ZeroDayRAT
ZeroDayRAT is a commercial cross-platform mobile spyware / remote access trojan targeting Android and iOS devices. It has been reported by iVerify and others as being sold openly via Telegram, with dedicated sales, support, and update channels, and activity first observed on February 2, 2026. The platform is described as supporting Android versions 5 through 16 and iOS up to version 26, and as providing buyers with a web-based or self-hosted control panel and, in some reporting, a builder for malicious binaries, lowering the barrier to entry for less-skilled operators.
Delivery is consistently described as requiring installation of a malicious APK or iOS payload, typically via social engineering. Reported infection vectors include smishing, phishing emails, fake app stores, and malicious links shared through WhatsApp or Telegram; some reporting also mentions URL shorteners, multi-stage redirects, and use of trusted infrastructure such as GitHub Pages in delivery chains.
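The delivery chain described above (shortener, several redirects, a trusted host, then a mobile payload) can be triaged mechanically from the redirect hops alone. The following is an added example for URL-filtering or mail-gateway analysts; it is not code from iVerify, Mallory, or any reporting on this family. The redirect table, the hop URLs and the shortener list are constructed sample data, and the hop thresholds are assumptions for illustration.

```python
"""Classify an HTTP redirect chain against the delivery pattern reported for
ZeroDayRAT lures: URL shortener -> multi-stage redirects -> trusted hosting
(e.g. GitHub Pages) -> APK / iOS payload.

Added example; the sample redirect table and thresholds are constructed, not
taken from any published sample."""
from urllib.parse import urlparse

# Assumed sample list of public URL shorteners; extend from your own telemetry.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
# Hosting that filters tend to trust; reporting names GitHub Pages specifically.
TRUSTED_HOSTING_SUFFIXES = (".github.io",)
# File types that would install a mobile payload when the chain ends.
PAYLOAD_EXTENSIONS = (".apk", ".ipa", ".mobileconfig")
# More redirects than this is unusual for a legitimate link (assumed threshold).
MAX_BENIGN_REDIRECTS = 2


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def resolve_chain(start: str, redirects: dict[str, str], max_hops: int = 10) -> list[str]:
    """Walk a redirect table offline: hops[0] is the URL the victim received,
    each later entry is the Location the previous one redirected to.
    Stops on a loop or when max_hops is reached so a hostile chain cannot
    keep the analyzer busy forever."""
    hops, seen = [start], {start}
    while hops[-1] in redirects and len(hops) <= max_hops:
        nxt = redirects[hops[-1]]
        if nxt in seen:
            break  # redirect loop; keep what we have
        hops.append(nxt)
        seen.add(nxt)
    return hops


def analyze_chain(hops: list[str]) -> dict:
    """Return the findings that match the reported lure pattern and a verdict."""
    findings = []
    if any(host_of(h) in SHORTENER_HOSTS for h in hops):
        findings.append("shortener_in_chain")
    if len(hops) - 1 > MAX_BENIGN_REDIRECTS:
        findings.append("long_redirect_chain")
    if len({host_of(h) for h in hops}) >= 3:
        findings.append("multi_domain_chain")
    final = hops[-1]
    if host_of(final).endswith(TRUSTED_HOSTING_SUFFIXES):
        findings.append("trusted_hosting_final_hop")
    if urlparse(final).path.lower().endswith(PAYLOAD_EXTENSIONS):
        findings.append("mobile_payload_final_hop")

    # A mobile installer at the end of an obfuscated chain is the combination
    # worth blocking outright; anything else with findings goes to review.
    if "mobile_payload_final_hop" in findings and len(findings) >= 2:
        verdict = "block"
    elif findings:
        verdict = "review"
    else:
        verdict = "allow"
    return {"hops": len(hops), "findings": findings, "verdict": verdict}


# Constructed redirect table standing in for what a sandboxed fetcher would log.
SAMPLE_REDIRECTS = {
    "https://bit.ly/placeholder-sample": "https://redirect.example.net/go?id=1",
    "https://redirect.example.net/go?id=1": "https://promo.example.org/update",
    "https://promo.example.org/update": "https://secure-update-sample.github.io/app/Update.apk",
    # A benign two-hop chain for comparison.
    "https://www.example.com/news": "https://example.com/news",
}


def triage_url(start: str, redirects: dict[str, str] = SAMPLE_REDIRECTS) -> dict:
    return analyze_chain(resolve_chain(start, redirects))


if __name__ == "__main__":
    for url in ("https://bit.ly/placeholder-sample", "https://www.example.com/news"):
        print(url, "->", triage_url(url))
```

Each finding on its own is weak: shorteners are common in marketing SMS and GitHub Pages hosts plenty of legitimate downloads. The value is in requiring the combination the reporting describes before blocking, and sending single-finding chains to a reviewer rather than silently allowing them.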
Once installed, ZeroDayRAT provides extensive remote access, surveillance, and theft capabilities. Reported functions include device profiling; collection of device model, OS, battery, country, lock status, SIM and carrier data; app usage and activity timelines; recent SMS previews; notification capture; GPS tracking with location history; account enumeration; live camera streaming; microphone access; screen recording; live screen preview; and keylogging with app context and timestamps. Multiple sources state it can intercept SMS, including one-time passcodes, enabling MFA/2FA bypass and account takeover. It is also described as exfiltrating sensitive files and credentials.
Financial theft features are prominently reported. ZeroDayRAT is described as including bank-stealer and crypto-stealer modules targeting banking, payment, and wallet applications. Reported targets include Apple Pay, Google Pay, PayPal, PhonePe, and wallet apps such as MetaMask, Trust Wallet, Binance, and Coinbase. Reported techniques include banking overlays for credential capture and clipboard hijacking/address replacement to redirect cryptocurrency transfers.
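The surveillance capabilities and the financial-theft modules listed in the two paragraphs above each depend on specific Android platform grants: SMS interception needs the SMS permissions, overlays need the draw-over-apps permission, keylogging and screen-content capture are typically done through an accessibility service, and notification capture through a notification-listener service. The following added example, not code from any vendor or from the reporting on this family, triages an AndroidManifest.xml against that capability set. Both manifests are constructed samples, and the capability-to-permission mapping and the scoring threshold are assumptions for triage, not a signature for ZeroDayRAT.

```python
"""Heuristic triage of an Android manifest against the capability set reported
for ZeroDayRAT-style spyware (SMS/OTP interception, overlays, keylogging,
notification capture, camera, microphone, GPS, account enumeration, device
profiling).

Added example; mapping and threshold are assumptions, sample manifests are
constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Capability labels from the reported feature list, each mapped to the manifest
# indicators an app would need. "uses" are <uses-permission> names; "bind" is
# the android:permission value a declared <service> must carry for the system
# to bind it as an accessibility or notification-listener service.
CAPABILITY_INDICATORS = {
    "sms_interception": {"uses": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}},
    "notification_capture": {"bind": {"android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"}},
    "keylogging_via_accessibility": {"bind": {"android.permission.BIND_ACCESSIBILITY_SERVICE"}},
    "overlay_credential_capture": {"uses": {"android.permission.SYSTEM_ALERT_WINDOW"}},
    "camera_streaming": {"uses": {"android.permission.CAMERA"}},
    "microphone_access": {"uses": {"android.permission.RECORD_AUDIO"}},
    "gps_tracking": {"uses": {"android.permission.ACCESS_FINE_LOCATION",
                              "android.permission.ACCESS_BACKGROUND_LOCATION"}},
    "account_enumeration": {"uses": {"android.permission.GET_ACCOUNTS"}},
    "device_profiling": {"uses": {"android.permission.READ_PHONE_STATE"}},
}

# Any one capability has legitimate uses (a maps app needs location, a dialer
# needs phone state); the breadth of the combination is what is suspicious.
SPYWARE_THRESHOLD = 4  # assumed


def parse_manifest(xml_text: str) -> tuple[set[str], set[str]]:
    """Return (uses-permission names, service bind permissions) from a manifest."""
    root = ET.fromstring(xml_text)
    uses = {el.get(NAME_ATTR, "") for el in root.iter("uses-permission")}
    binds = {el.get(PERM_ATTR) for el in root.iter("service") if el.get(PERM_ATTR)}
    return uses, binds


def match_capabilities(uses: set[str], binds: set[str]) -> dict[str, list[str]]:
    """Map each reported capability to the indicators actually present."""
    found = {}
    for cap, ind in CAPABILITY_INDICATORS.items():
        hits = sorted((ind.get("uses", set()) & uses) | (ind.get("bind", set()) & binds))
        if hits:
            found[cap] = hits
    return found


def triage(xml_text: str) -> dict:
    uses, binds = parse_manifest(xml_text)
    caps = match_capabilities(uses, binds)
    return {"capabilities": caps, "score": len(caps),
            "spyware_like": len(caps) >= SPYWARE_THRESHOLD}


# Constructed manifest reproducing the reported capability set.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".Notif" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

# Constructed manifest of an ordinary location-aware app for comparison.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application><service android:name=".Sync"/></application>
</manifest>"""

if __name__ == "__main__":
    print(triage(SUSPICIOUS_MANIFEST))
    print(triage(BENIGN_MANIFEST))
```

Screen recording is deliberately absent from the mapping: on Android it is gated by a per-session user consent dialog rather than a manifest permission, so a manifest alone does not reveal it. Treat the score as a reason to pull the APK into dynamic analysis, not as a verdict.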
The malware is described as modular and as using stealth techniques that complicate detection by conventional or signature-based defenses. One report notes that disruption is difficult because there is no central server and each operator runs their own instance, leaving Telegram sales channels as a visible but easily reconstituted chokepoint.
Targeting is broad at the device level: Android and iOS mobile users. Reporting also notes risk to individuals, SMBs, enterprises with weak BYOD controls, and high-risk persons such as journalists, activists, and domestic abuse victims. High-confidence reporting associates the malware with commercial spyware activity rather than with a named state actor. Some reporting raises doubts about whether the advertised platform is fully functional or partially staged, but multiple sources consistently describe the claimed capabilities and the Telegram-based commercialization.
Techniques & procedures
21 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development: 1 technique
Initial Access: 5 techniques
  Attackers usually infect victims through smishing texts, phishing emails, fake apps, or malicious links shared on messaging platforms.
  "The most common way that happens is smishing: the victim gets a text with a link, downloads what looks like a legitimate app, and installs it."
Execution: 1 technique
Credential Access: 4 techniques
Discovery: 4 techniques
  "...app usage, recent activity... monitor notifications from all apps..."
  "complete overview of the phone's makeup, including device model, SIM, location data, carrier info"
Collection: 8 techniques
  "...a keylogger captures every input with app context and millisecond timestamps."
  From one panel, operators can stream the phone's camera, record the screen... A live screen preview lets attackers watch what the victim is doing as it happens.
Recent activity
24 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Named as one of 17 Android malware families detected in the wild over four months.
Android-focused mobile spyware/RAT distributed via social-engineering lures and sideloaded apps. Establishes persistent remote access to capture screen content, keylog, harvest credentials, and exfiltrate data from banking/payment/personal apps; uses modular architecture and stealth to evade signature-based detection.
Commercial-style mobile spyware/RAT platform advertised on Telegram with a builder and operator panel, supporting Android and iOS, enabling sensitive data theft and real-time surveillance; distributed via social engineering/fake marketplaces.
Mobile spyware/RAT marketed as a MaaS with a web control panel. Delivered via smishing and links through WhatsApp/Telegram and fake app stores, using redirection chains and URL shorteners (including GitHub Pages) to evade filtering. Capabilities include device profiling, GPS tracking, remote camera/mic activation, screen recording, keylogging, SMS access (OTP interception), and financial theft modules such as crypto wallet targeting and clipboard address replacement, plus overlays to steal credentials for Apple Pay/Google Pay/PayPal.