ZeroDayRAT Commercial Mobile Spyware Sold on Telegram
Mobile security researchers reported a newly identified commercial spyware toolkit dubbed ZeroDayRAT that provides operators broad, remote control of both Android and iOS devices and is being marketed to buyers via Telegram channels that include sales, customer support, and updates. Analysis attributed to iVerify describes a mass-market packaging of surveillance and info-stealing capabilities typically associated with higher-end commercial spyware, delivered through an operator-facing control panel intended to lower the technical barrier for use.
ZeroDayRAT infections are primarily driven by social engineering that tricks victims into installing a malicious mobile binary (e.g., APK on Android or an iOS payload), including smishing links, phishing emails, fake apps/app stores, and links shared through messaging platforms such as WhatsApp and Telegram. Once installed, the spyware can enable real-time monitoring and data theft, including access to device and SIM details, location tracking, notification/SMS previews, and enumeration of accounts registered on the device—capabilities that can support account takeover (including MFA bypass via SMS visibility), targeted social engineering, and theft of banking/cryptocurrency-related data.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Public reporting reveals ZeroDayRAT's mass-market spyware model
Media reports published on February 10, 2026 disclosed iVerify's findings that ZeroDayRAT was being openly sold on Telegram with a web control panel and developer support, lowering the barrier to entry for mobile surveillance and account takeover operations. Reporting highlighted delivery through smishing, phishing, fake apps, and malicious links, as well as risks such as MFA bypass and executive targeting.
iVerify identifies and analyzes ZeroDayRAT spyware
In February 2026, iVerify discovered and analyzed ZeroDayRAT, a commercial spyware platform targeting Android and iOS devices. The research found it offered full remote control, surveillance, credential theft, banking theft, and crypto theft features through operator-managed infrastructure.
ZeroDayRAT begins distribution on Telegram
iVerify assessed that the commercial mobile spyware toolkit ZeroDayRAT was first distributed and marketed via Telegram beginning on February 2, 2026. The operation included sales, support, and update channels for buyers.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
ZeroDayRAT and the Productization of Mobile Spyware
vulnu.com
Open sourceAndroid, iOS device compromise threatened by new ZeroDayRAT spyware | SC Media
scworld.com
Open sourceZeroDayRAT spyware grants attackers total access to mobile devices
securityaffairs.com
Open sourceIn Bypassing MFA, ZeroDayRAT Is 'Textbook Stalkerware'
darkreading.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
ZeroDayRAT Mobile Spyware Sold on Telegram Targets Android and iOS
Researchers disclosed a new mobile spyware platform dubbed **ZeroDayRAT** that is being openly advertised and sold via Telegram channels, including sales, support, and update streams. iVerify reported first observing activity in early February 2026 and assessed the tool is positioned as a “ready-to-run” cross-platform spyware kit supporting **Android 5–16** and **iOS up to 26**, with a browser-accessible (and in some cases self-hosted) operator panel intended to lower the technical barrier for buyers. ZeroDayRAT’s capabilities include real-time surveillance and data theft: GPS tracking with location history (including Google Maps plotting), notification capture, SMS interception (including **OTP** codes used for 2FA), keylogging, screen recording, and live camera/microphone access. The operator panel also enumerates accounts registered on the device (e.g., Google, WhatsApp, Instagram, Telegram, Amazon and regional payment apps), enabling victim profiling and potential account takeover. Distribution is assessed to rely primarily on social engineering—particularly **smishing** links leading to fake download pages—along with phishing, fake app stores, and malicious links shared via messaging apps, resulting in installation of an Android APK or an iOS payload.
Mar 21, 2026
Telegram-Marketed Mobile RATs Sold as MaaS Target Android (and Claimed iOS) via Smishing and Surveillance Features
Researchers reported two **Telegram-marketed malware-as-a-service (MaaS)** offerings focused on mobile device compromise and surveillance. *ZeroDayRAT* is advertised as a subscription spyware platform claiming full monitoring of **Android and iOS** devices, with infections driven by **smishing** and other social-engineering lures that push victims to malicious links disguised as legitimate apps/updates; delivery chains reportedly use multi-stage redirects, URL shorteners, and in some cases trusted hosting such as *GitHub Pages* to evade reputation-based filtering. Once installed, the operator-facing web panel is advertised to provide extensive monitoring, including device profiling, app-usage timelines, GPS tracking, and remote activation of camera/microphone, plus screen recording and keystroke logging—capabilities consistent with credential theft and broad user surveillance. Separately, Cyble detailed ongoing development of *SURXRAT* (marketed as **SURXRAT V5**) as an Android RAT sold through a structured reseller/partner licensing model that enables affiliates to generate customized builds while the operator retains centralized control. The malware is described as a full-featured surveillance and device-control toolkit that abuses **Android Accessibility** permissions for persistent control and uses **Firebase-backed C2**; code similarities indicate lineage from **ArsinkRAT**. Recent samples were observed conditionally downloading a **large LLM module from Hugging Face**, which researchers assess as experimentation that could enable AI-assisted functionality, deliberate device performance impact, or new monetization approaches alongside established behaviors such as data exfiltration, remote command execution, and ransomware-style device locking.
Mar 21, 2026
Active Spyware Campaigns Targeting Mobile Messaging Apps and Android Devices
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert regarding a surge in sophisticated spyware campaigns targeting users of popular mobile messaging applications such as Signal, WhatsApp, and Telegram. Threat actors are leveraging commercial spyware and remote access trojans (RATs), employing tactics like social engineering, device-linking QR codes, zero-click exploits, and spoofed app versions to compromise high-value individuals, including government officials. Notable campaigns include the use of Android spyware like ProSpy, ToSpy, and ClayRat, as well as the exploitation of vulnerabilities in iOS, WhatsApp, and Samsung devices to deploy malware such as LANDFALL, with the goal of persistent access and data exfiltration. In a related development, researchers at Certo Software have identified a new Android RAT dubbed RadzaRat, which masquerades as a legitimate file manager app. RadzaRat provides attackers with full remote control over infected devices, supports large-scale file transfers, and features keylogging capabilities to steal sensitive information. Alarmingly, RadzaRat is currently undetectable by all major antivirus solutions and is openly available for download, increasing the risk of widespread abuse. These findings underscore the growing threat posed by advanced spyware and RATs targeting mobile platforms, often bypassing traditional security defenses and exploiting user trust in legitimate-looking applications.
Mar 21, 2026