Technical Overview: CypherRAT and the EVLF Developer

is a potent Android Remote Access Trojan (RAT) developed by a Syria-based threat actor known as
operated an online store on the surface web, selling lifetime licenses for these tools to over 100 different threat actors.

Core Malicious Capabilities
The report identified EVLF DEV through crypto-transaction tracking and analysis of their online presence, including a Telegram channel ("EvLF Devz") and a web shop for lifetime licenses.
Attackers can customize the app's icon and name to masquerade as legitimate software (e.g., system updates, WhatsApp, or browser apps).

Developer and Market Activity

EVLF DEV-The Creator of CypherRAT and CraxsRAT - cyfirma
The malware utilizes a "builder" tool that allows attackers to customize and obfuscate the malicious package before deployment.
designed to replace cryptocurrency wallet addresses with those belonging to the attacker.

Credential Harvesting