Multiple Threat Actors Deploying Open-Source Rafel RAT to Target Android Devices
What is Rafel RAT?

Rafel RAT is an open-source Android malware tool used by multiple threat actors for remote administration and control of infected devices. It enables a range of malicious activities, including data theft and device manipulation. The malware can exfiltrate sensitive information such as contact details, SMS messages, location data, call logs, and installed applications. It primarily uses HTTP(S) for command-and-control communications and comes with a PHP-based panel for issuing commands to compromised devices.
Which cyber espionage group has used Rafel RAT?

The cyber espionage group that has used Rafel RAT is the DoNot Team (aka APT-C-35, Brainworm, and Origami Elephant).
Which countries were targeted by these Rafel RAT campaigns?

The Rafel RAT campaigns targeted various countries, including Australia, China, Czechia, France, Germany, India, Indonesia, Italy, New Zealand, Pakistan, Romania, Russia, and the U.S. The majority of victims had Samsung phones, while Xiaomi, Vivo, and Huawei users comprised the second-largest group among the targeted victims.