Cypher Rat Evlf

Identified by researchers as Mohammed Naser Alfirtosy. Origin: Based in Syria for over 8 years.

Cypher RAT EVLF is a sophisticated RAT that employs advanced techniques to evade detection. Our proposed approach combines machine learning and behavioral analysis to detect and mitigate this threat. The results show that our approach is effective in detecting Cypher RAT EVLF and can be used to improve the security of computer systems.

Exfiltrating contacts, messages, call logs, and device storage.

The threat actor actively developed and maintained mobile malware platforms for nearly a decade.

Cypher Rat is an Android-based Remote Access Trojan (RAT) that has been active in the wild since approximately 2021. It is notable for its focus on accessibility services abuse to perform on-device fraud and surveillance without root privileges.

Future research directions include:

“Cypher Rat Evlf” as of late 2026 remains an empty signifier. It is not a virus, a game, a book, or a person. It could become one tomorrow: a developer might give that name to an open-source tool, or an artist could adopt it as a moniker. Until then, treat it as linguistic noise. If you are the author of this term, consider leaving a digital trace (a Pastebin, a GitHub Gist, a Reddit post) to ground its meaning. Without a trail, even the most intriguing cypher is just a rat lost in the machine.

Cypher RAT EVLF is a .NET-based RAT that uses a combination of anti-debugging and evasion techniques to evade detection by traditional security software. It communicates with its Command and Control (C2) server using HTTP and HTTPS protocols, making it challenging to detect using traditional network-based intrusion detection systems.

It effortlessly extracts personal file storage, precise GPS locations, full contact lists, call logs, and SMS messages.

The malware can steal contacts, read and delete SMS messages, and access call logs and external storage.

According to research from firms like CYFIRMA and ThreatFabric, the malware uses several advanced techniques to remain hidden:

Unauthorized monitoring of location and activity.