SURXRAT: From ArsinkRAT Roots to LLM Module Downloads Signaling Functionality Expansion
Cyble uncovers SURXRAT's evolution across variants, built on ArsinkRAT code and now downloading large LLM modules, signaling an expansion of its operational capabilities.
Executive Summary
SURXRAT is an actively developed Android Remote Access Trojan (RAT) commercially distributed through a Telegram-based malware-as-a-service (MaaS) ecosystem under the SURXRAT V5 branding.
The malware is marketed using structured reseller and partner licensing tiers, allowing affiliates to generate and distribute customized builds while the operator maintains centralized infrastructure and operational control.
This distribution model reflects the growing professionalization of the Android threat landscape, where malware developers focus on scalability and monetization through affiliate-driven campaigns.
Technical analysis reveals that SURXRAT operates as a full-featured surveillance and device-control platform capable of extensive data exfiltration, real-time remote command execution, and ransomware-style device locking.
The malware abuses accessibility permissions for persistent control and communicates with a Firebase-based command-and-control infrastructure to manage infected devices. Code similarities suggest that it evolved from the ArsinkRAT family.
We have identified the latest samples that conditionally download a large LLM module, indicating experimentation with AI-assisted capabilities, device performance manipulation, and alternative monetization strategies alongside traditional surveillance and extortion activities.
While it may not always be possible to avoid these threats entirely, prompt action can help reduce the impact of compromise. Threat intelligence tools such as Cyble Vision provide users with a real-time view of their digital threat landscape, alerting them to any compromise and enabling them to take corrective action.
Key Takeaways
- SURXRAT is sold openly via Telegram, with reseller and partner licensing tiers, enabling scalable distribution through affiliate operators rather than centralized campaigns.
- Source code references and functional overlap indicate SURXRAT likely evolved from ArsinkRAT, highlighting continued reuse and rapid enhancement of Android RAT frameworks.
- The malware collects sensitive data, including SMS messages, contacts, call logs, device information, location data, and browser activity, enabling credential theft and financial fraud operations.
- Use of Firebase Realtime Database infrastructure allows attackers to blend malicious communications with legitimate cloud traffic, improving reliability and complicating detection.
- SURXRAT conditionally downloads a large LLM module from external repositories, suggesting experimentation with AI-driven functionality, device performance manipulation, or evasion techniques.
- The built-in ransomware-style screen locker enables attackers to deny device access and demand payment, allowing flexible monetization through surveillance, fraud, or extortion.
Overview
Cyble Research and Intelligence Labs (CRIL) identified a new variant of SURXRAT, an actively developed Android Remote Access Trojan (RAT) being openly commercialized through a dedicated Telegram-based distribution ecosystem. Unlike opportunistic commodity malware, SURXRAT is positioned as a subscription-style cybercrime product, indicating an increasing level of professionalization in the Android malware-as-a-service (MaaS) landscape.
The Indonesian threat actor (TA) operates a Telegram channel through which the malware is advertised, regularly updated, and distributed to resellers and partners. The channel was created in late 2024, suggesting that active malware development likely began in early 2025. At the time of analysis, we identified more than 180 related samples, indicating continuous development activity and demonstrating that the threat actor is actively maintaining and evolving the malware.

The structured pricing tiers, operational announcements, and feature updates demonstrate a mature commercialization model similar to underground SaaS platforms, suggesting the operator is targeting aspiring cybercriminals rather than conducting attacks directly.
SURXRAT is advertised under a structured licensing scheme branded as SURXRAT V5, indicating active development and ongoing version iteration by the operator. The threat actor offers two primary purchase tiers within a "Ready Plan" model designed to attract both individual operators and larger resellers.

The Reseller Plan, advertised at a one-time payment of 200k, provides permanent access, allows buyers to generate up to three malware builds per day, includes free server upgrades, and allows users to create and sell SURXRAT builds while adhering to the operator's predefined market pricing.
The Partner Plan, priced at 500k as a permanent license, expands these capabilities by increasing the daily build limit to 10 accounts, maintaining free server upgrades, and granting buyers the ability to establish their own reseller networks, effectively enabling further distribution.
Both tiers emphasize a one-time payment structure ("anti pt pt"), suggesting no recurring subscription fees. This tiered commercialization approach demonstrates the operator's deliberate attempt to scale malware adoption through affiliate-style distribution, decentralizing infection operations while retaining centralized control over infrastructure and ecosystem governance.
The threat actor periodically posts operational statistics to reinforce legitimacy and attract buyers. One such announcement revealed:
- Bot Status: Active
- Total Users: 1,318 registered accounts within the system
- Operational confirmation timestamp: January 2026

While these figures cannot be independently verified, public disclosure of user metrics is a common underground marketing tactic intended to establish credibility and demonstrate adoption among cybercriminal customers. If accurate, the numbers suggest a growing ecosystem of operators leveraging SURXRAT for Android surveillance and financial fraud operations.
SURXRAT V5 provides a comprehensive surveillance and remote-control feature set consistent with modern Android RATs. The functionality indicates a strong emphasis on data harvesting, device monitoring, and full remote manipulation.
Data Collection and Surveillance Features
The malware enables extensive extraction of sensitive user information, including:
- SMS monitoring
- Contact list and call logs
- System information and installed applications
- Gmail account data
- Device location tracking
- Network and connectivity information
- Notification interception
- Clipboard monitoring
- Web browsing history
- Cellular tower intelligence
- WiFi scanning and connection history
- Full file manager access
This level of visibility allows attackers to perform credential harvesting, OTP interception, profiling, and reconnaissance for secondary fraud operations.
Remote Device Control Capabilities
SURXRAT extends beyond passive surveillance by enabling attackers to actively manipulate compromised devices:
- Remote device unlocking
- Triggering phone calls
- Wallpaper modification via remote URL
- Remote audio playback
- Network lag manipulation
- Push notification delivery
- Forced website opening
- Flashlight activation
- Device vibration control
- On-screen text overlays
- Device locking using an attacker-defined PIN
- Full storage wipe functionality
During analysis of the SURXRAT sample, references to ArsinkRAT were found in the source code, suggesting a developmental relationship between the two malware families. In January 2026, Zimperium reported an increase in activity associated with ArsinkRAT campaigns targeting Android devices.
A comparative analysis indicates notable functional and structural similarities between SURXRAT and ArsinkRAT, suggesting that the threat actor likely leveraged the ArsinkRAT source code. Using this foundation, an enhanced variant incorporating additional capabilities and updated features was subsequently developed.

This evolution highlights how existing Android RAT frameworks continue to be repurposed and expanded by threat actors, accelerating malware development cycles and enabling the rapid introduction of new surveillance and control functionality.
During our analysis of the latest SURXRAT variant, we identified a deliberate mechanism to manipulate network lag. The malware initiates the download of a large LLM module (>23GB) hosted on Hugging Face. This approach is highly atypical for a mobile device.
Notably, this download is conditionally triggered when specific gaming applications are active on the victim's device, specifically Free Fire MAX x JUJUTSU KAISEN (com.dts.freefiremax) and Free Fire x JUJUTSU KAISEN (com.dts.freefireth), or when the malware receives other target package names dynamically from the threat actor-controlled server.
This indicates that the download behavior is remotely configurable, allowing operators to initiate the module retrieval based on applications specified through backend commands.

While downloading a model of this size on a mobile device may initially appear impractical, the observed behavior indicates intentional implementation rather than a misconfiguration. The LLM module appears to be under active development and may be leveraged to:
- Deliberately introduce device or network latency during gameplay, potentially supporting paid cheating or disruption services
- Mask malicious background activity by degrading overall device performance, leading users to attribute abnormal behavior to system issues rather than malware
- Enable future AI-driven capabilities, such as automated interactions or adaptive social engineering techniques
The selective and conditional deployment of this module suggests that the threat actor is actively experimenting with AI-based components to enhance monetization strategies, improve evasion techniques, and expand operational capabilities.
Technical Analysis
Upon execution, the malware prompts the victim to grant several high-risk permissions, including access to location services, contacts, SMS messages, and device storage.
Following initial permission approval, the malware displays additional prompts guiding the user to enable Accessibility Services. This commonly abused Android feature allows applications to monitor screen content and perform automated actions. The abuse of accessibility permissions significantly increases attacker control, enabling surveillance and facilitating further malicious operations without continuous user interaction.
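The permission and component pattern described above (broad SMS/contacts/location/storage permissions, a bound accessibility service, and the BOOT_COMPLETED receiver listed later in the ATT&CK mapping) can be screened for statically before an APK ever runs. The following triage routine is an added example written for this article; it is not code from Cyble or from the malware. It parses a decoded AndroidManifest.xml with the standard library and reports which sensitive data categories are requested, which persistence or accessibility components are declared, and a simple additive score. The manifest embedded below is constructed for the demonstration, and the package name, class names and score weights are assumptions, not values taken from a SURXRAT sample.

```python
"""Static triage of an AndroidManifest.xml for the permission/component
pattern the report attributes to SURXRAT (added example, not Cyble's code)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{" + ANDROID_NS + "}"  # ElementTree's Clark notation for android: attributes

# Dangerous runtime permissions matching the data the report says SURXRAT requests.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.SEND_SMS": "sms",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call_log",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.READ_EXTERNAL_STORAGE": "storage",
    "android.permission.RECORD_AUDIO": "audio",
    "android.permission.CAMERA": "camera",
}
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
BOOT_COMPLETED = "android.intent.action.BOOT_COMPLETED"
FOREGROUND_SERVICE = "android.permission.FOREGROUND_SERVICE"


def triage_manifest(manifest_xml: str) -> dict:
    """Return requested data categories, structural findings and a heuristic score."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(A + "name") for el in root.iter("uses-permission")}
    categories = sorted({cat for perm, cat in SENSITIVE_PERMISSIONS.items()
                         if perm in requested})
    findings = []

    # Accessibility abuse (report: screen reading + automated actions): a <service>
    # protected by BIND_ACCESSIBILITY_SERVICE is an accessibility service.
    for svc in root.iter("service"):
        if svc.get(A + "permission") == BIND_ACCESSIBILITY:
            findings.append("accessibility_service:" + svc.get(A + "name", "?"))

    # Persistence (ATT&CK T1624.001 in the report): a receiver for BOOT_COMPLETED.
    for rcv in root.iter("receiver"):
        actions = {act.get(A + "name") for act in rcv.iter("action")}
        if BOOT_COMPLETED in actions:
            findings.append("boot_receiver:" + rcv.get(A + "name", "?"))

    # Foreground persistence (T1541): the foreground-service permission is declared.
    if FOREGROUND_SERVICE in requested:
        findings.append("foreground_service_permission")

    # Assumed weights: one point per data category, two per structural finding.
    score = len(categories) + 2 * len(findings)
    return {"categories": categories, "findings": findings, "score": score}


# Constructed manifest for the demonstration; names are placeholders, not IoCs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.sample">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Sample">
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    print("categories:", ", ".join(result["categories"]))
    for finding in result["findings"]:
        print("finding:", finding)
    print("score:", result["score"])
```

The score is only a sorting aid for an analyst queue: a legitimate accessibility app will also declare a bound accessibility service, so the signal is the combination of that service with boot persistence and broad SMS/contacts/location access, not any single line of the manifest.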

After acquiring the required permissions, SURXRAT establishes communication with a backend infrastructure hosted on a Firebase Realtime Database:
hxxps://xrat-sisuriya-default-rtdb.firebaseio[.]com
The malware connects using a database reference labeled "arsinkRAT," further reinforcing the developmental linkage between SURXRAT and the previously observed ArsinkRAT malware family.
Once connectivity is established, the malware performs device registration by generating a random UUID, which serves as a unique identifier for tracking infected devices. Following registration, SURXRAT immediately begins exfiltrating sensitive information to the Firebase backend.

The malware collects and transmits a wide range of victim data, enabling comprehensive device profiling. Exfiltrated information includes:
- Contact lists
- SMS messages
- Call logs
- Device brand and model
- Android OS version
- Battery level and status
- SIM card details
- Network information
- Public IP address
This dataset allows attackers to uniquely identify victims, monitor communications, and prepare follow-on fraud or surveillance activities such as OTP interception and account takeover.
After successful device registration, SURXRAT launches a persistent background service that maintains continuous communication with the Firebase command-and-control (C&C) infrastructure and receives commands. The malware initializes several internal manager classes that handle surveillance, device control, and data collection.

The infected device periodically sends status updates to the backend while concurrently polling for incoming commands issued by the operator. This near real-time synchronization enables attackers to execute actions on compromised devices remotely with minimal delay.
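Two network behaviours in this report are observable from the device or egress side: the tight command-polling loop against a Firebase Realtime Database project with the "arsinkRAT" reference name described above, and the conditional multi-gigabyte LLM module download from Hugging Face described in the previous section. The detection logic below is an added example written for this article, not Cyble's tooling or code from the malware. It runs over a constructed per-app request log (one line per request with package name, host, path and byte count, a format assumed here for the example) and raises three alert kinds: an IoC match on the database reference name, high-frequency polling to any `*.firebaseio.com` host, and a cumulative download volume from a model-hosting domain above a threshold. The assumption that the reference name appears as the first path segment follows the Firebase RTDB REST URL layout (`/<reference>/...json`); a client using the SDK's websocket transport would need inspection at a different layer. The thresholds, package names, timestamps and the repository path are constructed for the demonstration.

```python
"""Detection over constructed per-app egress log lines for the Firebase C2
polling and large model download the report describes (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed log format: "<ISO-8601 ts> pkg=<app> host=<host> path=<path> bytes=<n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) pkg=(?P<pkg>\S+) host=(?P<host>\S+) path=(?P<path>\S+) bytes=(?P<bytes>\d+)$"
)

RTDB_SUFFIX = ".firebaseio.com"      # Firebase Realtime Database hosts
C2_REFERENCE = "arsinkRAT"           # database reference name quoted in the report
MODEL_HOSTS = {"huggingface.co"}     # the report names Hugging Face as the LLM host
POLL_WINDOW_S = 60                   # constructed thresholds for the polling heuristic
POLL_THRESHOLD = 10
LARGE_DOWNLOAD_BYTES = 1 << 30       # 1 GiB; the report's module is >23 GB


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
    event["bytes"] = int(event["bytes"])
    return event


def rtdb_reference(path: str) -> str:
    """First path segment of an RTDB REST URL, with a trailing .json removed."""
    segment = path.strip("/").split("/")[0]
    return segment[:-5] if segment.endswith(".json") else segment


def detect(lines):
    """Return sorted, de-duplicated (alert_kind, package, host) tuples."""
    events = [e for e in map(parse_line, lines) if e]
    alerts = set()
    stamps_by_pair = defaultdict(list)
    bytes_by_pair = defaultdict(int)

    for e in events:
        pair = (e["pkg"], e["host"])
        stamps_by_pair[pair].append(e["ts"])
        bytes_by_pair[pair] += e["bytes"]
        # IoC match: the report's reference name on any RTDB host.
        if e["host"].endswith(RTDB_SUFFIX) and rtdb_reference(e["path"]) == C2_REFERENCE:
            alerts.add(("ioc_rtdb_reference", e["pkg"], e["host"]))

    for (pkg, host), stamps in stamps_by_pair.items():
        if host.endswith(RTDB_SUFFIX):
            # Sliding window: any POLL_WINDOW_S span holding >= POLL_THRESHOLD requests
            # is the kind of tight command polling the report describes.
            stamps.sort()
            start = 0
            for end in range(len(stamps)):
                while (stamps[end] - stamps[start]).total_seconds() > POLL_WINDOW_S:
                    start += 1
                if end - start + 1 >= POLL_THRESHOLD:
                    alerts.add(("rtdb_polling", pkg, host))
                    break
        if host in MODEL_HOSTS and bytes_by_pair[(pkg, host)] >= LARGE_DOWNLOAD_BYTES:
            alerts.add(("large_model_download", pkg, host))

    return sorted(alerts)


# Constructed sample log: package names, timestamps and repository path are placeholders.
SAMPLE_LOG = [
    # twelve command polls in one minute to the RTDB host quoted in the report
    f"2026-01-15T10:00:{s:02d}Z pkg=com.example.constructed "
    "host=xrat-sisuriya-default-rtdb.firebaseio.com path=/arsinkRAT/commands/0000-uuid.json bytes=256"
    for s in range(0, 60, 5)
] + [
    # a benign app using its own RTDB project twice in five minutes: no alert
    "2026-01-15T10:00:03Z pkg=com.example.notes host=notes-demo-default-rtdb.firebaseio.com path=/users/me.json bytes=1024",
    "2026-01-15T10:05:00Z pkg=com.example.notes host=notes-demo-default-rtdb.firebaseio.com path=/users/me.json bytes=1024",
    # two 700 MB chunks of a model file from Hugging Face (placeholder repository path)
    "2026-01-15T10:02:00Z pkg=com.example.constructed host=huggingface.co path=/example-org/example-model/resolve/main/model.gguf bytes=700000000",
    "2026-01-15T10:03:00Z pkg=com.example.constructed host=huggingface.co path=/example-org/example-model/resolve/main/model.gguf bytes=700000000",
]

if __name__ == "__main__":
    for kind, pkg, host in detect(SAMPLE_LOG):
        print(f"{kind}: {pkg} -> {host}")
```

The polling heuristic is deliberately independent of the IoC match: the project hostname and reference name will change between builds sold to different affiliates, whereas a non-messaging app that hits a Realtime Database endpoint every few seconds is a durable behavioural signal that still needs an allow-list for apps that legitimately use Firebase.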
Analysis of command handlers revealed several instructions received from the Firebase backend that allow attackers to perform surveillance and active device manipulation:
| Spy Commands | Description |
| --- | --- |
| accounts | Collects Google account information associated with the device |
| apps_list | Retrieves the list of installed applications |
| device_info | Collects detailed device metadata |
| audio_record | Records audio |
| file_list | Enumerates files and extracts metadata |
| flashlight | Remotely controls the device flashlight |
| camera_photo | Captures photos using the device camera |
| contacts | Collects contacts |
| call_log | Collects call log |
| sms_read | Collects SMSs |
| Sms_send | Sends SMSs from the infected device |
| tts | Executes text to speech |
| call | Makes a call from the infected device |
| toast | Displays a toast message |
| vibrate | Remotely vibrates the device |
| file_delete | Deletes file |
| location | Collects the victim's location |
| file_upload | Sends file to the server |

| RAT Commands | Description |
| --- | --- |
| access | Collects clipboard data |
| unlock | Removes locks |
| app | Syncs app list |
| Cal | Dials calls |
| fla | Handles flashlight |
| for | Wipes data |
| Mus | Plays music |
| Not | Sends a system update notification |
| url | Opens URL |
| vib | Vibrates device |
| voi | Executes text-to-speech |
| wal | Changes wallpapers |
| Brow | Collects browser history |
| Cell | Collects the device's cell data |
| Lock | Executes the Screen Locker feature |
| wifih | Collects Wi-Fi history |
| wifis | Executes text-to-speech |
The figure below shows the admin panel image shared on the threat actor's Telegram account, highlighting the various actions and controls available through SURXRAT.

Screen Locker Activity
The SURXRAT sample also contains a ransomware-style screen locker module that allows a remote attacker to seize control of the victim's device and temporarily deny access to it. When activated, the malware forces the device to display a persistent full-screen lock message that the user cannot easily dismiss. The attacker can remotely customize both the displayed message and the unlock PIN, enabling them to demand a ransom payment directly from the victim.

The malware continuously reports user interactions back to the attacker's server. Each incorrect PIN entry is transmitted to the backend, allowing the operator to monitor victim behavior and response attempts in real time. The lock screen can also be remotely removed by the attacker, giving them full control over when the device becomes usable again. Overall, this functionality appears intended to coerce victims through disruption and intimidation, ultimately facilitating ransom-based monetization.

The integration of ransomware-style locking into a surveillance RAT indicates hybrid monetization, allowing operators to switch between espionage, fraud, and direct extortion based on the value of the victim.
Conclusion
SURXRAT represents a notable evolution in Android malware, combining MaaS-style commercialization, cloud-based command infrastructure, and modular capabilities into a single adaptable threat platform. The malware's extensive surveillance features, real-time remote control capabilities, and ransomware-style device locking demonstrate a shift toward multi-functional mobile threats designed for flexible monetization.
The observed experimentation with large AI model integration further indicates that threat actors are actively exploring emerging technologies to enhance operational effectiveness and evade detection. As Android malware ecosystems continue to mature, threats like SURXRAT highlight the growing accessibility of advanced mobile attack capabilities to a broader cybercriminal audience, reinforcing the need for improved mobile threat visibility, behavioral detection, and user awareness.
Prevention is ideal, but it isn't always an option. Threat Intelligence platforms such as Cyble Vision provide users with insight into their digital risk profile and can notify them of any breaches or unauthorized access, enabling them to take rapid corrective action.
Our Recommendations
We have listed some essential cybersecurity best practices that serve as the first line of defense against attackers. We recommend that our readers follow the best practices given below:
- Install Apps Only from Trusted Sources: Download apps exclusively from official platforms, such as the Google Play Store. Avoid third-party app stores or links received via SMS, social media, or email.
- Be Cautious with Permissions and Installs: Never grant permissions and install an application unless you are certain of the app's legitimacy.
- Watch for Phishing Pages: Always verify the URL and avoid suspicious links and websites that ask for sensitive information.
- Enable Multi-Factor Authentication (MFA): Use MFA for banking and financial apps to add an extra layer of security, even if credentials are compromised.
- Report Suspicious Activity: If you suspect you have been targeted or infected, report the incident to your bank and local authorities immediately. If necessary, reset your credentials and perform a factory reset.
- Use Mobile Security Solutions: Install a mobile security application that includes real-time scanning.
- Keep Your Device Updated: Ensure your Android OS and apps are updated regularly. Security patches often address vulnerabilities exploited by malware.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Procedure |
| --- | --- | --- |
| Persistence (TA0028) | Event Triggered Execution: Broadcast Receivers (T1624.001) | SURXRAT registers the BOOT_COMPLETED broadcast receiver to activate the screen locker activity |
| Persistence (TA0028) | Foreground Persistence (T1541) | SURXRAT uses foreground services by showing a notification |
| Defense Evasion (TA0030) | Impair Defenses: Prevent Application Removal (T1629.001) | Prevents uninstallation |
| Defense Evasion (TA0030) | Obfuscated Files or Information (T1406) | SURXRAT uses Base64 encoding to encode the stolen files and send them to the Telegram Bot |
| Credential Access (TA0031) | Access Notifications (T1517) | SURXRAT collects device notifications |
| Discovery (TA0032) | Software Discovery (T1418) | SURXRAT collects the installed application list |
| Discovery (TA0032) | System Information Discovery (T1426) | SURXRAT collects the device information |
| Discovery (TA0032) | System Network Connections Discovery (T1421) | SURXRAT collects cell and Wi-Fi information |
| Discovery (TA0032) | File and Directory Discovery (T1420) | SURXRAT enumerates external storage |
| Credential Access (TA0031) | Clipboard Data (T1414) | SURXRAT collects clipboard data |
| Collection (TA0035) | Audio Capture (T1429) | SURXRAT can capture audio |
| Collection (TA0035) | Data from Local System (T1533) | SURXRAT collects files from external storage |
| Collection (TA0035) | Location Tracking (T1430) | SURXRAT can collect location |
| Collection (TA0035) | Protected User Data: Call Log (T1636.002) | SURXRAT collects call log |
| Collection (TA0035) | Protected User Data: Contact List (T1636.003) | Collects contact data |
| Collection (TA0035) | Protected User Data: SMS Messages (T1636.004) | Collects SMS data |
| Collection (TA0035) | Protected User Data: Accounts (T1636.005) | SURXRAT collects Gmail account data |
| Collection (TA0035) | Video Capture (T1512) | SURXRAT captures photos using the device camera |
| Command and Control (TA0037) | Application Layer Protocol: Web Protocols (T1437.001) | Malware uses the HTTPS protocol |
| Exfiltration (TA0036) | Exfiltration Over C2 Channel (T1646) | SURXRAT sends collected data to the C&C server |
| Impact (TA0034) | SMS Control (T1582) | SURXRAT can send SMSs from the infected device |
| Impact (TA0034) | Call Control (T1616) | SURXRAT can make calls |
| Impact (TA0034) | Data Destruction (T1662) | Wipes external storage |
Indicators of Compromise (IOCs)
The IOCs have been added to this GitHub repository. Please review and integrate them into your Threat Intelligence feed to enhance protection and improve your overall security posture.

