⚠ Legal Disclaimer

Disclaimer

craxsratinfo.com
Applies to All Site Content
Read Before Proceeding
By accessing any content on CraxsRatInfo — including articles, threat reports, detection tools, campaign maps, and research data — you acknowledge that this site exists solely for cybersecurity education and defensive research. The technical information published here describes real malware threats that exist in the wild. This disclaimer explains the precise scope, limitations, and legal boundaries of that content. Reading it in full is strongly recommended before relying on any information found on this site.

01 —

Nature & Purpose of This Site

CraxsRatInfo (craxsratinfo.com) is an independent, non-commercial cybersecurity research and education platform. It was established for a single purpose: to document, analyse, and publicly communicate the threat posed by CraxsRat — a sophisticated Android Remote Access Trojan (RAT) — and related mobile malware, so that individuals, organisations, and security professionals can better detect, defend against, and remove it.

Every article, threat intelligence report, campaign analysis, infection detection guide, technical breakdown, and interactive tool published on this site has been produced with a strictly defensive orientation. We research how CraxsRat works so that you can identify and stop it — not to enable, promote, or assist anyone in deploying it.

CraxsRatInfo is not a commercial antivirus vendor, a licensed cybersecurity firm, a law enforcement body, or a government agency. We are an independent research collective publishing open-access threat intelligence. Our work sits in the same tradition as publicly available threat intelligence blogs and research platforms operated by individual security researchers and academic institutions worldwide.

Our Founding Commitment
Every technical detail we publish — including malware capabilities, permission abuse chains, C2 communication patterns, and evasion techniques — is published in the public interest. The same information that helps a threat actor understand their own tool also helps a defender detect and neutralise it. We judge that the defensive value of this research substantially outweighs any risk, particularly given that this information is already documented in public reports by Group-IB, Cyfirma, Kaspersky, ESET, SOCRadar, Lookout, and Recorded Future.

02 —

Not Professional Security Advice

Nothing published on CraxsRatInfo constitutes professional cybersecurity advice, legal advice, financial advice, or any other form of regulated professional guidance. All content — including detection guides, removal instructions, threat assessments, and security recommendations — is provided for general informational and educational purposes only.

The threat landscape changes continuously. Malware evolves. Device configurations vary. Network environments differ. A recommendation that is technically correct for one device, operating system version, or threat variant may be incomplete, inapplicable, or counterproductive in another context. Security guidance published here represents our best understanding of documented behaviour at the time of writing — it is not a guaranteed solution for every situation.

For Active Security Incidents
If you believe your device, network, or organisation is currently compromised by CraxsRat or any other malware, our research content is a useful starting point for understanding what you may be facing — but it is not a substitute for professional incident response. We strongly recommend engaging a qualified cybersecurity professional, your organisation's security team, or your device manufacturer's support channel for active incident handling.

Specific Limitations of Our Guidance

  • Removal instructions are based on documented malware behaviour and may not account for variant-specific changes, custom configurations, or device-manufacturer modifications to Android that alter the steps involved
  • Detection indicators (Accessibility Service names, permission patterns, battery heuristics) are based on known samples and may not match newer, obfuscated, or custom-built variants
  • Antivirus recommendations reflect detection rates documented in threat intelligence reports at a specific point in time — detection rates change as vendors update signatures
  • Security hardening advice is general best practice and may require adaptation for enterprise environments, managed devices, or specific Android versions

CraxsRatInfo accepts no liability for security outcomes — successful or otherwise — resulting from reliance on content published on this site. See Section 8 for specific limitations on detection and removal guidance.

03 —

Cybersecurity Research Scope

Cybersecurity research inherently involves studying and describing malicious systems in order to defeat them. This is the established, widely-accepted model by which the global security community protects users: understanding an attack is a prerequisite for building defences against it. CraxsRatInfo operates fully within this tradition.

Our research scope is precisely bounded. The table below defines what falls within and outside our research mandate:

✓ Within Research Scope
  • Technical analysis of malware capabilities drawn from public reports
  • Campaign documentation using published threat intelligence
  • Infection detection indicators and behavioural signatures
  • Removal and remediation procedures for affected devices
  • Permission abuse analysis and Android security model explanations
  • C2 infrastructure patterns for network-level detection
  • Timeline and evolution documentation of CraxsRat variants
  • Comparison of detection rates across antivirus platforms
  • Android security hardening recommendations
  • Responsible disclosure of new findings to relevant parties

✗ Outside Research Scope
  • Distribution or hosting of any malware, APK files, or builder tools
  • Operational C2 addresses published in a manner enabling their use
  • Step-by-step infection instructions or attack tutorials
  • Source code, decompiled payloads, or functional attack components
  • Targeting intelligence or victim identification
  • Any content that assists a threat actor rather than a defender
  • Surveillance tools, stalkerware, or dual-use spyware promotion
  • Assistance with bypassing security controls on devices you do not own

When our research touches on technical details that could theoretically be misused — such as specific evasion techniques or permission abuse chains — we include only the level of detail necessary for detection and defence. We deliberately omit implementation specifics, functional code, and operational parameters that would have no legitimate defensive use.

04 —

No Affiliation With Threat Actors

CraxsRatInfo has no affiliation, relationship, communication, or connection of any kind with the developer of CraxsRat — identified in public research by Cyfirma as a Syrian-based threat actor operating under the handle “EVLF” — or with any other individual, group, or organisation involved in the development, distribution, sale, or deployment of CraxsRat or any related malware.

We have never purchased, licensed, or otherwise obtained CraxsRat from its developer or any reseller. We have never communicated with EVLF or any affiliated party. Our technical knowledge of CraxsRat's capabilities and architecture is derived exclusively from published threat intelligence reports by named, reputable cybersecurity organisations — the same reports that are publicly available to any researcher, journalist, or security professional.

Important Clarification on the Site Name
The name “CraxsRatInfo” (formerly CraxsRatInfo) was chosen to reflect our subject matter while aligning with our parent brand. It was chosen to be easily found by people seeking information about CraxsRat infections — people who may be victims, security researchers, or IT professionals dealing with this specific threat. The name reflects our subject matter, not affiliation with it. This is the same reason Malwarebytes, Kaspersky, and ESET name their research articles after the specific malware they document.

We do not endorse, glorify, or trivialise the harm caused by CraxsRat. The campaigns documented on this site — banking fraud, credential theft, device surveillance — have caused measurable financial and personal harm to real victims across Singapore, Malaysia, South Asia, the Middle East, and beyond. Our documentation of these campaigns is intended to expose and reduce that harm, not to celebrate or amplify it.

Any individual or entity claiming affiliation between CraxsRatInfo and malicious actors is making a false representation. We reserve the right to pursue legal remedies against defamatory mischaracterisations of this platform's purpose and affiliations.

05 —

Accuracy & Currency of Information

We make every reasonable effort to ensure that the information published on CraxsRatInfo is accurate, well-sourced, and up to date at the time of publication. All factual claims about CraxsRat capabilities, campaign statistics, and threat actor activity are attributed to named, primary source threat intelligence reports. We do not fabricate, embellish, or speculate beyond what the cited evidence supports.

However, cybersecurity threat intelligence is a rapidly evolving field. The following limitations apply to all content on this site:

Content Type | Accuracy Limitation | Recommended Action
Malware capabilities | Based on analysed samples at a specific version — new variants may behave differently | Cross-reference with the most recent vendor reports before drawing operational conclusions
Campaign statistics | Reflect documented data at time of original report publication — actual figures may be higher | Treat as minimums, not ceilings — underreporting is common in mobile threat campaigns
Detection rates | Antivirus detection efficacy changes daily as signatures are updated | Verify current detection rates directly with the antivirus vendor or via VirusTotal
Removal instructions | Tested against known samples — custom builds or heavily modified variants may differ | If standard removal fails, factory reset is the safest fallback
IOC / indicator lists | Package names, hashes, and C2 patterns rotate frequently | Treat as historical reference — supplement with live threat intel feeds
Third-party attribution | Attribution is inherently probabilistic and subject to revision | Refer to the original citing organisation for their confidence level and methodology

We display publication dates and “Last Verified” markers throughout the site. If you discover a factual error, outdated figure, or misattribution in any article, we encourage you to report it via craxsratinfo.com/report/problem/. Verified corrections are applied promptly with a correction notice appended to the article.

06 —

IOC & Technical Indicator Disclaimer

Indicators of Compromise (IOCs) — including but not limited to APK package names, file hashes (MD5, SHA-256), Android permission sets, network signatures, C2 communication patterns, and Accessibility Service identifiers — are published on CraxsRatInfo exclusively for defensive and detection purposes.

Intended Use of IOCs

  • Feeding into enterprise SIEM, EDR, or mobile threat defence (MTD) platforms as detection rules
  • Informing antivirus signature updates submitted to vendors
  • Configuring network firewalls and DNS filters to block known C2 communication patterns
  • Manual device auditing to check for presence of known malicious package names
  • Academic and forensic research into Android malware behaviour
  • Threat hunting exercises within authorised security team environments

IOC Limitations

IOCs published on this site have a finite operational lifespan. CraxsRat's builder tool generates new APKs with unique package names and modified permission sets on demand, meaning specific hashes and package names are frequently rotated by threat actors. An IOC that accurately identifies a CraxsRat sample on the date it was documented may not identify a newer variant built the following week.

Do Not Rely Solely on IOC Lists
IOC matching is a lagging indicator of compromise — it identifies known, previously observed samples. Behavioural detection (monitoring for Accessibility Service abuse, unexpected Device Administrator registration, anomalous SMS broadcast registration) provides more durable protection against novel variants. Use IOC lists as one layer within a layered defensive strategy, not as a standalone control.

CraxsRatInfo accepts no liability for security breaches, missed detections, or false positives arising from implementation of IOCs published on this site. Security teams should validate all indicators against their specific environment before deploying them in production detection systems.

07 —

OSINT & Intelligence Sourcing

A significant portion of the threat intelligence published on CraxsRatInfo is derived from Open Source Intelligence (OSINT) — publicly available information sourced from published threat reports, academic papers, court documents, and the research output of major cybersecurity organisations. All OSINT-derived content is attributed to its primary source.

Our primary intelligence sources include, but are not limited to:

Organisation | Contribution to Our Research | Relationship
Group-IB | Singapore and Malaysia banking campaign analysis; sample volumes; C2 infrastructure mapping | No affiliation — public reports cited
Cyfirma Research | Developer identification; G700 variant technical analysis; cryptocurrency targeting | No affiliation — public reports cited
Kaspersky Lab | South Asian and Sub-Saharan Africa infection data; mobile threat statistics | No affiliation — public reports cited
ESET Research | North Africa underground marketplace documentation; distribution network analysis | No affiliation — public reports cited
SOCRadar | Dark Strom group; CraxsRat v6.7 Telegram distribution channel analysis | No affiliation — public reports cited
Lookout | Middle East social engineering campaign data; UAE and Saudi Arabia targeting | No affiliation — public reports cited
Recorded Future | Latin America banking trojan bundle campaigns; Brazilian financial sector targeting | No affiliation — public reports cited

CraxsRatInfo does not claim ownership of data, statistics, or findings originating from these organisations. All such material is cited and attributed in accordance with fair use principles for commentary, education, and research. If any of these organisations identifies a mischaracterisation or misuse of their research in our content, we welcome direct contact and will correct or remove the relevant material immediately.

Our own original contributions — synthesis, analysis, detection guides, interactive tools, the threat intelligence map, and the infection checker — are the intellectual property of CraxsRatInfo. The two should not be conflated: cited third-party data is not our claim; our analysis built on top of that data is.

08 —

Detection & Removal Limitations

CraxsRatInfo provides detailed detection guidance — including our 7-question client-side infection checker, Accessibility Service audit instructions, Device Administrator review steps, and network anomaly indicators — and removal procedures for affected Android devices.

These tools and guides are provided in good faith based on documented malware behaviour. However, the following specific limitations apply and must be understood before acting on this guidance:

  • The infection checker is indicative, not diagnostic. It identifies behavioural patterns associated with CraxsRat infection based on your answers. It cannot directly inspect your device, running processes, installed packages, or network traffic. A negative result does not certify your device is clean — it means your reported behaviour does not match known infection patterns.
  • No data is transmitted. The infection checker runs entirely within your browser. No answers, results, or device information are sent to our servers. This also means we have no capacity to follow up, review your specific case, or provide personalised remediation advice based on your checker results.
  • Removal steps may be incomplete for modified variants. CraxsRat's builder tool allows threat actors to customise package names, icons, and permission labels. A variant may use a Device Administrator entry with a name different from what our guide references. Always check every Device Administrator entry, not just those matching specific names we describe.
  • Factory reset is not always sufficient. In rare, advanced infection scenarios involving persistent storage abuse or firmware-level compromise, a factory reset may not fully remove a RAT. Such scenarios are uncommon with CraxsRat but not impossible with highly customised builds.
  • Post-removal credential rotation is essential. CraxsRat's keylogging capability means that all credentials entered on a compromised device should be considered exposed. Following removal, change all passwords — banking, email, social media — from a clean, uncompromised device.

If Removal Fails
If you have followed our removal guide and the malware persists — evidenced by continued Accessibility Service re-enablement, Device Administrator re-registration, or continued unusual data usage — do not continue attempting manual removal. Back up essential data where possible, perform a full factory reset, and flash a clean Android firmware image if your device supports it. For severe cases, consult a professional mobile device forensics service.

09 —

External Links & Third-Party Content

CraxsRatInfo contains hyperlinks to external websites, including published threat intelligence reports, vendor research blogs, news articles, cybersecurity documentation, and official platform resources. These links are provided as supporting references and for the convenience of our readers.

We do not control, operate, or take responsibility for any external website. The following specific disclaimers apply to external links on this site:

  • We cannot guarantee the continued availability, accuracy, or security of any externally linked resource. Links may become broken, content may be updated or removed, and previously reputable sources may change ownership or editorial standards after we publish
  • Linking to a source does not constitute an endorsement of that organisation's full body of work, commercial products, services, political positions, or any content beyond the specific document or page referenced
  • Some research references Telegram channels as documented distribution vectors for CraxsRat. Mentioning these channels is for informational and documentary purposes. We do not link to active CraxsRat distribution channels, and we do not endorse, moderate, or take responsibility for any content within third-party Telegram groups
  • External security tool recommendations (antivirus platforms, mobile security apps) reflect documented detection efficacy at the time of writing and do not constitute paid endorsements, affiliate relationships, or commercial partnerships of any kind
  • When you follow an external link from CraxsRatInfo, the privacy policy and terms of service of the destination site apply. We have no visibility into, or control over, how those sites handle your data

If you encounter a broken link, a linked resource that has materially changed its content, or a link you believe is inappropriate, please notify us via craxsratinfo.com/report/problem/.

10 —

No Malware Distribution

CraxsRatInfo operates under an absolute, unconditional, and permanent policy of zero malware distribution. This policy admits no exceptions under any framing, including research, educational demonstration, academic archiving, or journalistic purposes.

Absolute Zero-Distribution Policy
We do not and will never: host, store, or distribute CraxsRat APK files or any variant thereof; provide download links — direct or indirect — to any functional malicious Android application; share CraxsRat builder software, configuration files, or licence credentials; distribute cracked versions, leaked builds, or archived samples of CraxsRat or G700; publish working C2 server addresses, panel URLs, or authentication credentials; or provide any resource that would give a threat actor meaningful operational capability they do not already possess.

All technical details we publish — capability descriptions, permission abuse chains, evasion techniques, network signatures — are derived from public threat intelligence reports and presented at a level of abstraction that serves defenders without serving attackers. The threshold we apply: if a detail would help a security analyst detect or remove malware but would not meaningfully assist a threat actor beyond what they already know from operating the tool, we may publish it. If a detail would primarily assist an attacker, we do not.

Any user who attempts to obtain malware, operational tools, or attack assistance through this platform — whether via the submission forms, contact channels, comment sections, or any other vector — will be permanently banned, and their interaction logged and reported to relevant law enforcement and abuse reporting channels.

If you believe any content currently visible on this site violates this policy — including content that may have been injected via a security vulnerability we are not yet aware of — please report it immediately at craxsratinfo.com/report/security/. We will investigate and act within 24 hours of receiving any such report.

11 —

Jurisdiction & Legal Compliance

CraxsRatInfo is committed to operating in full compliance with applicable law across all jurisdictions from which this site is accessed. Cybersecurity research and education is a legally protected and socially valued activity in most democratic legal systems, provided it is conducted within the bounds described in this disclaimer and our Terms of Service.

Applicable Legal Frameworks

  • European Union: Our research and disclosure practices are aligned with the EU's Network and Information Security (NIS2) Directive and the GDPR. We support the EU's Coordinated Vulnerability Disclosure framework and apply its principles to any new findings we generate
  • United Kingdom: Our research activities are consistent with defences available under the Computer Misuse Act 1990 for legitimate security research. We do not conduct unauthorised access to any computer system under any circumstances
  • United States: Our research is consistent with the safe harbour provisions for security research recognised under the Digital Millennium Copyright Act (DMCA) and the principles articulated in DOJ guidance on the Computer Fraud and Abuse Act (CFAA) for good-faith security researchers
  • India, Malaysia, Singapore, UAE: Given the documented prevalence of CraxsRat campaigns in these regions, our content is specifically designed to be useful to users and security professionals in these jurisdictions. Our research does not violate the IT Act (India), Computer Crimes Act (Malaysia), Computer Misuse Act (Singapore), or Cybercrime Law (UAE), as we conduct no unauthorised access and distribute no attack tools

User Responsibility

Users access this site from their own jurisdiction and are responsible for ensuring their use of this site's content complies with local law. Information about malware that is legal to read and share in one jurisdiction may be subject to restrictions in another. CraxsRatInfo makes no representation that accessing this site is appropriate or lawful in all jurisdictions. If you are uncertain whether accessing cybersecurity research content is permitted in your jurisdiction, consult a local legal professional before proceeding.

CraxsRatInfo cooperates fully with legitimate law enforcement requests made through proper legal channels. We maintain activity logs for security and legal compliance purposes in accordance with our Privacy Policy.

12 —

Contact & Corrections

We take the accuracy and integrity of our research seriously. If any content on this site contains a factual error, outdated information, attribution mistake, or material that you believe violates the principles set out in this disclaimer, we want to know immediately.

We also welcome contact from cybersecurity researchers, journalists, law enforcement, and representatives of the organisations whose research we cite — whether to correct the record, explore collaboration, or flag concerns.

CraxsRatInfo — Research & Legal Contact

General & legal: legal@craxsratinfo.com

Privacy enquiries: privacy@craxsratinfo.com

Content corrections: craxsratinfo.com/report/problem/

Security vulnerability reports: craxsratinfo.com/report/security/

App / threat submissions: craxsratinfo.com/report/app/

// Content corrections: actioned within 48 hours
// Legal enquiries: responded to within 5 business days
// Security reports: triaged within 24 hours

Related Legal Documents
This disclaimer should be read alongside our Privacy Policy — which governs how we collect and handle personal data — and our Terms of Service — which governs the conditions of use for this site. Together, these three documents form the complete legal framework governing your relationship with CraxsRatInfo.
© 2026 CraxsRatInfo — All rights reserved
Last updated: March 21, 2026 · Applies to all site content