Craxs RAT has been extensively deployed in banking fraud operations. In Malaysia, fraudsters used the malware to . Once the RAT gains access, attackers can:
What sets Craxs RAT apart from simpler malware like SpyNote or AhMyth is its sheer volume of invasive capabilities. Once installed, the RAT grants the attacker near-total control of the victim's device.
A sophisticated evolution known as G700 has been identified, marketing itself as the "next generation" of Craxs RAT with enhanced evasion tactics.
Common Attack Scenarios
Attackers can view the victim’s screen in real time and execute touch gestures, allowing them to open apps and authorize transactions manually.
The attacker can view the victim’s screen in real time (screen streaming), control the device using their own mouse and keyboard, and even bypass Android’s built-in screen recording detection.
Downloading APK files from unofficial third-party websites or "modded" versions of popular games is the most common way Craxs RAT spreads.
Recent updates feature capabilities to "undisplay" or suppress prompt screens related to fingerprint or face unlock verification.
The malware can inject fake login screens (overlays) on top of legitimate apps like Gmail, WhatsApp, banking apps, or even crypto exchanges. When the victim enters their credentials, they are sent directly to the attacker.
First documented in November 2024, G700 RAT represents the next generation of the Craxs RAT family. Developed in C# and Java, it exploits mobile app security gaps, intercepts SMS messages, abuses Android permissions, and hijacks cryptocurrency transactions. The variant uses Base64 encoding and APK encryption to evade detection.
Be highly skeptical of apps requesting excessive permissions, particularly Accessibility Services, which the RAT uses to gain control.
Use Mobile Security:
Craxs RAT incorporates mechanisms to and other native Android security measures. It abuses Android's Accessibility Services to gain access to screen content, read keystrokes, and simulate user interactions—effectively turning the device into a puppet controlled by remote attackers.
Heavily used in financial scams across Southeast Asia (particularly Singapore and Malaysia).
What sets Craxs apart is its technical sophistication. Standard RATs often require the victim to download a separate "Client" app while the attacker runs a "Server" panel. Craxs RAT simplifies this into a streamlined package where the attacker controls thousands of devices from a web-based Control Panel. It is sold exclusively through private Telegram channels and dark web forums, with license fees ranging from $500 (for a one-month license) to over $5,000 for a lifetime enterprise license.
The developer EVLF utilized this framework to create a highly optimized, stable, and stealthy product known as Craxs RAT.
If a simple calculator app asks for access to your SMS, microphone, and location, deny it and uninstall the app.
Attackers distribute malicious links via text messages, Telegram, or email, claiming the user needs to urgently update an app or track a missing package.