SpyNote Malware Analysis

· Published 27/08/2025 16:22 · Modified 27/08/2025 19:43

Essential information

Tags
2025-08-27 android apk malware delivery spynote
Related entities
1 malware

Description

This analysis reveals the resurgence of SpyNote, a potent RAT, distributed through deceptive websites mimicking the Google Play Store. The malware employs sophisticated techniques for surveillance, data exfiltration, and remote control. Recent changes include minor IP resolution adjustments and enhanced anti-analysis measures in the dropper. SpyNote's capabilities include keylogging, camera and microphone control, and abuse of Android's Accessibility Services. The threat actor demonstrates persistence and limited technical adaptability, targeting consumers broadly with lures mimicking popular applications. Key technique changes involve dynamic payload decryption, DEX element injection, and obfuscation of C2 logic. The campaign underscores the ongoing threat of mobile RATs and the need for vigilance against social engineering tactics.

External references