Telegram-Marketed Mobile RATs Sold as MaaS Target Android (and Claimed iOS) via Smishing and Surveillance Features
Researchers reported two Telegram-marketed malware-as-a-service (MaaS) offerings focused on mobile device compromise and surveillance. ZeroDayRAT is advertised as a subscription spyware platform claiming full monitoring of Android and iOS devices, with infections driven by smishing and other social-engineering lures that push victims to malicious links disguised as legitimate apps/updates; delivery chains reportedly use multi-stage redirects, URL shorteners, and in some cases trusted hosting such as GitHub Pages to evade reputation-based filtering. Once installed, the operator-facing web panel is advertised to provide extensive monitoring, including device profiling, app-usage timelines, GPS tracking, and remote activation of camera/microphone, plus screen recording and keystroke logging—capabilities consistent with credential theft and broad user surveillance.
Separately, Cyble detailed ongoing development of SURXRAT (marketed as SURXRAT V5) as an Android RAT sold through a structured reseller/partner licensing model that enables affiliates to generate customized builds while the operator retains centralized control. The malware is described as a full-featured surveillance and device-control toolkit that abuses Android Accessibility permissions for persistent control and uses Firebase-backed C2; code similarities indicate lineage from ArsinkRAT. Recent samples were observed conditionally downloading a large LLM module from Hugging Face, which researchers assess as experimentation that could enable AI-assisted functionality, deliberate device performance impact, or new monetization approaches alongside established behaviors such as data exfiltration, remote command execution, and ransomware-style device locking.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Researchers question whether ZeroDayRAT is genuine or a scam
In the same February 24, 2026 reporting, Cyberthint noted inconsistencies in ZeroDayRAT's marketing and signs that its interface may be staged or AI-generated. The firm said it remains unclear whether the platform is a real active threat or a fraud targeting would-be buyers.
Cyberthint reports ZeroDayRAT mobile spyware being marketed on Telegram
On February 24, 2026, Cyberthint reported a purported subscription-based mobile spyware platform called ZeroDayRAT that claims to monitor Android and iOS devices through a web control panel. The research says the offering is promoted in Telegram channels and advertises capabilities including GPS tracking, camera and microphone access, screen recording, keylogging, and theft of wallet and payment data.
Cyble publishes SURXRAT V5 analysis and links it to MaaS activity
On February 24, 2026, Cyble published research describing SURXRAT as an actively developed Android malware-as-a-service operation using Telegram-based reseller tiers, Firebase-backed command-and-control, and Accessibility Services abuse. The report says researchers identified more than 180 related samples and assessed the LLM download as possible experimentation for evasion, AI-assisted features, or monetization.
Researchers identify SURXRAT's large Hugging Face LLM download behavior
Cyble Research and Intelligence Labs documents a new SURXRAT behavior in which infected Android devices conditionally download a very large LLM module, over 23GB in size, from Hugging Face. The download is triggered when certain gaming apps are active or when package names are supplied by the attacker's backend.
Zimperium reports ArsinkRAT activity
Cyble cites Zimperium as reporting the ArsinkRAT family as active in January 2026. Code references and functional overlap suggest SURXRAT may have evolved from this malware family.
SURXRAT development likely begins
Based on the age of the Telegram ecosystem and subsequent sample activity, Cyble assesses that SURXRAT development likely started in early 2025. The malware later evolved into an actively developed Android RAT with surveillance, device-control, and locker capabilities.
SURXRAT operator launches Telegram channel for MaaS distribution
Cyble reports that the Telegram channel used to market the SURXRAT V5 malware-as-a-service ecosystem was created in late 2024. This indicates the operator had established reseller and partner distribution infrastructure by that time.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Commercial Android RATs Abuse Accessibility Services for Full Device Takeover
Two newly reported Android **Remote Access Trojans (RATs)**—**SURXRAT** and **Oblivion**—highlight a continued shift toward *commercialized, subscription-based mobile malware* that enables non-expert criminals to gain full control of victim devices and exfiltrate data. Both threats are positioned as scalable offerings (i.e., **Malware-as-a-Service**) with structured sales models and distribution support, lowering the barrier to entry for surveillance, credential theft, and account takeover. The reported infection chains rely heavily on **social engineering** to trick users into installing or activating malicious components, then escalating control by abusing **Android Accessibility Services** to bypass normal interaction and security boundaries. SURXRAT is described as modular and stealth-focused, distributed primarily via **Telegram** channels with tiered licensing/reseller options, and capable of broad data access (e.g., SMS, contacts, location, storage) once high-risk permissions are granted. Oblivion is marketed at roughly **$300/month** (with longer-term pricing tiers) and is delivered via **fake Google Play update** prompts; researchers reported capabilities including SMS theft for banking codes, keylogging, remote unlocking after reboot, and covert live screen viewing while a decoy “system updating” animation distracts the victim, with infrastructure reportedly able to manage **1,000+** concurrent victims (including via Tor).
Mar 21, 2026
ZeroDayRAT Commercial Mobile Spyware Sold on Telegram
Mobile security researchers reported a newly identified commercial spyware toolkit dubbed **ZeroDayRAT** that provides operators broad, remote control of both **Android and iOS** devices and is being marketed to buyers via **Telegram** channels that include sales, customer support, and updates. Analysis attributed to *iVerify* describes a mass-market packaging of surveillance and info-stealing capabilities typically associated with higher-end commercial spyware, delivered through an operator-facing control panel intended to lower the technical barrier for use. ZeroDayRAT infections are primarily driven by social engineering that tricks victims into installing a malicious mobile binary (e.g., **APK** on Android or an iOS payload), including **smishing** links, phishing emails, fake apps/app stores, and links shared through messaging platforms such as WhatsApp and Telegram. Once installed, the spyware can enable real-time monitoring and data theft, including access to device and SIM details, location tracking, notification/SMS previews, and enumeration of accounts registered on the device—capabilities that can support **account takeover** (including MFA bypass via SMS visibility), targeted social engineering, and theft of banking/cryptocurrency-related data.
Mar 21, 2026
ZeroDayRAT Mobile Spyware Sold on Telegram Targets Android and iOS
Researchers disclosed a new mobile spyware platform dubbed **ZeroDayRAT** that is being openly advertised and sold via Telegram channels, including sales, support, and update streams. iVerify reported first observing activity in early February 2026 and assessed the tool is positioned as a “ready-to-run” cross-platform spyware kit supporting **Android 5–16** and **iOS up to 26**, with a browser-accessible (and in some cases self-hosted) operator panel intended to lower the technical barrier for buyers. ZeroDayRAT’s capabilities include real-time surveillance and data theft: GPS tracking with location history (including Google Maps plotting), notification capture, SMS interception (including **OTP** codes used for 2FA), keylogging, screen recording, and live camera/microphone access. The operator panel also enumerates accounts registered on the device (e.g., Google, WhatsApp, Instagram, Telegram, Amazon and regional payment apps), enabling victim profiling and potential account takeover. Distribution is assessed to rely primarily on social engineering—particularly **smishing** links leading to fake download pages—along with phishing, fake app stores, and malicious links shared via messaging apps, resulting in installation of an Android APK or an iOS payload.
Mar 21, 2026