ClayRat
ClayRat is an Android spyware / remote access trojan (RAT) family used for covert surveillance and remote control of infected devices. It was first publicly identified in October 2025 and was primarily observed targeting Android users in Russia, though later reporting described broader spread. Distribution relied on phishing sites and counterfeit apps impersonating popular services and apps including WhatsApp, TikTok, YouTube, Google Photos, Telegram, and Russian taxi and parking apps; Telegram channels were also used to seed malicious APKs. Some samples acted as droppers, displaying a fake Google Play Store update screen while decrypting and installing a hidden payload from the app assets to bypass newer Android sideloading restrictions.
Documented capabilities include interception of SMS messages, call logs, notifications, and contacts; collection of device information and installed app lists; taking photos with the device camera; screen capture and screen recording; keylogging / recording keystrokes; placing calls; sending SMS, including mass SMS to contacts; harvesting lock-screen credentials such as PINs, passwords, and patterns; and executing commands from a remote command-and-control server over WebSocket. Newer variants abused Android Accessibility Services and default SMS privileges to automate screen interaction, unlock devices, disable Google Play Protect, display fake overlays such as system update screens, create fake interactive notifications to steal user responses, and block uninstallation or device shutdown. Reporting described these upgrades as enabling near full device takeover.
Analysis of exposed ClayRat backend infrastructure showed an unobfuscated Go 1.24 web panel used for device management and APK generation. The panel stored configuration and user data in JSON files, including plaintext credentials and operational tokens, and supported functions such as device telemetry, SMS parsing, screenshot capture, screen viewing, camera access, call initiation, Telegram/SMS relay, and malicious APK building. The APK template contained constants referencing clay.kpmail[.]su, including ws://clay.kpmail[.]su/ws/android and http://clay.kpmail[.]su/, and a telemetry endpoint http://error[.]clayhusas[.]sbs:5654/error. Reporting also noted overlap or reuse involving the kpmail[.]su domain family and DCRAT indicators.
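As an added defender-side example (not code from the page, from Zimperium, or from any vendor named here), the following Python scans an APK's zip entries for the C2 strings quoted above and flags high-entropy blobs under assets/ of the kind the dropper variant decrypts and installs at runtime; the 7.5 bits-per-byte threshold and the constructed sample APK are assumptions, not values from the reporting.

```python
import io
import math
import random
import zipfile

# IOCs quoted in the reporting above (defanged there with [.]); plain here for byte matching.
CLAYRAT_IOCS = [
    b"clay.kpmail.su",
    b"ws://clay.kpmail.su/ws/android",
    b"error.clayhusas.sbs:5654",
]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 means encrypted or compressed; DEX, XML and text score lower."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def scan_apk(apk_bytes: bytes, entropy_threshold: float = 7.5) -> dict:
    """Scan every zip entry of an APK for the known ClayRat C2 strings and for
    high-entropy blobs under assets/ (where the dropper variant hides the
    encrypted payload it decrypts and installs at runtime). Threshold is an assumption."""
    findings = {"ioc_hits": [], "suspicious_assets": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info.filename)
            for ioc in CLAYRAT_IOCS:
                if ioc in data:
                    findings["ioc_hits"].append((info.filename, ioc.decode()))
            if info.filename.startswith("assets/") and len(data) >= 256:
                ent = shannon_entropy(data)
                if ent >= entropy_threshold:
                    findings["suspicious_assets"].append((info.filename, round(ent, 2)))
    return findings

def build_sample_apk() -> bytes:
    """Constructed test input, not a real sample: classes.dex embeds the reported
    WebSocket URL and assets/ holds a pseudo-random blob standing in for an encrypted payload."""
    blob = random.Random(1).randbytes(4096)          # looks encrypted: entropy near 8.0
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\x00ws://clay.kpmail.su/ws/android\x00")
        zf.writestr("assets/update.bin", blob)
        zf.writestr("assets/strings.txt", b"hello world " * 40)   # benign, low entropy
    return buf.getvalue()
```

Run `scan_apk(build_sample_apk())` to see both the IOC hits in classes.dex and assets/update.bin flagged while assets/strings.txt is not.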
Zimperium reported rapid growth, identifying more than 600-700 unique ClayRat samples and roughly 50 droppers over a short period, with over 25 phishing domains used in distribution. ClayRat has also been referenced in reporting on mobile spyware threats affecting messaging-app users and in Telegram-based cybercrime ecosystems linked to CrackRat Zone Clay and RasCorp Group. By December 2025, researchers reported that all known ClayRat command-and-control servers were offline. Open-source reporting linked the apparent collapse or abandonment of the operation to poor operational security and to the detention in Krasnodar of a student suspected of developing and marketing the malware via Telegram.
Groups observed using it
2 distinct threat actors attributed by public researchers.
While examining the structure of the Persephone website and the groups referenced within it, RasCorp Group appeared alongside VFVCT and ClayRat... One such announcement described a strategic alliance between three groups: CrackRat Zone Clay, RasCorp Group, and VFVCT... CrackRat Zone Clay as developers of multifunctional tools.
Techniques & procedures
16 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access: 1 technique
Execution: 2 techniques
Persistence: 1 technique
Privilege Escalation: 1 technique
Stealth: 2 techniques
Credential Access: 2 techniques
Collection: 4 techniques. Evidence: "ClayRat not only permitted phone calls and device data collection, but also photo capturing and app list delivery to the attacker-controlled command-and-control server."
Command and Control: 3 techniques. Evidence: .field public static final WEBSOCKET_URL:Ljava/lang/String; = "ws://clay.kpmail.su/ws/android" | "The malware is capable ... of sending commands from the command-and-control (C2) server."
Exfiltration: 1 technique
IOCs tracked for this family
41 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
31 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Android spyware and remote access trojan used for espionage and remote control of infected devices, with capabilities including SMS and call log interception, contact access, photo capture, screen recording, and remote command execution.
Tooling associated with the RasCorp/VFVCT alliance, described as providing advanced multifunctional tools within the broader ransomware-oriented ecosystem.
Named as one of 17 Android malware families detected in the wild over four months.
Android spyware/RAT used for covert surveillance and remote control of infected devices. It can intercept SMS messages and call logs, access contacts, take photos, record the screen, receive commands from a C2 server, relay SMS, and generate malicious APKs via a builder-backed infrastructure.