Cypher RAT, also recognized in cybersecurity circles as a variant of the SpyNote family (sometimes referred to as SpyMax or SpyNote RAT), is a classic example of an all-purpose Android RAT. It allowed attackers to perform a dizzying array of actions: management of the file system (download, upload, copy, paste, rename, edit, delete, etc.), modification of device settings, logging of keystrokes in both online and offline mode, and comprehensive theft of call logs, SMS messages, and contact lists.
The malware can intercept Two-Factor Authentication (2FA) codes and harvest login credentials for platforms like Gmail and Facebook.
References for analysis
Cypher RAT is designed to bridge the gap between a Windows-based attacker and an Android-based victim, offering a comprehensive suite of "exclusive" monitoring and control features.
If you want, I can:
Like its predecessors, Cypher RAT EVLF offers comprehensive remote access functionalities. This allows attackers to control the victim's device remotely, execute commands, transfer files, and even manipulate the system's processes.
The developer, , has been active for nearly a decade and has reportedly earned over $75,000 from selling these tools to various cybercriminals. While EVLF initially focused on Cypher RAT, the actor's more recent and "amplified" tool, Craxs RAT , has become the flagship product, often sold as "exclusive" versions (like v7.5) via private Telegram channels. cypher rat evlf exclusive
: Rather than asking for all permissions at once (which triggers alerts), this feature waits for the user to open a legitimate app (like a banking or social media app) and then overlays a fake "System Update" or "Security Requirement" prompt to trick them into granting accessibility services. Fake Update Notification
Cypher RAT (Cypher/EVLF) — Overview Cypher is a modular remote access trojan (RAT) observed targeting Windows systems. It provides attackers with persistent, stealthy remote control and a wide range of post-compromise capabilities, including command execution, file transfer, keylogging, screen capture, credential theft, and remote shell access. Operators typically deploy Cypher via social engineering, malicious documents (macro-enabled Office files), or bundled installers that exploit user trust and delivery chains. Cypher RAT, also recognized in cybersecurity circles as
For years, a shadowy figure using the online pseudonym (also known as "EVLF DEV") operated from Syria, building and selling some of the most potent Android Remote Access Trojans (RATs) seen in recent years. Operating for over eight years, EVLF remained largely anonymous, selling his malicious software to a global network of cybercriminals.