
SURXRAT, a Trojan’s LLM-Driven Expansion in Android Malware
SURXRAT, an Android Remote Access Trojan (RAT), has emerged as a commercially structured malware operation. Distributed under the branding “SURXRAT V5,” the malware is sold through a Telegram-based malware-as-a-service (MaaS) network that enables affiliates to generate customized builds while the core operator retains centralized infrastructure and oversight.
Cyble Research and Intelligence Labs (CRIL) has identified more than 180 related SURXRAT samples. The Telegram channel promoting SURXRAT was created in late 2024, suggesting that development likely began in early 2025. The suspected Indonesian threat actor regularly posts updates, feature announcements, and operational metrics des...