The PolySwarm Blog

A New Variant of ClayRAT Transmutes

Dec 12, 2025 2:03:27 PM / by The Hivemind posted in Threat Bulletin, accessibility service abuse, lockscreen bypass, ClayRAT, Android Spyware, MediaProjection API, screen recording malware

Verticals Targeted: Not specified
Regions Targeted: Russia
Related Families: Previous ClayRAT variants

Executive Summary

The ClayRAT Android spyware family has returned with a markedly more sophisticated variant that heavily weaponizes Android Accessibility Services and Default SMS privileges to achieve near-complete device takeover. New capabilities include automated lock-screen credential theft, persistent screen recording, programmable overlays, and interactive fake notifications designed to phish user replies.
