EVLF DEV is a Syrian threat actor and malware-as-a-service (MaaS) operator. He is responsible for the development of CypherRAT and CraxsRAT, which over the last 3 years were purchased by over 100 distinct threat actors on a lifetime license. EVLF has been observed operating a Telegram channel named "EvLF Devz", created on February 17, 2022. It has 10,678 subscribers as of writing.

A search for CraxsRAT surfaces numerous cracked versions of the malware hosted on GitHub, although it appears that Microsoft has taken down some of them over the past few days. The GitHub account of EVLF, however, remains active on the code-hosting service.


EVLF has created a web shop for CraxsRAT on the surface web to appear legitimate to interested threat actors.