ZeroDayRAT Telegram spyware seller ecosystem with direct developer support
Threat Actor Meta
Summary
Hide ▲
Show ▼
ZeroDayRAT is being sold as a Telegram-based spyware service with direct access to the developer through dedicated channels for sales, customer support, and regular updates. The commercial offering targets Android 5 through 16 and iOS up to 26, using a builder and self-hosted panel to enable real-time surveillance, keylogging, OTP collection, and financial theft from infected devices. The service lowers the barrier to entry for criminal operators by packaging mobile credential theft, account profiling, and live monitoring into a ready-to-run panel.
Related Happenings
BTMOB Android MaaS platform expands low-code phishing payload production
Threat Actor Meta
H score21
First: 29.05.2026 00:10
Last: 29.05.2026 00:10
Sources 1
About this happening:
**BTMOB** has been exposed as a **malware-as-a-service** Android trojan with a **builder interface**, making it easier for cybercriminals to mass-produce tailored phishing payload...
BTMOB Android MaaS platform expands low-code phishing payload production
Threat Actor MetaAbout this happening: **BTMOB** has been exposed as a **malware-as-a-service** Android trojan with a **builder interface**, making it easier for cybercriminals to mass-produce tailored phishing payload...
AI-driven attack surge against customer-facing mobile apps in 2026
Trend
H score43
First: 19.05.2026 15:00
Last: 19.05.2026 15:00
Sources 1
About this happening:
**Customer-facing mobile apps** faced a sharp rise in attacks in **2026**, with **87%** of monitored apps hit versus **55% in 2022**. The trend matters because **agentic AI** is l...
AI-driven attack surge against customer-facing mobile apps in 2026
TrendAbout this happening: **Customer-facing mobile apps** faced a sharp rise in attacks in **2026**, with **87%** of monitored apps hit versus **55% in 2022**. The trend matters because **agentic AI** is l...
Google rolls out Android Intrusion Logging in Android Advanced Protection Mode
Security Tool/Service
H score10
First: 14.05.2026 16:30
Last: 14.05.2026 16:30
Sources 1
About this happening:
Google has released **Android Intrusion Logging** for **Android Advanced Protection Mode**, giving **high-risk Android users** encrypted forensic logs to investigate suspected **s...
Google rolls out Android Intrusion Logging in Android Advanced Protection Mode
Security Tool/ServiceAbout this happening: Google has released **Android Intrusion Logging** for **Android Advanced Protection Mode**, giving **high-risk Android users** encrypted forensic logs to investigate suspected **s...
Vidar infostealer market rise and distribution expansion
Malware Activity
H score30
First: 28.04.2026 22:07
Last: 28.04.2026 22:07
Sources 1
About this happening:
**Vidar** remains a long-running **infostealer** threat, and **Aryaka** reported a fresh campaign in **recent weeks** that adds **new obfuscation techniques** and stronger **steal...
Vidar infostealer market rise and distribution expansion
Malware ActivityAbout this happening: **Vidar** remains a long-running **infostealer** threat, and **Aryaka** reported a fresh campaign in **recent weeks** that adds **new obfuscation techniques** and stronger **steal...
Mirax social media ad campaign targeting Spanish-speaking users
Campaign
H score44
First: 13.04.2026 17:30
Last: 13.04.2026 17:30
Sources 1
About this happening:
The **Mirax** distribution campaign is using **social media advertisements** and **fake IPTV or streaming apps** to reach **Spanish-speaking users** at scale, raising the risk of...
Mirax social media ad campaign targeting Spanish-speaking users
CampaignAbout this happening: The **Mirax** distribution campaign is using **social media advertisements** and **fake IPTV or streaming apps** to reach **Spanish-speaking users** at scale, raising the risk of...
Timeline
-
10.02.2026 23:37 3 articles · 4mo ago
ZeroDayRAT is sold openly on Telegram with direct developer support
Initial DisclosureZeroDayRAT is being sold openly on Telegram with direct access to the developer through channels for sales, customer support, and platform updates, turning the malware into a commercial mobile spyware service for mass-market buyers. The offering reaches affected mobile devices through malicious APKs on Android and payloads on iOS delivered by smishing, phishing emails, fake app stores, and links shared over WhatsApp or Telegram, and it is described as capable of real-time surveillance, credential and financial data theft, SMS control that can bypass MFA, keylogging, a microphone feed, screen recording, and bank and crypto theft.
Show sources
- In Bypassing MFA, ZeroDayRAT Is 'Textbook Stalkerware' — www.darkreading.com — 10.02.2026 23:37
- In Bypassing MFA, ZeroDayRAT Is 'Textbook Stalkerware' — www.darkreading.com — 10.02.2026 23:37
- New ZeroDayRAT Mobile Spyware Enables Real-Time Surveillance and Data Theft — thehackernews.com — 16.02.2026 12:24