Mallory

clayrat_operators

Also known as: ClayRat operators

The ClayRat operators are a threat actor group responsible for distributing the ClayRat Android spyware family. Their campaigns have primarily targeted Russian users via counterfeit Telegram channels and phishing sites impersonating popular apps such as WhatsApp, TikTok, and YouTube. The group employs a range of social engineering and technical tactics, including phishing, malicious QR codes, app impersonation, and exploitation of device and application vulnerabilities (notably CVE-2025-43300, CVE-2025-55177, and CVE-2025-21042). Their operations are part of a broader trend of state-backed and mercenary actors leveraging commercial spyware and remote access trojans (RATs) to compromise high-value individuals, including government, military, and political officials, as well as civil society organizations, across the US, the Middle East, and Europe. The ClayRat operators are associated with campaigns that bypass encrypted messaging protections by abusing app features and device vulnerabilities rather than breaking the encryption itself. There is no direct attribution to a specific nation-state, but their activities align with those of sophisticated, targeted cyber-espionage groups.


What this page doesn't show

This page is what's public. Mallory adds the parts that aren't: sector and geo overlap with your footprint, the IOCs they're burning right now, detection coverage, and what to do next.

- Target overlap: match sector, geo, and tech-stack targeting against your real footprint.
- Tradecraft mapping: every observed MITRE ATT&CK technique, grouped by tactic.
- Malware arsenal: families this actor is known to deploy, with IOCs and behavior.
- Exploited CVEs: CVEs this actor has used in known campaigns.
- Detection signatures: YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
- Observables: domains, IPs, and hashes tied to this actor, refreshed continuously.