# Rafel RAT
Rafel RAT is an open-source Android remote access trojan documented by Check Point Research in June 2024 after observing over 120 distinct campaigns leveraging the tool across multiple countries. Originally built for espionage, Rafel RAT has been adopted by a wide range of threat actors, from state-sponsored groups like APT-C-35 (DoNot Team) to financially motivated operators deploying its ransomware module. Its open-source availability, PHP-based C2 panel, and broad feature set covering data exfiltration, SMS theft, location tracking, file encryption, and device wiping make it one of the most widely deployed Android RATs in recent years.
## Overview
| Attribute | Details |
|---|---|
| First Seen | Campaigns observed over approximately two years prior to June 2024 disclosure |
| Status | Active, open-source and widely available |
| Type | Remote access trojan, espionage, ransomware |
| Attribution | Multiple actors; notably APT-C-35 (DoNot Team), Iran-based ransomware operators |
| Aliases | Rafel, Rafel RAT |
| Language | Java (implant), PHP (C2 panel) |
| Source Code | Publicly available on GitHub (swagkarna/Rafel-Rat and forks) |
| Distribution | Social engineering, phishing via SMS/WhatsApp/Telegram, fake app lures |
## Origin and Lineage
Rafel RAT is written in Java with a PHP web panel for command and control. The source code is publicly hosted on GitHub, making it freely available for any threat actor to clone, modify, and deploy. This zero-cost, zero-barrier accessibility has driven adoption across an unusually broad spectrum of operators, from sophisticated espionage groups to opportunistic cybercriminals with minimal technical skill.
Check Point Research collected samples and identified around 120 C2 servers supporting campaigns spanning approximately two years before the June 2024 disclosure. The tool's open-source nature means individual campaigns vary significantly in sophistication, targeting, and objectives. Some operators use Rafel RAT as a straightforward data exfiltration tool, while others have leveraged its ransomware module for extortion.
Unlike commercial Malware-as-a-Service (MaaS) operations where a central developer maintains the codebase and sells access, Rafel RAT has no support infrastructure. Each operator is responsible for standing up their own C2 panel, customizing the implant, and handling distribution. This creates a highly fragmented ecosystem where dozens of independent campaigns run simultaneously with no coordination between them.
### APT-C-35 Adoption
APT-C-35 (DoNot Team), a South Asian threat group known for espionage operations primarily targeting Pakistan and neighboring countries, was identified by Check Point as one of the actors deploying Rafel RAT. DoNot Team's adoption of an open-source tool alongside their custom malware demonstrates how freely available RATs lower the cost of operations even for groups capable of developing their own tooling. Using a widely shared tool also provides attribution cover, since the same malware is in use by dozens of unrelated actors.
## Distribution
Rafel RAT relies on social engineering to reach victims. The malware impersonates widely recognized applications including Instagram, WhatsApp, e-commerce platforms, antivirus programs, and device support apps. Operators distribute malicious APKs through phishing campaigns on WhatsApp, Telegram, and SMS, directing victims to download and install the fake application.
| Vector | Details |
|---|---|
| Fake applications | Disguised as Instagram, WhatsApp, e-commerce apps, antivirus tools, support utilities, banking apps |
| Phishing messages | Distributed via SMS, WhatsApp, and Telegram with links to malicious APKs |
| Social engineering | Victims manipulated into granting intrusive permissions post-installation |
| Institutional impersonation | Fake messages from banks, educational institutions, and IT departments |
Zimperium documented campaigns using carefully crafted phishing emails disguised as urgent security alerts from banks, directing targets to fake login pages that also triggered the Rafel RAT download. Other campaigns impersonated corporate IT departments, urging employees to install "critical security updates" that were actually the implant.
Because the builder is free and each operator handles their own distribution, the delivery channels are as varied as the actors. Some campaigns target specific organizations in specific countries; others cast a wide net with generic app lures.
### Android Version Targeting
Over 87.5% of infected devices were running outdated Android versions that no longer receive security patches. Check Point's analysis of victim devices showed a clear pattern: operators benefit from the weaker security posture of end-of-life devices, where the permission model provides fewer safeguards.
| Android Version | Share of Infections | Notes |
|---|---|---|
| Android 11 | 21.4% | Most prevalent single version |
| Android 5 (Lollipop) | ~18% | End-of-life, no security patches since 2018 |
| Android 8 (Oreo) | Third most common | End-of-life |
| Android 6-10 | ~48% combined | Almost half of all infections |
| Android 12-13 | 12.5% | Only fraction running supported versions |
The malware is compatible with Android versions 5 through 12. On older versions, the runtime permission model is less restrictive, so the malware can obtain broad access without triggering the level of user prompting present on newer Android releases. Android 5 predates the runtime permission model introduced in Android 6, neither Android 5 nor 6 has scoped storage, and the DeviceAdmin restrictions added in later releases are absent.
### Device Manufacturers
Samsung devices comprised the largest share of victims, followed by Xiaomi, Vivo, and Huawei handsets. Google Pixel and Nexus devices also appeared among the infected population. The manufacturer distribution largely mirrors global Android market share rather than indicating specific vendor targeting.
## Capabilities
### Core Features
| Capability | C2 Command | Description |
|---|---|---|
| SMS theft | sms_oku | Exfiltrates all SMS messages, including 2FA codes, to the C2 |
| Location tracking | location_tracker | Continuous live device location reporting |
| Contact exfiltration | | Harvests the victim's full phone book |
| Call log theft | | Extracts and exfiltrates call history |
| Device info collection | | Gathers identifiers, locale, carrier, model, root status, battery, memory |
| Installed app enumeration | | Lists all applications installed on the device |
| File exfiltration | | Steals files from device storage |
| Notification siphoning | | Intercepts and forwards notifications, capturing authentication codes |
| SD card wipe | | Destructive capability to erase external storage |
| Call log deletion | | Removes call history to cover tracks |
| Screen lock | LockTheScreen | Locks the device screen, rendering it unusable |
| Ransomware | ransomware | AES encryption of files with lock screen manipulation |
| Wallpaper manipulation | | Changes the device wallpaper to display a ransom note or custom message |
| Device vibration | | Activates vibration, used alongside ransom delivery |
On initial infection, the implant transmits a device fingerprint to the C2 server containing device identifiers, model, OS version, locale, country, carrier details, root status, battery level, and available memory. The C2 server then responds with commands to execute on the device.
### Ransomware Module
The ransomware capability is particularly notable because mobile ransomware remains uncommon compared to desktop variants. Check Point observed that approximately 10% of campaigns issued the ransomware command, indicating that while most operators use Rafel RAT for surveillance and data theft, a meaningful subset deploy it for extortion.
The ransomware module operates in multiple stages:
- File encryption: Uses AES encryption with a pre-defined key to encrypt files on device storage
- Lock screen takeover: If DeviceAdmin privileges are granted, changes the device lock screen password to prevent victim access
- Wallpaper replacement: Changes the device wallpaper to display a ransom demand
- Ransom note delivery: Sends an SMS to the victim containing the ransom note and instructions
- Anti-recovery: If the victim attempts to revoke DeviceAdmin privileges, the module immediately changes the password and locks the screen
The use of a pre-defined AES key rather than per-victim asymmetric encryption is a significant weakness. If the key is extracted from a sample (trivial given the open-source code), all files encrypted by that build can be decrypted. Operators who do not modify the default encryption key in the source code before building their payload leave their victims' files recoverable through static analysis of the APK.
### Espionage Operations
When used by APT-C-35, Rafel RAT functions as a comprehensive espionage platform. The combination of SMS theft, contact harvesting, location tracking, call log exfiltration, and notification interception provides full surveillance of the target's communications and movements. The ability to enumerate installed applications also enables operators to profile the target's device usage and identify additional collection opportunities.
The espionage use case does not require the ransomware or destructive capabilities. Operators configure the implant to run silently, collecting and exfiltrating data without any visible indicator to the victim. This contrasts with the ransomware use case, where the operator deliberately makes the infection visible as part of the extortion.
## Technical Details
### C2 Communication
Rafel RAT primarily uses HTTP(S) for command-and-control communication. The communication flow starts with the implant sending a device registration request containing the fingerprint data, then polling the C2 server for commands via a PHP endpoint (commands.php).
| C2 Method | Details |
|---|---|
| HTTP(S) | Primary channel; implant polls PHP-based panel for commands |
| Discord API | Alternative channel using Discord servers for receiving exfiltrated data and issuing commands |
| PHP panel | Web-based management interface with JSON file storage (no database required) |
The C2 infrastructure is lightweight by design. The PHP panel runs on any standard web hosting that supports PHP, with no database dependency. All data storage uses JSON files, making deployment trivial but also limiting scalability for large botnets. Operators can deploy a functional C2 server by uploading the PHP files to any hosting provider and configuring the login.php credentials. The hosting should use HTTPS with a valid certificate to avoid triggering network-level warnings.
The Discord API integration provides an alternative exfiltration channel. Operators can configure the implant to send stolen data to Discord servers and receive commands through Discord's messaging infrastructure. This abuses Discord's legitimate infrastructure as a C2 relay, making network-level blocking more difficult since Discord traffic is common on most networks.
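Defensive triage for the polling pattern described above (registration followed by repeated requests to commands.php) and for the command names listed in the capability table, as an added example that is not part of the page or of the Rafel project. The Apache combined log format, every sample line, the `register.php` path and the response body are constructed; only `commands.php` and the four command names come from the page.

```python
"""Triage helpers for Rafel RAT style C2 traffic seen in web/proxy logs."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Command strings documented on the page; anything else would be an assumption.
RAFEL_COMMANDS = {"sms_oku", "location_tracker", "LockTheScreen", "ransomware"}

# Apache "combined" access-log line (constructed format for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3})"
)

def parse_line(line):
    """Return (client, timestamp, method, path) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path")

def find_pollers(lines, endpoint="commands.php", min_hits=4, max_jitter=0.25):
    """Clients that hit the command endpoint at a near-constant interval.

    Returns {client: mean_interval_seconds}. A beaconing implant shows low
    relative jitter (stdev / mean); human browsing does not."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[3].split("?")[0].endswith(endpoint):
            hits[rec[0]].append(rec[1])
    pollers = {}
    for client, stamps in hits.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            pollers[client] = round(mean(gaps), 1)
    return pollers

def commands_in_body(body):
    """Known Rafel command names in a plaintext HTTP response body. Only
    observable when the panel is served over HTTP rather than HTTPS."""
    return sorted(tok for tok in RAFEL_COMMANDS if re.search(rf"\b{tok}\b", body))

# Constructed sample: 10.0.0.5 polls every ~30 s after registering (implant-like);
# 10.0.0.9 touches the same path irregularly (browsing-like).
SAMPLE_LOG = """\
10.0.0.5 - - [18/May/2024:10:00:00 +0000] "POST /panel/register.php HTTP/1.1" 200 15
10.0.0.5 - - [18/May/2024:10:00:30 +0000] "GET /panel/commands.php?id=abc HTTP/1.1" 200 42
10.0.0.5 - - [18/May/2024:10:01:00 +0000] "GET /panel/commands.php?id=abc HTTP/1.1" 200 42
10.0.0.5 - - [18/May/2024:10:01:31 +0000] "GET /panel/commands.php?id=abc HTTP/1.1" 200 42
10.0.0.5 - - [18/May/2024:10:02:00 +0000] "GET /panel/commands.php?id=abc HTTP/1.1" 200 42
10.0.0.9 - - [18/May/2024:10:00:05 +0000] "GET /panel/commands.php HTTP/1.1" 200 42
10.0.0.9 - - [18/May/2024:10:07:40 +0000] "GET /panel/commands.php HTTP/1.1" 200 42
10.0.0.9 - - [18/May/2024:10:08:01 +0000] "GET /panel/commands.php HTTP/1.1" 200 42
10.0.0.9 - - [18/May/2024:11:30:00 +0000] "GET /panel/commands.php HTTP/1.1" 200 42
""".splitlines()
SAMPLE_BODY = "sms_oku|location_tracker"  # constructed; real panel output is not on the page

if __name__ == "__main__":
    print("beaconing clients:", find_pollers(SAMPLE_LOG))
    print("commands in body:", commands_in_body(SAMPLE_BODY))
```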
### Builder and Panel
The Rafel RAT builder allows operators to generate customized APKs without Android development knowledge. The configuration process involves:
| Parameter | Description |
|---|---|
| C2 URL | The WebPanel URL pointing to the operator's PHP panel |
| App name | Display name for the disguised application |
| App icon | Custom icon to impersonate a legitimate app |
| Package name | Android package identifier for the generated APK |
| Permissions | Which device permissions to request on install |
The PHP panel provides a web dashboard where operators can view all connected devices, their status, device details, and issue commands individually or in bulk. Newer versions of the panel include extended functionality, though the core architecture remains the same lightweight PHP-with-JSON-storage design.
### DeviceAdmin Abuse
Rafel RAT requests DeviceAdmin privileges during installation, which, if granted, provide elevated control over the device. With DeviceAdmin access, the malware can change the lock screen password, lock the device remotely, and resist uninstallation by preventing the victim from revoking admin privileges. This is critical for the ransomware module, which uses DeviceAdmin to enforce the lock screen ransom note and prevent the victim from regaining device access without paying.
On Android versions before 9 (Pie), DeviceAdmin provided broader capabilities and was harder to revoke. Starting with Android 9, Google began deprecating certain DeviceAdmin APIs, and on Android 10+ DeviceAdmin can no longer reset screen lock passwords unless no password or PIN is currently set. This means the ransomware lock screen capability is most effective on older Android versions, which aligns with the observed victim profile of 87.5% running Android 11 or below.
### Persistence
The malware uses social engineering at install time to obtain broad permissions, and DeviceAdmin enrollment makes removal difficult without factory reset. On outdated Android versions (which represent over 87% of victims), the permission model provides fewer safeguards against granting these privileges. The implant also requests exemption from battery optimization to prevent the OS from killing background services, and adds itself to the battery optimization whitelist to maintain persistent background execution.
## C2 Infrastructure
Check Point identified approximately 120 C2 servers across the observed campaigns. The infrastructure is fragmented, with each operator running their own panel independently. The low cost of deploying a Rafel C2 panel (any PHP-capable hosting) means servers are disposable and frequently rotated.
### Pakistan Government Website Compromise
One of the more notable infrastructure findings involved a compromised Pakistani government website that had a Rafel web panel installed on it. The panel was installed on May 18, 2024, though traces of the compromise date back to April 2023. Infected devices were reporting to this government server as their C2. A hacker using the handle @LoaderCrazy announced the compromise on the Telegram channel @EgyptHackerTeam. Hosting C2 infrastructure on a compromised government domain provides the attacker with a trusted domain reputation and makes network-level blocking more difficult for defenders.
## Target Regions
Check Point identified campaigns spanning a wide geographic range, with some successfully targeting high-profile organizations in government and military sectors.
| Region | Countries |
|---|---|
| North America | United States (most targeted country) |
| East Asia | China (second most targeted) |
| Southeast Asia | Indonesia (third most targeted) |
| Western Europe | France, Germany, Italy |
| South Asia | India, Pakistan (overlapping with APT-C-35 operations) |
| Eastern Europe | Russia, Romania, Czechia |
| Oceania | Australia, New Zealand |
The concentration of victims in the United States, China, and Indonesia reflects both the large Android user bases in those countries and the opportunistic nature of most campaigns. The South Asian targeting is more deliberate, overlapping with APT-C-35's known operational focus on Pakistan. The majority of victims appear to be individuals running outdated Android devices, though government and military personnel were also among the compromised targets.
## Notable Campaigns
APT-C-35 espionage operations: Check Point identified campaigns attributed to APT-C-35 (DoNot Team), a South Asian espionage group known for targeting Pakistan's government and military. DoNot Team's adoption of an open-source tool alongside their custom malware demonstrates how freely available RATs reduce operational costs and provide attribution cover even for sophisticated actors. The group used Rafel RAT for intelligence collection, leveraging the full surveillance suite of SMS interception, location tracking, contact harvesting, and notification siphoning.
Iran-based ransomware campaign: An operator likely originating from Iran deployed Rafel RAT's ransomware module against victims in Pakistan. The attacker followed a two-phase approach: first executing standard information-gathering commands to profile the victim, then transitioning to ransomware. The campaign wiped call history, changed the device wallpaper to a custom ransom demand, locked the screen, activated device vibration, and sent an SMS ransom note written in Arabic instructing the victim to contact them via a Telegram channel. This represents one of the more brazen documented uses of mobile ransomware in the wild.
Pakistan government server compromise: A threat actor operating under the handle @LoaderCrazy compromised a Pakistani government website and installed a Rafel C2 panel on it, with infected devices from multiple countries (United States, Russia, China, Romania) reporting to the government server. The compromise was announced on the Telegram channel @EgyptHackerTeam. The panel installation was traced to May 2024, with earlier indicators of compromise dating to April 2023.
June 2024 disclosure: Check Point Research published comprehensive analysis documenting approximately 120 campaigns, around 120 C2 servers, and samples spanning multiple countries and threat actor profiles. The Hacker News, BleepingComputer, and Bitdefender published follow-up analyses. The report highlighted the convergence of espionage and ransomware operations within a single open-source tool, drawing significant industry attention to the threat posed by freely available mobile malware.
## Comparison to Other Open-Source Android RATs
Rafel RAT exists in an ecosystem of open-source Android RATs, each with different capabilities and adoption profiles.
| RAT | Language | C2 Type | Ransomware | Builder GUI | Key Differentiator |
|---|---|---|---|---|---|
| Rafel RAT | Java + PHP | PHP web panel (JSON) | Yes | Web-based config | Ransomware module, widest documented deployment |
| SpyNote | Java | Custom TCP | No | Windows desktop | VNC-like remote control, banking trojan extensions post-leak |
| AhMyth | Java + Electron | Electron desktop panel | No | Desktop GUI | Simplest setup, most bugs, limited to basic RAT functions |
| DroidJack | Java | Custom protocol | No | Windows desktop | Discontinued but still circulated, was commercially sold |
| AndroRAT | Java | Java desktop | No | Desktop GUI | One of the earliest Android RATs (2012), largely obsolete |
Rafel RAT's distinguishing characteristics are the ransomware module (unique among widely deployed open-source Android RATs), the web-based PHP panel (no desktop client needed, deployable on any hosting), and the sheer scale of documented adoption. SpyNote surpasses Rafel RAT in raw capability with its VNC-like screen streaming and banking trojan overlays, but Rafel RAT's simpler architecture and web-based panel lower the barrier for operators with minimal infrastructure.
The open-source model contrasts sharply with MaaS operations like Hook, Octo, and Cerberus, which provide polished panels, customer support, and regular updates in exchange for monthly fees. Rafel RAT offers no support, no updates beyond community forks, and no quality control. The tradeoff is zero cost and zero operational security risk from interacting with underground marketplace vendors.
## Related Families
The ransomware capability sets Rafel RAT apart from most Android banking trojans. While families like Brata include destructive device wipe features as anti-forensics measures, Rafel RAT's ransomware module is designed for extortion with file encryption, ransom notes, and lock screen manipulation.
As an espionage tool used by APT-C-35, Rafel RAT operates in the same category as SpyNote, another Android RAT frequently used by threat actors for surveillance operations. Both provide comprehensive device monitoring capabilities, though SpyNote is typically deployed in more targeted operations and has evolved into a banking trojan with overlay capabilities. Rafel RAT's open-source nature has enabled broader, less discriminate campaigns.
GuardZoo, another Android surveillance tool targeting military personnel in the Middle East, shares operational similarities with Rafel RAT's espionage deployments. Both target government and military personnel in the same geographic regions, though GuardZoo is more narrowly focused while Rafel RAT's operator base spans from espionage to ransomware.
## References
- Check Point Research - Rafel RAT, Android Malware from Espionage to Ransomware Operations (June 2024)
- BleepingComputer - Rafel RAT targets outdated Android phones in ransomware attacks (June 2024)
- The Hacker News - Multiple Threat Actors Deploying Open-Source Rafel RAT (June 2024)
- Bitdefender - Rafel RAT: A Pest Invading Droid Systems (July 2024)
- Zimperium - Phishing Campaigns and Rafel RAT: A Dangerous Duo (2024)
- Zimperium - Unmasking Rafel RAT: Android Infiltration Campaign (2024)
- Security Affairs - 120 malicious campaigns using Rafel RAT (June 2024)