defense

CraxsRAT, in its latest iterations like v7.5, is far more than just a piece of spyware; it is a highly sophisticated, adaptive surveillance platform capable of delivering catastrophic data theft and financial loss. Its strategic targeting of high-value regions like Southeast Asia demonstrates a mature, organized threat actor.

The threat is not static. As EVLF continues to evolve the codebase, users must remain vigilant, update their operating systems immediately, and adopt robust defense mechanisms. Do not wait for the alert—assume you are being watched.

Frequently Asked Questions (FAQ)

Can CraxsRAT steal banking credentials?

Yes, absolutely. CraxsRAT utilizes several advanced techniques to steal credentials. It performs keylogging (capturing every keystroke), and more critically, it uses Accessibility Services to perform “overlay attacks.” This means it can draw a fake, transparent login window *over* the legitimate banking app, capturing the PIN or password even if the victim is typing it correctly.

Does factory reset remove CraxsRAT?

Yes, a complete factory reset will wipe the device and remove the CraxsRAT application and its core files. However, you must be cautious during the data restoration phase. If you restore data from a cloud backup or local storage that was infected while CraxsRAT was running, the malware could be reinfected. Always scan your backups before restoring them.
