Rafel RAT is an open-source Android malware tool used by multiple threat actors for remote administration and control of infected devices. It enables a range of malicious activities, including data theft and device manipulation. The malware can exfiltrate sensitive information such as contact details, SMS messages, location data, call logs, and installed applications. It primarily uses HTTP(S) for command-and-control communications and comes with a PHP-based panel for issuing commands to compromised devices.
The cyber espionage group that has used Rafel RAT is the DoNot Team (aka APT-C-35, Brainworm, and Origami Elephant).
The Rafel RAT campaigns targeted victims in various countries, including Australia, China, Czechia, France, Germany, India, Indonesia, Italy, New Zealand, Pakistan, Romania, Russia, and the U.S. The majority of victims used Samsung phones, while Xiaomi, Vivo, and Huawei users together made up the second-largest group of targeted victims.