A smartphone vibrates on a nightstand in a suburban house in the quiet time of the day. To the owner, it is just a routine alert. However, a ghost has just stepped in under the glass and silicon. That is the case with the recently emerged Android Remote Access Trojan (RAT) SURXRAT V5, which is shaking up the mobile cybercrime playbook in 2026.
Unlike the primitive malware of the past, SURXRAT V5 marks a frightening change of direction in the online underworld. It is not only a tool but a Malware-as-a-Service (MaaS) empire, with subscription rates, customer service, and, most alarmingly, AI experiments, which points to a new period of autonomous digital theft.
Malware-as-a-Service: Democratization of Crime
Security researchers at Cyble and The Cyber Express have spent the past few weeks unraveling the layers of SURXRAT, and what they have discovered is a commercially organized operation. Gone are the days when a hacker needed profound technical knowledge to break into a device. Nowadays, with the help of a Telegram-based underground market, any user with a cryptocurrency wallet can become a sophisticated threat actor.
SURXRAT V5 is marketed under a tiered “Partner Program” that looks more like a Silicon Valley SaaS start-up than a criminal operation:
- The Reseller Plan: For a one-time payment of $200,000, affiliates can operate their own groups of infected machines.
- The Partner Plan: For a minimum of 500,000, high-level “partners” receive priority for server upgrades, as well as unlimited “builds,” that is, made-to-order malware designed to suit specific targets.
The 23GB “Brain” in the Background: The AI Frontier
The most disturbing finding in the SURXRAT V5 codebase is that it experimented with Large Language Models (LLMs). The malware conditionally downloaded a massive 23GB AI module from the Hugging Face repository, a service typically used to develop real AI applications.
- Context-Aware Social Engineering: The AI is used to scan a victim's text history and write off-the-shelf phishing messages to their acquaintances.
- Behavioral Evasion: The AI can assess the security conditions of the device and alter the malware's activity to mimic the user's habits and avoid raising red flags over unusual activity.
- Dynamic Ransomware: The AI can read a victim's financial records and produce a “differentiated” extortion request based on what the user can actually afford to pay.
The Human Toll: Complete Digital Surrender
To the victim, SURXRAT V5 is the ultimate intrusion into privacy. As soon as the malware receives Accessibility Permissions, often by asking the user to consider an update to their system or an anti-virus program, the device is no longer under the user's control.
The malware is a god-mode surveillance platform. It can:
- Harvest Everything: It silently steals SMS histories, call logs and browser histories.
- Live Monitoring: It can turn on the microphone and camera at any time, turning the phone into a wiretap.
- On-Device Fraud: Since it has access to the screen, it can open banking applications and transfer money while the user is asleep, even getting past two-factor authentication by reading codes sent to the user through SMS.
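Because everything above hinges on an app holding an enabled accessibility service alongside SMS, call log, microphone or camera access, that combination is a practical thing to audit on a handset. The following is an added example, not code from the researchers or the article: it triages the value of Android's `enabled_accessibility_services` secure setting against each package's granted permissions. The package names, sample values and allowlist are constructed for illustration.

```python
# Added example. On a real device the two inputs would come from:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell dumpsys package <pkg>   (granted permissions section)

# Capabilities the article lists, mapped to the Android permissions behind them.
RISKY = {
    "android.permission.READ_SMS": "SMS history / 2FA codes",
    "android.permission.RECEIVE_SMS": "incoming SMS / 2FA codes",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
}

def parse_accessibility_setting(value):
    """Return package names from the colon-separated 'pkg/class' list."""
    pkgs = []
    for comp in (value or "").strip().split(":"):
        comp = comp.strip()
        if not comp or comp == "null":      # 'null' is printed when unset
            continue
        pkg = comp.split("/", 1)[0]
        if pkg not in pkgs:
            pkgs.append(pkg)
    return pkgs

def triage(setting_value, granted, allowlist=frozenset()):
    """Rank accessibility-enabled packages by risky permissions held."""
    findings = []
    for pkg in parse_accessibility_setting(setting_value):
        if pkg in allowlist:                # known assistive tools
            continue
        hits = sorted(p for p in granted.get(pkg, ()) if p in RISKY)
        findings.append({"package": pkg, "score": len(hits),
                         "exposes": [RISKY[p] for p in hits]})
    return sorted(findings, key=lambda f: (-f["score"], f["package"]))

# Constructed sample data (hypothetical package names).
SAMPLE_SETTING = ("com.example.screenreader/.ReaderService:"
                  "com.example.sysupdate/com.example.sysupdate.CoreService")
SAMPLE_GRANTED = {
    "com.example.screenreader": {"android.permission.RECORD_AUDIO"},
    "com.example.sysupdate": {"android.permission.READ_SMS",
                              "android.permission.RECORD_AUDIO",
                              "android.permission.CAMERA",
                              "android.permission.INTERNET"},
}

if __name__ == "__main__":
    for f in triage(SAMPLE_SETTING, SAMPLE_GRANTED, {"com.example.screenreader"}):
        print(f["package"], f["score"], ", ".join(f["exposes"]))
```

A high score is a reason to review the app, not proof of infection; legitimate assistive apps can hold some of these permissions too.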

