Skip to content

SpyNote

Also known as: CypherRat

According to Cleafy, SpyNote abuses Accessibility services and other Android permissions in order to: Collect SMS messages and contacts list; Record audio and screen; Perform keylogging activities; Bypass 2FA; Track GPS locations.

Linked Threat Actors

OilRig

C2 Infrastructure

Hosting/VPS 100%

Last 7 days

Jul 15, 2026
C2 Hosts: 1

Further Reading

疑似APT-C-56(透明部落)针对恐怖主义的攻击活动分析 opens in a new tab

360烽火实验发现了一批疑似APT-C-56(透明部落)针对恐怖主义发起攻击的恶意样本,通过溯源关联分析发现,攻击活动至少开始于2018年6月,至今仍处于活跃状态

mp.weixin.qq.com
Kasablanka(卡萨布兰卡)组织针对中东地区政治团体和公益组织的攻击行动 opens in a new tab

近期,360高级威胁研究院在日常情报挖掘中发现并捕获到了Kasablanka组织针对Windows和Android两个平台的攻击活动,经分析后推测该组织不简简单单是为了经济利益,其动机似乎更倾向于信息收集和间谍活动

mp.weixin.qq.com
PROSPERO & Proton66: Uncovering the links between bulletproof networks opens in a new tab

Key findings   This report presents: The Russian autonomous system PROSPERO (AS200593) could be linked […]

intrinsec.com
SpyNote: Spyware with RAT capabilities targeting Financial Institutions opens in a new tab

SpyNote, also known as SpyMax and CypherRat, is a unique and effective Spyware which developed unique interest in banking users

threatfabric.com
SpyNote: Spyware with RAT capabilities targeting Financial Institutions opens in a new tab

SpyNote, also known as SpyMax and CypherRat, is a unique and effective Spyware which developed unique interest in banking users

threatfabric.com
Storm Cloud Unleashed: Tibetan Focus of Highly Targeted Fake Flash Campaign opens in a new tab

Beginning in May 2019, Volexity started tracking a new series of strategic web compromises that have been used in highly targeted attacks against Tibetan individuals and organizations by a Chinese […]

volexity.com

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.