ZeroDayRAT mobile spyware advertisement
Malware Activity
Summary
Hide ▲
Show ▼
The ZeroDayRAT mobile spyware platform is being advertised on Telegram as a commercial toolkit for Android and iOS devices, with support for Android 5 through 16 and iOS up to 26. Researchers say it combines real-time surveillance, OTP capture, keylogging, camera and microphone access, and financial theft features such as wallet and bank-app abuse. The offering uses a builder and self-hosted panel, lowering the barrier for operators to monitor victims and steal sensitive data from infected devices.
Related Happenings
RedWing Android spyware rented through Telegram
Malware Activity
H score21
First: 08.07.2026 18:30
Last: 08.07.2026 18:30
Sources 1
About this happening:
The **RedWing** Android spyware operation is being rented through **Telegram**, lowering the barrier for criminals to hijack phones and steal **banking credentials**. The malware...
RedWing Android spyware rented through Telegram
Malware ActivityAbout this happening: The **RedWing** Android spyware operation is being rented through **Telegram**, lowering the barrier for criminals to hijack phones and steal **banking credentials**. The malware...
RedWing Android bank-fraud malware rental service
Malware Activity
H score21
First: 07.07.2026 20:10
Last: 07.07.2026 20:10
Sources 1
About this happening:
The **RedWing** Android malware service is being rented on **Telegram** to steal **banking logins**, **OTPs**, and device control, raising fraud risk for **banking and cryptocurre...
RedWing Android bank-fraud malware rental service
Malware ActivityAbout this happening: The **RedWing** Android malware service is being rented on **Telegram** to steal **banking logins**, **OTPs**, and device control, raising fraud risk for **banking and cryptocurre...
Bright Data iOS SDK teardown reveals unauthenticated scraping relay and VPN bypass
Technical Analysis
H score45
First: 06.06.2026 11:29
Last: 06.06.2026 11:29
Sources 1
About this happening:
Researchers **reverse-engineered Bright Data's iOS SDK** and found it can turn consumer devices into **exit nodes** for web-scraping traffic. The teardown showed the job channel h...
Bright Data iOS SDK teardown reveals unauthenticated scraping relay and VPN bypass
Technical AnalysisAbout this happening: Researchers **reverse-engineered Bright Data's iOS SDK** and found it can turn consumer devices into **exit nodes** for web-scraping traffic. The teardown showed the job channel h...
BTMOB Android MaaS platform expands low-code phishing payload production
Threat Actor Meta
H score21
First: 29.05.2026 00:10
Last: 29.05.2026 00:10
Sources 1
About this happening:
**BTMOB** has been exposed as a **malware-as-a-service** Android trojan with a **builder interface**, making it easier for cybercriminals to mass-produce tailored phishing payload...
BTMOB Android MaaS platform expands low-code phishing payload production
Threat Actor MetaAbout this happening: **BTMOB** has been exposed as a **malware-as-a-service** Android trojan with a **builder interface**, making it easier for cybercriminals to mass-produce tailored phishing payload...
BTMOB Android RAT no-code builder malware activity
Malware Activity
H score28
First: 26.05.2026 17:00
Last: 26.05.2026 17:00
Sources 1
About this happening:
**BTMOB** is an **Android RAT** sold as **malware-as-a-service** on the **clearweb** and in private **Telegram** channels, with a **no-code APK builder** that generates customized...
BTMOB Android RAT no-code builder malware activity
Malware ActivityAbout this happening: **BTMOB** is an **Android RAT** sold as **malware-as-a-service** on the **clearweb** and in private **Telegram** channels, with a **no-code APK builder** that generates customized...
Latest development: 29.05.2026 00:10
BTMOB is openly advertised on the clearweb and in private Telegram channels as a malware-as-a-service (MaaS) platform with an APK builder that customizes phishing payloads without coding. The Android RAT targets users mainly in Brazil and Latin America, uses phishing sites masquerading as streaming services, cryptocurrency mining platforms, and Google Play portals, and custom lures have included an Argentinian government agency theme.
Timeline
-
10.02.2026 15:00 3 articles · 4mo ago
ZeroDayRAT advertised as mobile spyware for Android and iOS
Initial DisclosureZeroDayRAT is advertised to cybercriminals on Telegram as a commercial mobile spyware toolkit for compromised Android and iOS devices, and iVerify says it can enable real-time surveillance, OTP capture, keylogging, camera and microphone access, screen recording, clipboard address injection, and financial theft against the affected device user.
Show sources
- ZeroDayRAT malware grants full access to Android, iOS devices — www.bleepingcomputer.com — 10.02.2026 15:00
- ZeroDayRAT malware grants full access to Android, iOS devices — www.bleepingcomputer.com — 10.02.2026 15:00
- New ZeroDayRAT Mobile Spyware Enables Real-Time Surveillance and Data Theft — thehackernews.com — 16.02.2026 12:24