: A sophisticated clipboard monitor that detects when a user copies a cryptocurrency wallet address and automatically replaces it with the attacker’s address. 2FA Interception

and CraxsRAT are prominent Android malware families created by a Syrian threat actor known as EVLF DEV . Operating as a Malware-as-a-Service (MaaS) provider, EVLF has sold these tools to over 100 cybercriminals, often via a surface web store. Key Features and Capabilities

: The EVLF variant employs advanced techniques to evade detection. It can bypass traditional security measures by encrypting its traffic and files, making it difficult for signature-based detection systems to identify it as malicious.

A defense mechanism that prevents uninstallation by crashing the settings page whenever a user attempts to remove the app.

For more technical indicators, you can view the online file analysis for Cypher RAT on Hybrid Analysis.

EVLF’s operation is characterized by its high user engagement and exclusive distribution.

Exclusive ((full)): Cypher Rat Evlf

: A sophisticated clipboard monitor that detects when a user copies a cryptocurrency wallet address and automatically replaces it with the attacker’s address. 2FA Interception

A defense mechanism that prevents uninstallation by crashing the settings page whenever a user attempts to remove the app. Key Features and Capabilities : The EVLF variant

For more technical indicators, you can view the online file analysis for Cypher RAT on Hybrid Analysis.

EVLF’s operation is characterized by its high user engagement and exclusive distribution.

Submitted. Thanks!

Exclusive ((full)): Cypher Rat Evlf