SpyNote

Also known as: CypherRat

According to Cleafy, SpyNote abuses Accessibility services and other Android permissions in order to: Collect SMS messages and contacts list; Record audio and screen; Perform keylogging activities; Bypass 2FA; Track GPS locations.

Linked Threat Actors

OilRig

C2 Infrastructure

Hosting/VPS50%

ISP/Residential50%

Last 7 days

Apr 14, 2026

C2 Hosts: 1

Apr 13, 2026

C2 Hosts: 3

Apr 12, 2026

C2 Hosts: 2

Apr 11, 2026

C2 Hosts: 2

Apr 8, 2026

C2 Hosts: 1

Daily C2 host counts for the last 7 days
Date	C2 Hosts
Apr 14, 2026	1
Apr 13, 2026	3
Apr 12, 2026	2
Apr 11, 2026	2
Apr 8, 2026	1

Further Reading

PROSPERO & Proton66: Uncovering the links between bulletproof networks

Key findings This report presents: The Russian autonomous system PROSPERO (AS200593) could be linked […]

SpyNote: Spyware with RAT capabilities targeting Financial Institutions

SpyNote, also known as SpyMax and CypherRat, is a unique and effective Spyware which developed unique interest in banking users

threatfabric.com

SpyNote: Spyware with RAT capabilities targeting Financial Institutions

SpyNote, also known as SpyMax and CypherRat, is a unique and effective Spyware which developed unique interest in banking users

threatfabric.com

Storm Cloud Unleashed: Tibetan Focus of Highly Targeted Fake Flash Campaign

Beginning in May 2019, Volexity started tracking a new series of strategic web compromises that have been used in highly targeted attacks against Tibetan individuals and organizations by a Chinese […]