SURXRAT Now Pulls Large LLM Module from Hugging Face — Signaling Expanded Malware Capabilities

Cybersecurity researchers have observed a new evolution in the SURXRAT Android Remote Access Trojan (RAT): the threat now downloads a multi-gigabyte Large Language Model (LLM) module from an external repository such as Hugging Face. This change suggests that the malware’s capabilities and monetization strategies are advancing beyond traditional Android RAT behavior.

What SURXRAT Is

SURXRAT is an actively developed Android RAT that’s being sold as a malware-as-a-service (MaaS) via a Telegram-based ecosystem.
• It’s marketed under a structured licensing model branded SURXRAT V5, with reseller and partner tiers allowing affiliates to customize and distribute builds.
• This commercialization model reflects a growing professionalization in Android malware distribution, where operators scale infections through affiliates rather than direct campaigns.
• Technical indicators suggest SURXRAT evolved from the ArsinkRAT family, with code overlaps hinting at shared lineage.

Operational Features of the Malware

SURXRAT has a wide range of surveillance and control features:
• Collection of sensitive personal data — including SMS messages, contacts, call logs, device identifiers, location data, and browser activity.
• Abuse of Android accessibility permissions to maintain persistent control of the device.
• Communication with a Firebase Realtime Database-based command-and-control (C2) infrastructure, which helps the malware blend in with legitimate traffic, complicating detection.
• Remote device actions such as unlocking the phone, initiating calls, controlling audio, and locking the screen with a ransomware-style interface.

The LLM Module Behavior

The major new behavior observed by Cyble is that the latest samples of SURXRAT conditionally download a very large LLM module (over 23 GB) from a repository like Hugging Face:

• This download does not occur on every infection — instead, it’s triggered under specific conditions, such as when certain gaming apps like Free Fire MAX x Jujutsu Kaisen are running.
• The module download behavior is remotely configurable, meaning the threat actor can adjust triggers and targeted package names via commands from the C2 server.
• Pulling such a large model to a mobile device is unusual — mobile RATs typically avoid huge payloads — indicating this feature is intentional, not accidental.

Possible Reasons for Downloading an LLM

Although detailed functionality remains under investigation, the research points to several plausible motives:

  1. Performance Manipulation: The module could be used to intentionally degrade device performance, for example, during gameplay, possibly for illicit monetization related to gaming disruption or paid cheating services.
  2. Stealth or Evasion: High resource usage might mask other malicious activity, making users mistake malware symptoms for general system lag or hardware issues.
  3. AI-Driven Functions: It’s possible the threat actor intends to use AI features from the LLM for assistive tasks, although specifics aren’t yet confirmed.

What This Means for Security

The introduction of LLM module retrieval represents a notable shift in Android malware design — moving from purely surveillance and control to experimenting with advanced modules that could aid new malicious functions or offer alternative revenue streams.

While defending against Android threats remains challenging, organizations and users can reduce risk through up-to-date threat intelligence, strong security hygiene, and prompt detection and response tooling.