NEWS Inside the Lab of Evil: How CraxsRAT and NFCGate Turned Android Phones into ATMs

ExcalibuR

Number of infected devices in Russia reaches 180,000.

Cybersecurity experts from F6 have detected a large-scale campaign targeting users of Russian banks, involving two malicious programs: the Android trojan CraxsRAT and a modified version of the legitimate app NFCGate. As of March 2025, analysts report over 180,000 devices in Russia with both components installed simultaneously.


According to the company’s report, the first quarter of 2025 showed an increasing share of infected devices using both malware tools. This combination, experts warn, poses one of the biggest threats to banking customers, allowing cybercriminals to operate without any direct contact with the victim.


CraxsRAT is a multifunctional Android trojan developed from the source code of SpyNote. It disguises itself as a legitimate app and, once installed, gives attackers remote access to the user’s device. The trojan was first reported in October 2024. By February 2025, infections had surged by 2.5 times compared to December, reaching over 22,000 devices.


NFCGate, originally created by German students in 2015 for educational purposes, is now exploited by criminals. It is used to develop malicious apps that, once installed, prompt users to tap their bank card and enter a PIN. These credentials are then captured and used to withdraw money from ATMs. Criminal use of NFCGate was first recorded in January 2025.
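To make the relay mechanism concrete, here is a small simulation added to this post; it is not code from F6, from the article, or from the NFCGate project. It models the two phones the article describes: the victim's phone runs a decoy "card protection" app that asks for a tap and a PIN, and the attacker's phone is held to a terminal and emulates the card by forwarding every command to the real card and every response back. The terminal sees a byte-identical conversation, so the card data alone cannot expose the relay; what the relay cannot hide is the added round-trip time, and the terminal in the example enforces a timing budget, a common relay countermeasure. The APDU bytes, delays and budget are constructed illustrative values, not real EMV traffic or real ATM parameters.

```python
"""Toy model of a two-phone NFC relay with PIN capture via a decoy UI.

Constructed example, not code from F6 or the NFCGate project. All APDU bytes,
card data and timings are illustrative placeholders.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed toy APDUs (shape only; not real EMV commands or data).
SELECT_APP = bytes.fromhex("00A4040007A0000000041010")
READ_RECORD = bytes.fromhex("00B2010C00")
STATUS_OK = bytes.fromhex("9000")
FILE_NOT_FOUND = bytes.fromhex("6A82")


class SimClock:
    """Deterministic clock so the latency argument does not depend on sleep()."""
    def __init__(self) -> None:
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def advance(self, dt: float) -> None:
        self.t += dt


class Card:
    """The victim's physical card, tapped against the victim's own phone."""
    TAP_DELAY_S = 0.005  # assumed cost of one local contactless exchange

    def __init__(self, clock: SimClock, record: bytes) -> None:
        self.clock, self.record = clock, record

    def transceive(self, apdu: bytes) -> bytes:
        self.clock.advance(self.TAP_DELAY_S)
        if apdu == SELECT_APP:
            return bytes.fromhex("6F03840101") + STATUS_OK  # toy FCI template
        if apdu == READ_RECORD:
            return self.record + STATUS_OK
        return FILE_NOT_FOUND


@dataclass
class MaliciousApp:
    """What the decoy app on the victim's phone collects."""
    pin: Optional[str] = None
    apdus: list = field(default_factory=list)

    def fake_card_confirmation(self, typed_pin: str) -> None:
        # The PIN never crosses the NFC channel: the victim types it into the decoy screen.
        self.pin = typed_pin


class RelayedCard:
    """Attacker's phone, presented to the terminal as if it were the card."""
    def __init__(self, clock: SimClock, victim_card: Card, app: MaliciousApp,
                 hop_latency_s: float) -> None:
        self.clock, self.victim_card, self.app, self.hop = clock, victim_card, app, hop_latency_s

    def transceive(self, apdu: bytes) -> bytes:
        self.clock.advance(self.hop)               # terminal -> attacker phone -> victim phone
        resp = self.victim_card.transceive(apdu)   # real card answers on the victim's phone
        self.clock.advance(self.hop)               # victim phone -> attacker phone -> terminal
        self.app.apdus.append((apdu.hex(), resp.hex()))
        return resp


class Terminal:
    """Terminal-side reader with a round-trip budget for the whole exchange."""
    def __init__(self, clock: SimClock, max_elapsed_s: float) -> None:
        self.clock, self.max_elapsed_s = clock, max_elapsed_s

    def read_card(self, card) -> dict:
        start = self.clock.now()
        fci = card.transceive(SELECT_APP)
        rec = card.transceive(READ_RECORD)
        elapsed = self.clock.now() - start
        return {
            "status_ok": fci.endswith(STATUS_OK) and rec.endswith(STATUS_OK),
            "record": rec[:-2] if rec.endswith(STATUS_OK) else b"",
            "elapsed_s": round(elapsed, 6),
            "within_budget": elapsed <= self.max_elapsed_s,
        }


def run_scenario(hop_latency_s: float = 0.150, max_elapsed_s: float = 0.050) -> dict:
    """Read the same card directly and through the relay; compare bytes and timing."""
    clock = SimClock()
    card = Card(clock, record=b"TOY-CARD-RECORD")  # constructed placeholder data
    terminal = Terminal(clock, max_elapsed_s)
    direct = terminal.read_card(card)

    app = MaliciousApp()
    app.fake_card_confirmation("1234")             # victim types PIN into the decoy UI
    relayed = terminal.read_card(RelayedCard(clock, card, app, hop_latency_s))
    return {
        "direct": direct,
        "relayed": relayed,
        "byte_identical": direct["record"] == relayed["record"],
        "captured": {"pin": app.pin, "apdu_pairs": len(app.apdus)},
    }


if __name__ == "__main__":
    print(run_scenario())
```

The two reads return the same record bytes and both end in the success status, which is why card data alone cannot reveal the relay; only the elapsed time differs, and with the assumed hop latency the relayed read blows the terminal's budget while the direct read stays inside it. The captured dictionary shows that the PIN and the card conversation are harvested by different means, the former from the decoy screen and the latter from the forwarded APDUs.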


The total damage from NFCGate-based attacks in January and February 2025 is estimated at 200 million rubles. In February alone, such attacks increased by 80% compared to January. Over 1,200 users were targeted, and the number of infected devices with malicious versions of NFCGate exceeded 158,000.


While earlier this year attackers often used phone calls and chat messages, the main delivery method is now CraxsRAT. Experts note a growing number of cases where both tools are installed on the same device. Moreover, dark web listings have been discovered offering rental access to bundles that combine the capabilities of CraxsRAT and NFCGate.


According to researchers, using CraxsRAT in combination with NFCGate gives criminals full control over a victim's smartphone — enabling access to banking apps, intercepting notifications and one-time codes, and even directly cashing out money via NFC signal interception and card data theft.


CraxsRAT spreads primarily through social engineering — malicious APK files are sent via messengers, disguised as photo/video archives or popular apps. Common decoys include fake versions of government services (like Gosuslugi, GosZashchita), antivirus tools, telecom apps, and photo/video editing programs.


Analysts have identified over 140 unique CraxsRAT samples and more than 100 malicious versions of NFCGate. Common disguises include fake government apps (Central Bank Card Protection, GosSecure), contactless payment tools, video calling apps, and automotive diagnostic software.


This malware combo allows criminals to drain user accounts without calls, by gaining complete access to banking apps, messages, and the NFC module, F6 emphasized.


Recommendations:


  • Users should avoid installing apps from unknown sources, be cautious in messaging platforms, and verify all links — even those that appear official.
  • Banks are advised to abandon all forms of client communication through messengers and strengthen security in ATMs and mobile banking apps.