Unveiling SURXRAT: The Rise of a Trojan-Enhanced Android Malware


Understanding SURXRAT: The New Android Remote Access Trojan

Overview of SURXRAT

SURXRAT is a full-featured Android Remote Access Trojan (RAT) sold under the label "SURXRAT V5." It is run as a Telegram-based malware-as-a-service (MaaS) operation: affiliates generate their own customised builds, while the primary operator keeps control of the backend infrastructure those builds report to.

Rise of the Malware

Cyble Research and Intelligence Labs (CRIL) has identified more than 180 unique SURXRAT samples. The Telegram channel promoting the malware surfaced in late 2024, and its development is believed to have started in early 2025. The operator, suspected to be Indonesian, uses the channel mainly to post feature announcements and operational metrics aimed at recruiting resellers and partners, rather than to run attacks directly.

What Is SURXRAT?

SURXRAT is sold commercially under a "Ready Plan" model with two licensing tiers.

Licensing Tiers Explained

  1. Reseller Plan: a one-time fee of 200,000 (the currency is not given) buys permanent access, up to three builds per day, free server updates, and the right to resell SURXRAT builds at the operator's set prices.

  2. Partner Plan: priced at 500,000, this tier raises the limit to ten builds per day, keeps the server updates, and lets the buyer run their own reseller network. Both tiers are one-time payments with no recurring subscription fee.

Growth and Credibility

In January 2026 the channel's Telegram bot reported an "Active" status and claimed 1,318 registered accounts. Such figures cannot be independently verified, but underground sellers routinely publish them as social proof to build trust with prospective buyers.

Technical Foundations

SURXRAT's code shows a direct lineage from ArsinkRAT: references to ArsinkRAT remain in the source, and the two share much of their structure. ArsinkRAT campaigns against Android devices were themselves observed increasing in early 2026.

Evolution of Malware Code

The functional overlap shows that SURXRAT has not simply reused the ArsinkRAT codebase but extended it, which shortened its development time while adding new capabilities. Established RAT frameworks such as ArsinkRAT continue to seed new families like SURXRAT.

Unique Capabilities: Conditional LLM Module Downloads

One of the more unusual features of recent SURXRAT samples is a routine that conditionally downloads a large language model (LLM) module, more than 23 GB in size, from Hugging Face repositories. The download is not unconditional: it is gated on specific gaming applications being in use, which points to deliberate design rather than an accident.

Trigger Mechanisms and Uses

The download is triggered when certain games are in use, including Free Fire MAX x JUJUTSU KAISEN; the attacker-controlled backend can also change the trigger conditions at runtime. Researchers believe the module may serve several experimental purposes:

  • Disruption: the download and its load on the device may introduce latency during gameplay, which could be offered as a cheating service.
  • Concealment: the resulting performance degradation leads victims to blame the device rather than suspect SURXRAT.
  • Future integrations: shipping a model at all hints at planned AI-assisted automation and evasion in later versions.
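A network-side check for the behaviour described above, written as an added example (this is not Cyble's detection logic or anything taken from SURXRAT): aggregate per-app bytes received from Hugging Face hosts out of an egress proxy or VPN log and alert on any app that is not a known AI application yet pulls more than a gigabyte. The log format (timestamp, package name, destination host, bytes received), the package names and the log lines are all constructed for illustration.

```python
"""Flag Android apps that pull multi-gigabyte payloads from Hugging Face without
being a known AI application. Added example; the log format and sample lines
are constructed, and the package names are hypothetical."""
from collections import defaultdict

# Hostnames that serve model files; large repository files are delivered from
# cdn-lfs.huggingface.co, so the match is on the domain suffix, not the exact host.
MODEL_HOST_SUFFIXES = ("huggingface.co",)

# Apps expected to fetch models. Hypothetical name; populate from your own inventory.
KNOWN_AI_APPS = {"com.example.chatassistant"}

# Anything above this from a non-AI app is worth a ticket; SURXRAT's module is >23 GB.
ALERT_THRESHOLD_BYTES = 1 << 30  # 1 GiB


def _is_model_host(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in MODEL_HOST_SUFFIXES)


def detect_model_downloads(log_text: str,
                           threshold: int = ALERT_THRESHOLD_BYTES) -> list[tuple[str, int]]:
    """Return (package, total_bytes) for non-allowlisted apps over the threshold."""
    totals: dict[str, int] = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the pipeline
        _timestamp, package, host, nbytes = parts
        if _is_model_host(host) and package not in KNOWN_AI_APPS:
            totals[package] += int(nbytes)
    return sorted((pkg, n) for pkg, n in totals.items() if n >= threshold)


# Constructed log: a game-themed package (hypothetical) pulling ~24 GB of model
# data, and a legitimate assistant app pulling 2 GiB. The Firebase host is a
# placeholder, not a real SURXRAT C2 address.
SAMPLE_PROXY_LOG = """\
2026-01-12T09:14:02Z com.example.fakegame huggingface.co 4831838208
2026-01-12T09:14:02Z com.example.fakegame cdn-lfs.huggingface.co 19327352832
2026-01-12T09:20:11Z com.example.chatassistant huggingface.co 2147483648
2026-01-12T09:21:40Z com.example.fakegame example-project-default-rtdb.firebaseio.com 5120
"""

if __name__ == "__main__":
    for package, total in detect_model_downloads(SAMPLE_PROXY_LOG):
        print(f"{package}: {total / (1 << 30):.1f} GiB from model hosts")
```

The allowlist matters more than the threshold: Hugging Face traffic is normal for genuine assistant apps, so the signal is a game or utility package downloading model files, not the download itself.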

Continuous Surveillance and Control

Beyond the LLM feature, SURXRAT is a full surveillance tool. On installation it prompts the victim for high-risk permissions covering location, contacts and SMS, and pushes the user to enable it as an Android Accessibility Service, a commonly abused feature that lets malware observe and act on whatever is on screen.

Data Exfiltration and Command Execution

Once it has the permissions, SURXRAT connects to a Firebase Realtime Database named "arsinkRAT," another tie to its predecessor. It collects SMS logs, call history and Wi-Fi history, data that can feed credential harvesting or financial fraud.

A persistent background service keeps the connection to the command-and-control backend open so operators can issue commands in real time, including recording audio, capturing images, sending SMS and placing phone calls from the device.
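The permission cluster, Accessibility Service declaration, persistent service and backend hosts described in the two sections above are all visible statically once an APK has been decoded (for example with apktool). The script below is an added triage example, not Cyble's tooling or SURXRAT's own code: it parses a decoded AndroidManifest.xml, flags the risky permissions and any service bound with BIND_ACCESSIBILITY_SERVICE, and scans extracted strings for Firebase Realtime Database and Hugging Face URLs. The manifest, package name and URLs are constructed for illustration and are not real SURXRAT artefacts.

```python
"""Static triage of a decoded AndroidManifest.xml and extracted strings for RAT
indicators: high-risk permissions, an Accessibility Service declaration, and
backend hosts. Added example; the manifest and strings below are constructed."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = f"{{{ANDROID_NS}}}name"
ATTR_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Permissions that, requested together by one app, fit a surveillance RAT.
HIGH_RISK_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.CALL_PHONE",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.SYSTEM_ALERT_WINDOW",   # full-screen overlay, e.g. a screen locker
    "android.permission.FOREGROUND_SERVICE",    # keeps the C2 service alive
}

# Hosts worth surfacing from strings.xml / smali output. Firebase and Hugging Face
# are legitimate services, so a hit is a lead for the analyst, not a verdict.
HOST_PATTERNS = [
    re.compile(r"https?://[\w.-]*\.firebaseio\.com[\w/.-]*"),
    re.compile(r"https?://huggingface\.co/[\w/.-]+"),
]


def _qualify(name: str, package: str) -> str:
    """Expand the manifest shorthand ".Foo" into "com.pkg.Foo"."""
    return package + name if name.startswith(".") else name


def triage_manifest(manifest_xml: str) -> dict:
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    requested = {el.get(ATTR_NAME) for el in root.iter("uses-permission")}
    risky = sorted(requested & HIGH_RISK_PERMISSIONS)
    accessibility = [
        _qualify(svc.get(ATTR_NAME, ""), package)
        for svc in root.iter("service")
        if svc.get(ATTR_PERMISSION) == "android.permission.BIND_ACCESSIBILITY_SERVICE"
    ]
    # Heuristic: accessibility access plus a cluster of RAT permissions is the
    # combination the text describes; either alone is common in benign apps.
    likely_rat = bool(accessibility) and len(risky) >= 5
    return {
        "package": package,
        "risky_permissions": risky,
        "accessibility_services": accessibility,
        "likely_rat": likely_rat,
    }


def find_hosts(strings_blob: str) -> list[str]:
    hits = []
    for pattern in HOST_PATTERNS:
        hits.extend(pattern.findall(strings_blob))
    return sorted(set(hits))


# Constructed sample: hypothetical package, service and host names.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".C2Service"/>
  </application>
</manifest>"""

SAMPLE_STRINGS = """
https://example-project-default-rtdb.firebaseio.com/devices
https://huggingface.co/example-org/example-model/resolve/main/model.gguf
"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
    print(find_hosts(SAMPLE_STRINGS))
```

Treat the output as a prioritisation aid: a Firebase URL alone is ordinary, but a game that declares an Accessibility Service, asks for SMS and call-log access, and names a Firebase database and a model download host is the profile this family presents.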

Coercion and Extortion Features

SURXRAT also carries a ransomware-style screen locker that shows a full-screen message and demands a PIN to regain access. Each wrong PIN attempt is logged and sent to the operator's backend, so operators can move between surveillance, fraud and outright extortion depending on the value of the target.


Understanding threats like SURXRAT is part of defending against them. Keeping devices updated, installing apps only from trusted sources, and refusing Accessibility Service requests from apps that have no legitimate need for them materially reduce exposure to this class of malware.
