SURXRAT Malware Evolution: ArsinkRAT Roots to LLM Module Download Capability Expansion
SURXRAT, an Android Remote Access Trojan (RAT), is rapidly evolving from its ArsinkRAT origins into a significantly more sophisticated threat.
Recent analysis reveals that this malware, distributed via a Telegram-based malware-as-a-service (MaaS) model, now includes conditional downloads of massive large language model (LLM) modules, over 23 GB in size, from external repositories such as Hugging Face.
This points to experimental expansions in AI-driven capabilities, potentially for performance sabotage, evasion, or novel attack vectors.
SURXRAT operates as a full-featured surveillance and control platform. It abuses Android’s Accessibility Services to obtain persistent access, enabling it to monitor screens, simulate inputs, and execute commands without ongoing user approval.
Once installed, it registers the device with a Firebase Realtime Database C2 server (e.g., hxxps://xrat-sisuriya-default-rtdb.firebaseio[.]com) using a generated UUID.
This setup blends malicious traffic with legitimate cloud services, evading basic network filters. The database reference “arsinkRAT” directly ties it to the earlier ArsinkRAT family, with shared code strings, structures, and functions confirming evolutionary reuse. Attackers forked and enhanced the base for faster iteration.
Core capabilities center on data exfiltration and remote manipulation. SURXRAT harvests SMS, contacts, call logs, Gmail data, location, browser history, clipboard contents, and even cellular tower/WiFi details.
SURXRAT Spy Commands
It runs persistent background services for real-time polling of operator commands, enabling near-instant responses.
| Spy Commands | Description |
|---|---|
| accounts | Extracts Google account details |
| apps_list | Lists installed apps |
| device_info | Gathers hardware/OS metadata |
| audio_record | Captures microphone audio |
| contacts | Pulls contact lists |
| sms_read | Reads all SMS |
| location | Tracks GPS position |
SURXRAT RAT Commands
| RAT Commands | Description |
|---|---|
| access | Monitors clipboard |
| unlock | Bypasses device locks |
| call | Dials numbers remotely |
| Lock | Activates screen locker |
| file_delete | Wipes storage |
| wal | Changes wallpaper via URL |
| Brow | Steals browser history |
A standout feature is the ransomware-style screen locker. Triggered remotely, it overlays a full-screen PIN prompt with customizable ransom messages.
Failed attempts are logged back to the C2, letting operators track victim frustration in real time before unlocking, hybridizing espionage with extortion.
The latest development, reported by Cyble, is conditional LLM downloads. When specific apps such as Free Fire MAX (com.dts.freefiremax) or Free Fire (com.dts.freefireth) are running, or when a target set dynamically by the C2 matches, SURXRAT fetches enormous LLM files.
This isn’t accidental; it’s deliberate, remotely configurable, and targets gaming sessions. Possible goals include injecting latency to disrupt play (e.g., for cheat services), masking RAT activity amid performance woes, or prepping AI for automated phishing/social engineering.
On resource-strapped mobiles, such downloads could cripple devices, forcing resets that aid persistence. This evolution underscores Android RAT maturation.
Firebase C2 ensures reliability, while MaaS tiers (reseller limits at 3 builds/day, partner at 10) scale distribution without central ops. Over 180 samples since late 2024 show active iteration, with January 2026 stats boasting 1,318 bots.
Defenders should prioritize behavioral detection: watch for Accessibility abuse, anomalous Firebase traffic, and gaming app-triggered downloads.
Tools scanning for UUID registrations or command polling can flag infections early. As SURXRAT blends RAT stealth, ransomware muscle, and AI experimentation, it signals a broader trend of mobile threats leveraging cloud infra and emerging tech for multifaceted attacks.
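As an added example that is not part of the report or of Cyble's analysis, the three behavioural checks above (unexpected Firebase RTDB traffic, command polling, and a large model download shortly after a targeted game comes to the foreground) run over a constructed telemetry sample; the RTDB host and package names are the ones named here, while the event format, thresholds and Hugging Face path are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample telemetry: "<ISO timestamp> <kind> <detail> [bytes]". Not a real capture;
# the firebaseio.com host is the one named in the article, everything else is placeholder.
SAMPLE_EVENTS = """\
2026-01-10T20:00:01 foreground com.dts.freefiremax
2026-01-10T20:00:05 net https://xrat-sisuriya-default-rtdb.firebaseio.com/devices/3f1a.json 512
2026-01-10T20:00:10 net https://xrat-sisuriya-default-rtdb.firebaseio.com/devices/3f1a.json 512
2026-01-10T20:00:15 net https://xrat-sisuriya-default-rtdb.firebaseio.com/devices/3f1a.json 512
2026-01-10T20:01:00 net https://huggingface.co/placeholder-org/placeholder-model/resolve/main/model.safetensors 4800000000
2026-01-10T20:30:00 foreground com.example.notes
2026-01-10T20:30:05 net https://cdn.example.com/update.zip 900000000
"""

GAMING_TRIGGERS = {"com.dts.freefiremax", "com.dts.freefireth"}  # packages named in the report
MODEL_HOSTS = {"huggingface.co"}                                   # LLM repository hosts (assumed list)
POLL_WINDOW, POLL_MIN = timedelta(seconds=60), 3                   # >=3 RTDB hits in 60 s (assumed)
TRIGGER_WINDOW, BIG_DOWNLOAD = timedelta(minutes=5), 1 << 30       # 1 GiB within 5 min of a trigger

def parse(text):
    """Yield (timestamp, kind, detail, size) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        size = int(parts[3]) if len(parts) > 3 else 0
        yield datetime.fromisoformat(parts[0]), parts[1], parts[2], size

def detect(text, allowed_rtdb_hosts=frozenset()):
    """Return (rule, detail) findings; allowed_rtdb_hosts lists RTDB projects legitimate apps use."""
    findings, rtdb_hits, polled, last_game = [], defaultdict(list), set(), None
    for ts, kind, detail, size in parse(text):
        if kind == "foreground":
            last_game = ts if detail in GAMING_TRIGGERS else None  # reset when another app takes over
            continue
        host = urlparse(detail).hostname or ""
        if host.endswith(".firebaseio.com") and host not in allowed_rtdb_hosts:
            if not rtdb_hits[host]:
                findings.append(("unexpected_firebase_rtdb", host))
            rtdb_hits[host].append(ts)
            recent = [t for t in rtdb_hits[host] if ts - t <= POLL_WINDOW]
            if len(recent) >= POLL_MIN and host not in polled:  # tight loop = command polling
                polled.add(host)
                findings.append(("c2_polling", host))
        if host in MODEL_HOSTS and size >= BIG_DOWNLOAD and last_game and ts - last_game <= TRIGGER_WINDOW:
            findings.append(("gaming_triggered_llm_download", f"{host} {size} bytes"))
    return findings
```

Allow-listing the RTDB projects of legitimately installed apps keeps the first two rules from firing on ordinary Firebase-backed software, while the download rule still triggers on its own.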
Site: cybersecuritypath.com