Russia-linked malware operation collapses after security failures, developer’s arrest

An Android spyware operation that briefly gained traction in Russia appears to have collapsed within months of its launch after security flaws exposed its infrastructure and authorities arrested its suspected developer, cybersecurity researchers said.

The malware, known as ClayRat, was designed for espionage and remote control of infected Android devices. Once installed, it could intercept SMS messages and call logs, access contacts, take photos, record screens, and execute commands sent from a remote command-and-control server.

Despite attracting attention shortly after emerging in October 2025, ClayRat’s infrastructure deteriorated rapidly. By December, all known command servers associated with the malware had gone offline, researchers at the Russian cybersecurity firm Solar said in a report released Friday. Solar is a subsidiary of Russian state-owned telecom giant Rostelecom.

The shutdown appears to coincide with the arrest in the Russian city of Krasnodar of a student suspected of developing the malware. He allegedly marketed ClayRat through Telegram channels using a subscription model that charged customers $90 per week or $300 per month, or took a 15% share of revenue generated through the malware.

At its peak, ClayRat was expanding rapidly, according to a previous report by security firm Zimperium, which identified more than 600 malware samples and around 50 droppers used to install it over the course of three months.

The malware was primarily distributed through phishing websites and applications disguised as legitimate services, including platforms mimicking WhatsApp, Google Photos, TikTok, and YouTube, as well as Russian taxi and parking apps. Researchers said the campaign largely targeted users in Russia.

According to Solar, the project’s collapse was accelerated by a series of technical and operational mistakes by its developer.

The malware contained multiple weaknesses, they said, including passwords stored in plaintext, weak code obfuscation, and a reliance on obvious command names that made its functions easier to identify. Distribution methods were also predictable, with the malware promoted openly on Telegram and delivered through phishing sites impersonating well-known applications.

“Despite its ambitious functionality, ClayRat followed the path of many short-lived Android remote access trojans,” Solar said. “After a brief spike in activity, its infrastructure deteriorated, the project appears to have been abandoned, and its creators are now being pursued by law enforcement.”

Solar noted that ClayRat’s collapse mirrors the fate of other recent malware projects. A banking trojan known as Gorilla, launched last year, also shut down within months after its operators made similar security mistakes.

Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.