CypherRAT is a highly invasive Android Remote Access Trojan (RAT) developed and commercialized by the Syrian threat actor known as EVLF DEV. Operating under a Malware-as-a-Service (MaaS) model, CypherRAT, alongside its sister variant CraxsRAT, fundamentally shifted the mobile threat landscape by offering low-cost, real-time espionage infrastructure to dozens of concurrent cybercriminals.

Before understanding the technical intricacies of CypherRAT, it is essential to look at its creator. Cybersecurity researchers from CYFIRMA unmasked the real-world identity and operations of EVLF.

Attribution and Discovery

The anonymity of EVLF DEV collapsed following an extensive intelligence operation by the cybersecurity research firm CYFIRMA, published under the title "EVLF DEV - The Creator of CypherRAT and CraxsRAT". While broadcasting video tutorials for their software, the developer inadvertently switched tabs, exposing a personal email inbox. This operational security failure revealed payment preferences, linked IP addresses, and information associated with the name . Following the discovery, researchers successfully tracked and froze the developer's primary cryptocurrency wallets.

The detailed investigation pierced the developer's anonymity by tracing EVLF DEV's infrastructure, forum footprints, and a poorly secured video tutorial in which the developer accidentally exposed personal email addresses. Key discoveries regarding the operator include:

The unmasking prompted an immediate reaction. On August 23, 2023, EVLF posted a farewell message on their Telegram channel, likely in response to the public disclosure. "Unfortunately this is the end, due to life circumstances I will stop developing and posting," the message read. "For my customers don't worry, I will not let you and go, I will release a couple of patches for you before I go."

Capabilities

Once a device is infected, CypherRAT grants the attacker near-total control. The malware provides extensive features that allow attackers to bypass security and maintain persistence. Key features include:

Surveillance: remote access to the device's microphone (audio recording) and GPS location.
Data theft: SMS messages and files from local storage.
Financial hijacking: a specialized clipboard hijacker.

Stealth Mechanics: Bypassing Security Defenses

The malware's builder allows for high customization, letting attackers choose the app's icon, name, and permissions to create highly convincing and obfuscated versions that can bypass initial detection. It also includes "Super Mod" features that crash the uninstallation page if a user attempts to remove the app.