In a significant breakthrough, cybersecurity firm Cyfirma has unveiled the true identity of the developer responsible for crafting the notorious CypherRAT and CraxsRAT remote access trojans (RATs). Operating under the alias ‘EVLF DEV’ for the past eight years in Syria, this individual has not only amassed over $75,000 from selling these malicious RATs to various threat actors but also operated as a malware-as-a-service (MaaS) provider.
Notably, EVLF has been distributing CraxsRAT, a highly dangerous Android RAT, through a surface web store for the last three years, with more than 100 licenses sold. Cyfirma’s investigation has unearthed intriguing insights into the RATs’ construction and distribution, revealing a sophisticated scheme that includes obfuscation techniques, permissions manipulation, and even a ‘super mod’ feature to evade removal.
Furthermore, Cyfirma’s pursuit of EVLF’s trail led to the discovery of a Telegram channel boasting over 10,000 subscribers, shedding light on the scope of their operation. A crypto wallet associated with the RAT developer uncovered a financial trail spanning three years, prompting Cyfirma to approach the cryptocurrency wallet company for asset freezing pending identity verification.
Despite this, EVLF’s activity continued, leading to the exposure of more information on their real name, usernames, IP address, and email address through a crypto discussion forum. As a result, Cyfirma’s meticulous investigation concludes with high confidence that the mastermind behind these malware operations hails from Syria, offering a glimpse into the world of cybercrime and RAT propagation.
