
"It is currently available via Telegram, and was first observed on February 2, 2026, and since analyzed by iVerify. It is "a complete mobile compromise toolkit" comparable to kits normally requniring nation-state resources to develop. Infection requires delivery of a malicious binary. "These kits typically give the buyer a self-hosted panel and a builder," explains Daniel Kelley, research fellow at iVerify. "The operator sets up their own server, configures the panel, then uses the builder to generate payloads that phone home to their infrastructure.""
""Distribution is on the attacker: phishing links, smishing, trojanized apps on third-party stores, social engineering... whatever works. There's an 'exploit' tab in the sidebar, so it's possible it comes with some kind of exploit capability, but we can't confirm it." Once installed on the target, capabilities include victim and device profiling (model, OS, battery, country, lock status, SIM and carrier info, dual SIM phone numbers, app usage broken down by time, a live activity timeline, and a preview of recent SMS messages)."
ZeroDayRAT is a commercially sold mobile spyware toolkit, first observed on February 2, 2026 and available via Telegram. Infection requires delivery of a malicious binary; operators use a self-hosted control panel and a builder to generate payloads that call home. Distribution methods include phishing links, smishing, trojanized third-party apps and social engineering, and a sidebar 'exploit' tab suggests possible exploit capabilities. Once installed, the toolkit provides live camera feeds, keylogging, bank and cryptocurrency theft functions, detailed device and victim profiling, GPS location history plotted on Google Maps, app usage, and account credentials, supporting extensive social-engineering and theft operations.
Read at SecurityWeek