SURXRAT: MaaS Android RAT Leveraging Telegram and Firebase Infrastructure

    Date: 04/09/2026

    Severity: High

    Summary

    SURXRAT is a Malware-as-a-Service (MaaS) Android RAT that leverages legitimate platforms such as Firebase for command-and-control (C2) communication. It abuses Android accessibility services to perform malicious actions such as keylogging, screen capture, and OTP interception. Because its C2 traffic goes to legitimate cloud services, the malware blends in with normal traffic, making detection more difficult. SURXRAT can remotely execute commands, exfiltrate sensitive data, and maintain persistent access to infected devices.

    Indicators of Compromise (IOC) List

    Domains / URLs:

    https://surxratprv-default-rtdb.firebaseio.com

    Hashes (SHA-256):

    05a46a0df2cf8bccfe2b443148d2df55c9c2c710b7bd09177e26cf5cace25962

    4e0512d312a7aa9594a87e6477745be20a3a4590849b0a5fd704f009bcde76b3

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 (C2 domain / URL match):

    domainname like "https://surxratprv-default-rtdb.firebaseio.com" or url like "https://surxratprv-default-rtdb.firebaseio.com" or siteurl like "https://surxratprv-default-rtdb.firebaseio.com"

    Detection Query 2 (sample hash match):

    sha256hash IN ("4e0512d312a7aa9594a87e6477745be20a3a4590849b0a5fd704f009bcde76b3","05a46a0df2cf8bccfe2b443148d2df55c9c2c710b7bd09177e26cf5cace25962")
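    The two TDIR queries above match the C2 URL and the sample hashes as literal strings. As an added illustration that is not part of the advisory or Gurucul's TDIR product, the following Python script applies the same two IOC checks to JSON-per-line events, with one practical refinement: the URL fields are normalised to their host name before comparison, so a variant path, port, or letter case on the same Firebase host (as in the constructed sample records below) is still caught, and hashes are compared case-insensitively. The field names domainname, url, siteurl and sha256hash are taken from the queries; the event records themselves are constructed and the schema is an assumption.

```python
import json
from urllib.parse import urlsplit

# IOC values are taken verbatim from the advisory above.
IOC_HOSTS = {"surxratprv-default-rtdb.firebaseio.com"}
IOC_SHA256 = {
    "05a46a0df2cf8bccfe2b443148d2df55c9c2c710b7bd09177e26cf5cace25962",
    "4e0512d312a7aa9594a87e6477745be20a3a4590849b0a5fd704f009bcde76b3",
}

# Field names mirror the advisory's two queries. Real event schemas vary,
# so treat this mapping as an assumption to adapt to your own log source.
URL_FIELDS = ("domainname", "url", "siteurl")
HASH_FIELDS = ("sha256hash",)


def host_of(value: str) -> str:
    """Return the lowercase host part of a URL or of a bare host name."""
    value = value.strip()
    if "://" not in value:
        value = "//" + value  # lets urlsplit treat a bare host as the netloc
    return urlsplit(value).hostname or ""  # hostname is lowercased, port removed


def match_event(event: dict) -> list:
    """Return (rule, field, value) tuples for every IOC hit in one event."""
    hits = []
    for field in URL_FIELDS:
        value = event.get(field)
        if isinstance(value, str) and host_of(value) in IOC_HOSTS:
            hits.append(("surxrat_c2_host", field, value))
    for field in HASH_FIELDS:
        value = event.get(field)
        if isinstance(value, str) and value.strip().lower() in IOC_SHA256:
            hits.append(("surxrat_sample_hash", field, value))
    return hits


def scan_log(lines) -> list:
    """Parse JSON-per-line events; return (line_index, rule, field, value) hits."""
    results = []
    for index, line in enumerate(lines):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a malformed record should not abort the whole scan
        for hit in match_event(event):
            results.append((index, *hit))
    return results


# Constructed sample events (not real telemetry); only the IOC values are real.
SAMPLE_LOG = [
    '{"host":"android-01","url":"https://surxratprv-default-rtdb.firebaseio.com/commands.json"}',
    '{"host":"android-02","domainname":"SURXRATPRV-default-rtdb.firebaseio.com"}',
    '{"host":"android-03","url":"https://example-default-rtdb.firebaseio.com/app.json"}',
    '{"host":"android-04","sha256hash":"4E0512D312A7AA9594A87E6477745BE20A3A4590849B0A5FD704F009BCDE76B3"}',
    "not json at all",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

    Run against the constructed sample, the script flags the first, second and fourth records and ignores the unrelated Firebase host and the malformed line. The host-level match is deliberately narrow: it keys on the specific project host from the IOC list, not on firebaseio.com as a whole, since the advisory's point is that the malware hides among legitimate Firebase traffic.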

    Reference:

    https://gurucul.com/blog/surxrat-maas-android-rat-leveraging-telegram-and-firebase-infrastructure/


    Tags

    Screen capture, MaaS, Telegram, Exfiltration, Malware, RAT, Android Malware, Keylogger
