[EVLF DEV Ecosystem Timeline] Cypher Rat (Early Foundation) ──> Web Store Launch (2022) ──> CraxsRAT Evolution ──> Takedown/Retirement (2023)
Beginning in at least September 2022, EVLF managed a surface web store and a Telegram channel called "EvLF Devz" to market cyber weapons.
Following this public exposure and the subsequent freezing of associated digital assets, EVLF posted a final announcement to their primary Telegram channel stating they would cease active development and support for the tools due to personal circumstances. However, because dozens of active and cracked versions of the Cypher RAT and CraxsRAT source code remain publicly archived on community code repositories, the variants continue to be heavily deployed by independent global cybercriminals.
Every stroke on the virtual keyboard is logged and transmitted back to the command-and-control (C2) server. This allows attackers to harvest mobile banking logins, social media passwords, and private corporate credentials as the user types them.
3. Total Data Exfiltration
The malware can stream the device's screen and activate both the front and back cameras in real-time.
Cypher Rat Evlf is a refined, full-featured Android RAT designed to provide threat actors with total control over a compromised device. It is often distributed via targeted phishing campaigns and malicious in-app advertisements, and disguised as legitimate apps on third-party marketplaces.
Without additional context, “Cypher Rat Evlf” is likely:
A detailed investigation by cybersecurity firm CYFIRMA successfully pierced this anonymity. Threat intelligence researchers traced EVLF DEV's infrastructure, forum footprints, and a poorly secured video tutorial where the developer accidentally exposed personal email addresses. Key discoveries regarding the operator include:
Identified by researchers as Mohammed Naser Alfirtosy.
Origin: Based in Syria for over 8 years.
To defend against threats like CypherRAT, security firms like Cyfirma and Group-IB suggest: