Spynote 65 Github Direct

The fake websites consistently include specific JavaScript libraries and run on nginx servers hosted on Lightnode Limited and Vultr Holdings LLC infrastructure. Despite repeated exposure in prior research, the operators persist with the same social engineering tactics while showing only modest technical sophistication. Their infrastructure remains centralized on two recurring IP addresses, 154.90.58[.]26 and 199.247.6[.]61, with fake Play Store domains including mcspa[.]top, megha[.]top, and jewrs[.]top. Both hosting providers are commodity services, and the SSL certificates are issued with minimal validation.

Grants the attacker full read/write access to the device's internal storage, allowing them to download photos, exfiltrate documents, or upload further malicious payloads.

SpyNote v6.5 is an advanced Android Remote Access Trojan (RAT) that has gained significant notoriety on platforms like

Regularly update the Android operating system to patch vulnerabilities that malware might exploit.

Aggregates and dumps contact lists, comprehensive SMS archives, call history logs, and local file directory trees directly back to the Command and Control (C2) server.

While the term specifically points to the leaked code from late 2022, the malware family continues to evolve. Security researchers have noted a resurgence in SpyNote activity in 2025 and 2026, with updates including more robust anti-analysis measures and the injection of malicious DEX elements directly into the Android ClassLoader at runtime. The open-source nature of the code has also led to the creation of numerous forks, such as SpyMax and the Malware-as-a-Service (MaaS) variant operated by threat actor "EVLF," ensuring that the legacy of SpyNote will remain a persistent headache for the cybersecurity industry for years to come.