Android RAT Campaigns Use CraxsRAT, Klopatra, and SpyNote to Hijack Devices
Multiple Android malware operations have been documented using remote access trojans to seize control of victims’ phones, steal sensitive data, and support financial fraud. Reporting on CraxsRAT describes a malware family built to give operators broad device access, while separate research identified Klopatra, an Android RAT disguised as the IPTV and VPN app “Modpro IP TV + VPN,” infecting more than 3,000 devices in Europe and enabling hidden remote control through a black-screen VNC feature. Klopatra also supports banking overlay attacks, gesture simulation, clipboard theft, keystroke capture, and screen monitoring, allowing attackers to conduct credential theft and fraudulent transactions while the device appears inactive.
A third investigation found attackers targeting high-value individuals in South Asia with Android malware built on SpyNote, delivered through WhatsApp under multiple app names and tied to shared command-and-control infrastructure. That malware was designed to hide itself after installation and collect location data, contacts, SMS messages, call records, device information, files, screenshots, and keystrokes, particularly when accessibility permissions were granted. Across the reported cases, the malware showed strong evasion and persistence features, including obfuscation, anti-debugging, emulator detection, and attempts to disable security tools, underscoring how modern Android RATs are being adapted for espionage, credential theft, and banking abuse.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Researchers identify Klopatra Android RAT campaign in Europe
Researchers identified a new Android remote access trojan called Klopatra targeting users in Europe, disguised as the "Modpro IP TV + VPN" app and distributed outside Google Play. The report linked the activity to a Turkish-speaking threat group and said more than 3,000 devices had been compromised since March 2025.
CYFIRMA reports SpyNote-based Android targeting in South Asia
CYFIRMA published analysis of a malicious Android sample used in targeted attacks against high-value individuals in South Asia. The malware was delivered via WhatsApp under multiple app names, used shared command-and-control infrastructure, and was assessed as likely operated by an unidentified threat actor.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
How CraxsRat Operates: A Deep Dive into Its Mechanisms - FairSport International
fairsport.net
Open sourceUnidentified Threat Actor Utilizes Android Malware to Target High-Value Assets in South Asia - CYFIRMA
cyfirma.com
Open sourceEagleSpy v5: Android RAT with Banking Injection and Ransomware | Lewis Combs posted on the topic | LinkedIn
linkedin.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
CraxsRAT Powers Fake Android Apps and Mobile Banking Fraud
Group-IB reported that **CraxsRAT** is being used as a central malware platform in fake Android app campaigns tied to banking fraud. The malware is distributed through trojanized applications that impersonate legitimate services, allowing attackers to infect devices and gain extensive remote access. Once installed, CraxsRAT can support surveillance, credential theft, and device manipulation, giving operators the ability to harvest sensitive information from victims’ phones. The activity highlights how mobile malware operators are combining social engineering with remote-access tooling to target financial accounts at scale. By embedding CraxsRAT in fraudulent apps, threat actors can bypass user trust, monitor victim activity, and facilitate unauthorized banking transactions, making the malware a key enabler of broader fake-app scam operations against Android users.
May 25, 2026
Commercial Android RATs Abuse Accessibility Services for Full Device Takeover
Two newly reported Android **Remote Access Trojans (RATs)**—**SURXRAT** and **Oblivion**—highlight a continued shift toward *commercialized, subscription-based mobile malware* that enables non-expert criminals to gain full control of victim devices and exfiltrate data. Both threats are positioned as scalable offerings (i.e., **Malware-as-a-Service**) with structured sales models and distribution support, lowering the barrier to entry for surveillance, credential theft, and account takeover. The reported infection chains rely heavily on **social engineering** to trick users into installing or activating malicious components, then escalating control by abusing **Android Accessibility Services** to bypass normal interaction and security boundaries. SURXRAT is described as modular and stealth-focused, distributed primarily via **Telegram** channels with tiered licensing/reseller options, and capable of broad data access (e.g., SMS, contacts, location, storage) once high-risk permissions are granted. Oblivion is marketed at roughly **$300/month** (with longer-term pricing tiers) and is delivered via **fake Google Play update** prompts; researchers reported capabilities including SMS theft for banking codes, keylogging, remote unlocking after reboot, and covert live screen viewing while a decoy “system updating” animation distracts the victim, with infrastructure reportedly able to manage **1,000+** concurrent victims (including via Tor).
Mar 21, 2026
Multiple Remote Access Trojan Campaigns Target Windows and Android via Phishing, App Stores, and Social Platforms
Threat researchers reported several unrelated **RAT-focused malware campaigns** using different delivery channels and evasion techniques. **DEAD#VAX** was described as a Windows phishing operation that delivers **AsyncRAT** via purchase-order lures, abusing **IPFS-hosted VHD** files disguised as PDFs; the mounted VHD drops a multi-stage chain using **WSF**, heavily obfuscated batch scripts, and PowerShell loaders to decrypt and execute x64 shellcode **in memory** by injecting into trusted Windows processes, minimizing on-disk artifacts. Separately, analysis of **Pulsar RAT** activity described persistence via the per-user Run key (`HKCU\Software\Microsoft\Windows\CurrentVersion\Run`), an obfuscated batch dropper in *AppData*, PowerShell-based staging, and **Donut-generated shellcode** injection into processes such as `explorer.exe`, with anti-analysis features and data theft (credentials, wallets, tokens) exfiltrated via **Discord webhooks**. On Android, two distinct campaigns were highlighted. **Anatsa** banking malware was found distributed through **Google Play** in a trojanized “document reader” app that exceeded **50,000 downloads** before detection; the initial app acts as a loader that retrieves the full banking trojan and supports credential theft and C2-driven actions, with reporting attributing discovery and tracking to **Zscaler ThreatLabz**. **Arsink RAT** was reported spreading primarily via **Telegram/Discord** and file-sharing sites (e.g., MediaFire) through fake “mod/pro” apps impersonating major brands; research attributed to **Zimperium** cited **~45,000** victim IPs across **143 countries**, **1,216** malicious APKs, and **317** Firebase Realtime Database C2 endpoints, with capabilities including SMS/OTP theft, call log and contact harvesting, location tracking, and microphone audio capture.
Mar 21, 2026