{
	"id": "d32adfe5-e219-4527-8806-f7cf62846e38",
	"created_at": "2026-05-05T02:46:13.212934Z",
	"updated_at": "2026-05-05T02:46:37.134853Z",
	"deleted_at": null,
	"sha1_hash": "67d69b965f8e10a3168b61af29413fa36d2fd9ea",
	"title": "Craxs Rat, the master tool behind fake app scams and banking fraud | Group-IB Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 7074951,
	"plain_text": "Craxs Rat, the master tool behind fake app scams and banking\r\nfraud | Group-IB Blog\r\nArchived: 2026-05-05 02:29:24 UTC\r\nIntroduction\r\nSince April 2023, a series of scams involving fake Android apps have targeted Singapore. These fake apps are\r\nbanking trojans used to harvest victims’ banking credentials and personal information, as well as to take control of\r\ntheir devices. In this specific case, threat actors have been observed using phishing websites as part of their\r\ncampaign to deliver fake apps posing as known brands. Abusing popular brands and imitating Android trojans as\r\nlegitimate-looking apps has been a notable trend in cybercriminal activity in recent years.\r\nThe Android fake apps were introduced as part of the scam scheme to lure victims with fraudulent advertisements\r\nof services or goods. The threat actors would then request the user to download fake Android apps in the pretense\r\nof making a payment or making an order.\r\nGroup-IB’s High-Tech Crime Investigation team has been closely analyzing the early campaigns. The fake\r\nAndroids apps were initially detected as Spymax by most antivirus products. However, after further analysis into\r\nthe code, the apps were in fact a Remote Access Trojan (RAT) built using Craxs Rat.\r\nSpymax is a mobile RAT built by threat actor “✶ s c я є α м” in 2019. The source code of Spymax was leaked in\r\n2020 and was used by other actors to customise the software. The actor “EVLF” created his version of malware\r\nnamed Craxs Rat using the leaked code. As of April 2023, EVLF advertised new versions of Craxs Rat on his\r\nTelegram channel.\r\nDuring the research into the Singapore phishing campaign involving Craxs Rat, Group-IB’s High-Tech Crime\r\nInvestigation team revealed that there were at least 10 different brands abused by threat actors, ranging from\r\nmultiple online shopping platforms, an anti-scam center, pet grooming salons, dumpling shops and many\r\nothers. 
All these phishing campaigns required victims to download and install the fake Android app (which was\r\nbuilt using Craxs Rat) onto their Android mobile device.\r\nWhat is Craxs RAT malware?\r\nCraxs Rat is a potent Remote Access Trojan (RAT) created by EVLF, a threat actor that enables cybercriminals to\r\nremotely control an infected device without the victim’s knowledge. Unlike many conventional malware tools, the\r\nCraxs Rat malware is specifically designed to hijack Android devices, allowing attackers to extract sensitive data,\r\nmonitor user activities, and even manipulate the device’s settings remotely.\r\nOriginally emerging as a derivative of Spymax RATs, Craxs Rat has become notorious for its adaptability and\r\nstrong control mechanisms. With its latest iteration, Craxs Rat v7, the malware now features amplified capabilities\r\nthat make it even more difficult to detect and mitigate.\r\nhttps://www.group-ib.com/blog/craxs-rat-malware/\r\nPage 1 of 30\n\nHow Does Craxs RAT Work?\r\nAt its core, Craxs Rat operates by exploiting vulnerabilities in the Android mobile operating system.\r\nCybercriminals typically deploy the malware via phishing campaigns, where victims are tricked into downloading\r\nfake applications from third-party websites or through deceptive emails. 
Once installed, the malware silently\r\nconnects to a Command and Control (C\u0026C) server, allowing attackers to:\r\nGain remote access: Control the device in real-time.\r\nHarvest sensitive data: Steal banking credentials, personal information, and contact details.\r\nManipulate device functions: Change system settings, take screenshots, and even record audio.\r\nPersist on the device: Implement stealthy persistence mechanisms to survive reboots and updates.\r\nThe sophistication of Craxs Rat malware is evident in its ability to encode network parameters and utilize\r\nencrypted communications, making it a formidable threat that continuously adapts to bypass traditional security\r\nmeasures.\r\nFeatures of Craxs RAT\r\nThe robustness of Craxs Rat lies in its wide range of capabilities. Key features include:\r\nComplete remote control: Once the malware is installed, attackers can manipulate nearly every function\r\non the victim’s device.\r\nExtensive permission requests: Fake apps built using Craxs Rat often require access to SMS, call logs,\r\ncontacts, cameras, microphones, geo-location, and more. These permissions are critical for executing\r\nfraudulent activities.\r\nCommand and control connectivity: The malware encodes its C\u0026C server details (often using base64\r\nencoding) to evade detection and ensure a secure channel for remote commands.\r\nCustomizable payloads: Using a free or paid version of the Craxs Rat builder, cybercriminals can tailor\r\nthe malware’s functionality. 
This flexibility has led to the emergence of multiple variants, including the\r\nhighly publicized Craxs Rat v7.\r\nMulti-language support: The malware interface often supports multiple languages—such as English,\r\nArabic, Turkish, and Simplified Chinese—to target victims across different regions.\r\nKey discoveries in the blog\r\nGroup-IB Investigation team analyzed the fake scam campaign targeting Singapore including the threat\r\nactor’s infrastructure, and the fake apps used in the scam scheme.\r\nThe scam campaign targeting Singapore used a fake app built by Craxs Rat and started no later than\r\nApril 2023.\r\nPhishing websites used in the Singapore Craxs Rat campaign were probably controlled by Chinese\r\nspeaking threat actors.\r\nCraxs Rat has been developed by the threat actor EVLF and sold on his Telegram Channel. We did the\r\nthreat profiling of threat actor EVLF, and revealed in-depth information about the Craxs Rat tool.\r\nEVLF’s Telegram channel was bought over on 5 September 2023. We assume that the actors behind the\r\nSingapore attacks could be related to it.\r\nThere is a new channel created by EVLF where he released the latest version of Craxs Rat 7.5 on 17 April\r\n2024.\r\nOur team constantly tracked and noted the latest updates on Craxs Rat, which have been detailed in the\r\nblog.\r\nWho may find this article interesting:\r\nCybersecurity analysts and corporate security teams\r\nMalware analysts\r\nThreat Intelligence specialists\r\nCyber investigators\r\nComputer Emergency Response Teams\r\nLaw enforcement investigators\r\nCyber Police Forces\r\nFigure 1. 
Craxs Rat profile made by Group-IB Threat Intelligence\r\nWhat malware was used in the phishing campaign targeting Singapore?\r\nThe Singapore campaign with Android trojans garnered increasing attention in May 2023.\r\nThe fake applications were detected by antivirus engines as “SpyMax.” Group-IB specialists found that the code\r\nof these apps was different from the known “SpyMax” samples. So, we dived deeper into the evolution of the\r\n“SpyMax” malware and discovered the latest popular version of it, named “Craxs Rat.” We further analyzed one\r\nof the fake apps from the scam campaign and compared its features with an app built by Craxs Rat free builder\r\n(hereinafter – replicated fake app).\r\nHere are some of the comparisons of the results:\r\nFigure 2. Comparing components of fake app and replicated app built using Craxs Rat builder.\r\nAs can be seen from the table above, the number of exported functions and components match.\r\nUsing the free version of Craxs App builder, we can see the minimum list of permissions required:\r\nSend SMS\r\nRecord Calls\r\nChange Wallpaper\r\nRead SMS\r\nRead call logs, contacts and accounts\r\nAccess to camera, microphone\r\nAccess to geo-location\r\nPermission to make calls.\r\nA more extensive list of permissions is expected for the paid version buyers.\r\nFigure 3. List of permissions for selection in Craxs App builder\r\nThe permission list from the analyzed fake app includes the ones listed above.\r\nThe comparison of the AndroidManifest.xml is presented below. As we see, there are complete similarities\r\nbetween the permissions of both the fake app and the replicated app for access to SMS, camera, contact list, recording\r\naudio, call log, access to files, etc.\r\nFigure 4. 
Comparing AndroidManifest.xml of fake app and a replicated app built using Craxs Rat builder.\r\nThe following showcases the similarities in the AlertDialog Message with languages in English, Arabic, Turkish and\r\nSimplified Chinese for both the fake app and replicated app.\r\nFigure 5. Comparing source code of fake app and a replicated app built using Craxs Rat builder.\r\nTo get the Accessibility Service permissions, which allow remote control functions, the following window\r\nappears on the victims’ device:\r\nFigure 6. Comparison of the template design in a fake app and a replicated app using Craxs Rat builder\r\nIn terms of network indicators, a Craxs Rat sample contains a link to a website whose content it displays to a\r\nvictim, and an encoded IP address of the Command and Control server (hereinafter – C2 server) controlled by a\r\nthreat actor.\r\nIn both the fake app and the replicated app, the C2 IP address is base64 encoded.\r\nThe parameter “b” in a replicated app was changed manually to a value from a fake app. The parameter “d”\r\ncontains the name of the app. The parameter “e” contains the IP address of the C2 server while the parameter “f”\r\nreflects the port number on the C2 server. We customised all these parameters in the replicated app through Craxs\r\nRat builder to showcase the similarity of C2 configuration format.\r\nWhile analyzing the network infrastructure of the C2 IP addresses obtained from malware samples used in a\r\nSingapore scam campaign, we discovered that all of the C2 IP addresses were hosting Windows Server 2019,\r\nwith the system language set to Chinese.\r\nFigure 8. 
RDP connection to one of the C2 IP addresses showing Windows Server login where password field is in\r\nChinese\r\nA panoramic view of the correlation between the C2 IP addresses in the Singapore scam campaign is shown\r\nthrough Group-IB’s patented Graph technology.\r\nFigure 9. C2 IP addresses sharing the same settings with other IP addresses belonging to the threat actor’s network\r\ninfrastructure\r\nSo, our comparison of the samples used in the Singapore scam campaign and Craxs Rat app showed similarities.\r\nThe analysis of its C2 infrastructure brought us to the conclusion that Chinese-speaking threat actors\r\ncould be behind this campaign.\r\nPhishing infrastructure in the attacks\r\nAnalysing dozens of Craxs Rat samples used in a Singapore scam campaign, we discovered a lot of phishing\r\npages impersonating different brands including some widely-known ones. The websites impersonated were online\r\nshopping platforms, anti-scam center, pet grooming salon, dumpling shop and many others. An example of one of the\r\nphishing pages positioned as 1st Mall is presented below:\r\nFigure 10. Phishing webpage positioned as 1st Mall website\r\nThe brands include, but are not limited to, the following:\r\n1st Mall\r\nAnti-Scam center\r\nE2 Mall\r\nShopnow\r\nChoose\r\nSG-Furniture\r\nMall 1st\r\nGrab \u0026 Go\r\n第一商城\r\netc.\r\nExamples of the samples whose names represent the impersonated brand are presented below:\r\nFigure 11. Screenshot showing list of APK files communicating with fake app’s C2 IP addresses\r\nIn one phishing page, we discovered the following languages supported: “China Hong Kong”, “China”, “English”,\r\n“French”, “Thai” and “Laos”. 
It can be assumed that these are the languages of the target victims.\r\nFigure 12. Languages supported by the phishing online shopping platform\r\nThe earliest web pages which we link to the Singapore Craxs Rat campaigns were discovered in April 2023,\r\nimpersonating an application used to track phone location just by its phone number. The phishing service used the\r\nnames Backfinder and Backtracker.\r\nFigure 13. A screenshot of a website impersonating Backfinder\r\nOur experts also discovered that the admin panel behind the phishing websites is CRMEB – which is popular\r\namong the Chinese-speaking community of developers.\r\nFigure 14. Example of CRMEB admin login page for a phishing website\r\nSo, based on the presented analysis, we concluded that phishing websites were administered via CRMEB\r\nadmin panel by the threat actors who are likely to be Chinese-speaking. The first traces of the phishing\r\ninfrastructure we discovered were registered no later than April 2023.\r\nFrom Spymax to Craxs Rat\r\nTo clarify the roots of the Craxs Rat used in the Singapore campaigns we researched the malware evolution by\r\nanalysing Dark Web forums.\r\nWe discovered that Spymax, also known as Spy max or SpyNote, was first developed by a threat actor\r\nnicknamed ✶ s c я є α м in 2019 and was advertised on a popular Syrian forum, which had been shut down\r\nalready. Since then, the activity of Spymax has been ongoing especially with the source code of Spymax being\r\npublished online in 2020. Many threat actors have taken the source code of Spymax and customised it to release\r\nnew versions or to create their own RAT.\r\nAmongst them is a threat actor named EVLF, who took the source code of Spymax and released his own updated\r\nversion. Meanwhile, he was also behind new Remote Access tools such as Cypher Rat and Craxs Rat. 
The\r\ntimeline below shows how the events unfolded from the creation of Spymax to the birth of Craxs Rat.\r\nFigure 15. Timeline of EVLF and SpyMax / Craxs Rat development\r\nBelow you can find one of EVLF’s posts with comments about his malware built on the source code of Spymax\r\nand SpyNote.\r\nFigure 16. Screenshot from Group-IB Threat Intelligence Platform about EVLF clarifying about the source code\r\nfor Spymax. Original post was written in Arabic.\r\nAfter the forum shutdown, new advertisement posts from EVLF appeared on his Telegram channel. Since March\r\n2022, this account was the main source of updates about Craxs Rat.\r\nFigure 17. Screenshot from EVLF’s Telegram channel showing the first message about Craxs Rat.\r\nGroup-IB’s team have analyzed the posts more precisely to get more personal insights about the author.\r\nOne of the posts lets us infer his geolocation, which could be Syria:\r\nThrough the videos that he posted on his Telegram channel, there was other evidence indicating that EVLF could\r\nbe from Syria. The geographic location of Mezze, a municipality in Syria, is shown on a mobile phone in one of\r\nhis videos.\r\nFigure 19. Screenshot of video in EVLF’s Telegram channel showing geolocation Mezze\r\nOn 23 August 2023, a message was posted by EVLF about stopping his activity:\r\nFigure 20. Screenshot of EVLF’s message on stopping his activity\r\nOne of the deleted messages saved by our Threat Intelligence Platform:\r\nFigure 21. 
Screenshot from Group-IB Threat Intelligence Platform showing EVLF’s deleted message about selling\r\nthe channel and Craxs Rat source code\r\nOn 5 September 2023, a message was posted on EVLF’s Telegram channel that the channel had been bought over.\r\nFigure 22. Screenshot from EVLF’s Telegram channel announcing that the channel has been bought over\r\nThe Telegram username of EVLF, which was used as a contact for buying, was changed to new contact\r\ninformation. After the buy-over, Telegram messages on the channel have incorporated Chinese, and\r\nvideo tutorials in Simplified Chinese have also been published.\r\nFigure 23. Screenshot from EVLF’s Telegram channel with messages containing Simplified Chinese characters\r\nThe advertisement of new capabilities for the Craxs Rat malware started to be duplicated in Chinese as well:\r\nNew interface and logo\r\nNew update for MIUI + ColorOS phones. Enabling background permissions is easier than ever\r\nAutomatic screen unlock: needs to be detected once\r\nMonitor selected applications\r\nSend notification to mobile phone\r\nCut off internet access for any app\r\nHelps connections last longer\r\nCommon Functions:\r\nManager: Files, SMS, Contacts, Calls, Accounts, Apps, Permission\r\nMonitor: screen controls, camera, microphone, keylogger, location, web browser, call recorder, auto-clicker, screen reader\r\nAdmin: Request admin rights, lock screen, wipe data keylogging\r\nTools: Call Number, Download Apk, Show Message, Clipboard, Open Link, Shell Command\r\nExtras: notification list, social media hunter, phone messages.\r\nFigure 24. 
Screenshot from EVLF’s Telegram channel with messages containing Simplified Chinese characters\r\nexplaining the features.\r\nWe suppose that the new buyer is from Asia and that the group targeting Singapore could be potentially\r\nbehind the buy-over.\r\nOn 30 November 2023, an attempt to sell the source code was made by the new owner of the channel:\r\nFigure 25. Screenshot from EVLF’s Telegram channel about selling of Craxs Rat source code\r\nHowever, based on the contact details in the latest posts, the owner had not changed.\r\nSince then there were no updates of Craxs Rat malware in this channel, until April 2024. The latest version of\r\nCraxs Rat published on the Telegram Channel on 7 April 2024 is v7.4. However, the demonstration video stated\r\n18 January 2024 as the date of recording:\r\nFigure 26. Screenshot from EVLF’s Telegram channel about Craxs Rat v7.4\r\nFigure 27. Craxs Rat v7.4 demonstration video on 18 January 2024\r\nNote: The above message has since been deleted from the channel.\r\nSo, since 5 September 2023, the EVLF channel was controlled by a new owner, who is presumably a Chinese\r\nspeaking one.\r\nMaking a reappearance promptly: EVLF’s new Telegram Channel\r\nWhen the original EVLF’s Telegram channel was bought over on 5 September 2023, another Telegram channel\r\nwas created by EVLF on the same day.\r\nFigure 28. New EVLF’s Telegram channel\r\nThe contact information written on the profile was the same Telegram username belonging to the original EVLF.\r\nThe Telegram ID of the channel’s admin matches the ID of the original EVLF account. It is not clear if EVLF’s\r\npersonal Telegram account was also sold along with the channel.\r\nFigure 29. 
New EVLF’s Telegram channel\r\nIn his messages in the new Telegram channel, the actor said that he was the real author of Craxs Rat.\r\nFigure 30. Screenshot from EVLF’s new Telegram channel about him being the real author\r\nVersion 7.4 of Craxs Rat was published in this channel on 18 January 2024, which matches the new date of\r\nrecording.\r\nFigure 31. Screenshot on EVLF’s new Telegram channel about v7.4 published on 18 January 2024\r\nOn 01 March 2024, a new message advertised that v7.5 was ready and would be released soon. The message was\r\nsigned off by “EVLF”. Craxs Rat v7.5 was released on this Telegram channel on 17 April 2024. This latest version\r\nhad not been seen anywhere else at that time. Hence, it is highly likely that this Telegram channel belongs to the\r\noriginal EVLF.\r\nOn 18 May 2024, EVLF said that he decided to stop developing Craxs Rat because of scammers and cracked\r\nversions of Craxs Rat. However, he is working on a web version of Craxs Rat. Once this is completed, we foresee\r\na new wave of this malware emerging.\r\nFigure 34. Screenshot of EVLF’s new Telegram channel about stopping development of Craxs Rat\r\nSo, as of now, the initial channel of EVLF doesn’t provide updated information about Craxs Rat.\r\nSupposedly, it is still developed by the same actor from Syria who published information in the new channel.\r\nKeeping in mind the new security measures from banks, Craxs Rat can still be used by fraudsters for remote\r\ncontrol of an infected device. That is why other types of fraud and manipulations will continue to be used by\r\nfraudsters. Craxs Rat is being sold as a malware-as-a-service and it continues to evolve. 
(Not yet known)\r\nBuyers from different parts of the world will likely cause more damage in the near future.\r\nBest practices for organizations to prevent RAT infections\r\nThese are some best practices we recommend that secure your devices not only against Craxs Rat but also against any other\r\nforms of mobile malware.\r\nStick to trusted App Stores\r\nAlways download mobile applications from authorized sources like Google Play or the official Apple App Store.\r\nThese platforms implement rigorous vetting procedures that significantly reduce the risk of fake app scams. By\r\navoiding third-party sites, you steer clear of applications that could be designed to hijack your device through\r\nmalicious permissions.\r\nBe cautious with digital communications\r\nWhether it’s an unexpected email or a pop-up advertisement, maintain a healthy skepticism toward unsolicited\r\ndigital content. Cybercriminals often use phishing emails and malvertisements to trick users into clicking on\r\nmalicious links or downloading harmful attachments. Always verify the source of any message before engaging\r\nwith it—this simple habit can save you from a lot of trouble.\r\nEducate your team and customers\r\nKnowledge is your best defense. For businesses, especially those in the financial sector, educating customers\r\nabout the dangers of fake apps and phishing scams is crucial. Regular training sessions and awareness campaigns\r\ncan help everyone understand how to identify suspicious behavior. When your team and customers know what red\r\nflags to look for, you create an environment where security is a shared responsibility.\r\nMonitor and control app permissions\r\nIt’s common for fake apps to request excessive permissions, like enabling Accessibility services or granting\r\nremote access to your device. 
These permissions can give cybercriminals complete control over your smartphone.\r\nWork with reliable vendors\r\nGroup-IB’s Fraud Protection utilizes a combination of threat intelligence, signature analysis, behavioral analytics,\r\nand cross-channel analytics to detect threats that traditional anti-fraud systems may miss. With Group-IB’s Fraud\r\nProtection, strengthen your network security by proactively identifying and mitigating threats.\r\nWhen businesses and their customers are being incessantly targeted, simply closing each security gap as it appears\r\nis insufficient. Instead, a comprehensive approach is necessary. Identifying the patterns of RAT activity, complete\r\nscope of the attack, IOCs, and conducting malware forensics is crucial. Detailed cyber investigations into the\r\nactivity can help develop the best combative response against the specific type of attack initiated.\r\nTo learn more about Group-IB’s Cyber Investigations, our solutions or to build holistic cybersecurity defenses\r\nagainst RATs and other threats, contact our experts here.\r\nSource: https://www.group-ib.com/blog/craxs-rat-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.group-ib.com/blog/craxs-rat-malware/"
	],
	"report_names": [
		"craxs-rat-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1777949173,
	"ts_updated_at": 1777949197,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/67d69b965f8e10a3168b61af29413fa36d2fd9ea.pdf",
		"text": "https://archive.orkl.eu/67d69b965f8e10a3168b61af29413fa36d2fd9ea.txt",
		"img": "https://archive.orkl.eu/67d69b965f8e10a3168b61af29413fa36d2fd9ea.jpg"
	}
}