EagleSpy V6.0: Researchers Uncover Rebranded CraxsRAT Operating on Odysee and Telegram with Full Mobile Surveillance Kit
Security researchers have identified an active malware operation distributing a sophisticated Android RAT—dubbed EagleSpy V6.0—through Odysee and Telegram, with technical analysis confirming it functions as a rebranded variant of the known CraxsRAT malware. The seller operates via public channels, marketing the toolkit to prospective buyers before scamming at least one paying customer. The investigation, which exposed the researcher to direct financial loss when the seller blocked communication after payment, ultimately yielded detailed insight into the malware's full capabilities and infrastructure.
Technical analysis of EagleSpy V6.0 reveals an extensive feature set targeting mobile devices. The RAT deploys banking phishing overlays designed to harvest credentials, crypto wallet credential theft modules, and Telegram bot exfiltration tools. Beyond financial targeting, the malware includes remote shell execution, keylogging, camera and microphone access, and GPS tracking. Researchers also documented ransomware components, DEX packers configured for antivirus evasion, and hidden update mechanisms that function as persistent backdoors. Notably, the seller's own repository contained evidence of real victim infrastructure and compromised device data, suggesting active deployment against targets.
The operation presents a dual-layer threat: not only are potential victims exposed to full mobile device compromise, but buyers or operators purchasing the toolkit face risk from embedded update systems that could be weaponized against them. The use of mainstream platforms like Odysee and Telegram for distribution—combined with the rebranding of a known RAT family—signals a deliberate effort to lower barriers to access while evading detection. Organizations and individuals with exposure to these platforms should treat any unsolicited RAT-related offers as a confirmed threat vector, and the presence of compromised victim data in the infrastructure suggests an ongoing campaign warranting heightened scrutiny.