Find notable cyber news and cases, enriched with sources, timelines, and signals.

ZeroDayRAT Telegram spyware seller ecosystem with direct developer support

Threat Actor Meta
First reported
Last updated
Happening score
H score 31
2 unique sources, 2 articles

Summary

Hide ▲

ZeroDayRAT is being sold as a Telegram-based spyware service with direct access to the developer through dedicated channels for sales, customer support, and regular updates. The commercial offering targets Android 5 through 16 and iOS up to 26, using a builder and self-hosted panel to enable real-time surveillance, keylogging, OTP collection, and financial theft from infected devices. The service lowers the barrier to entry for criminal operators by packaging mobile credential theft, account profiling, and live monitoring into a ready-to-run panel.

Related Happenings

BTMOB Android MaaS platform expands low-code phishing payload production

Threat Actor Meta
H score21 First: 29.05.2026 00:10 Last: 29.05.2026 00:10 Sources 1

About this happening: **BTMOB** has been exposed as a **malware-as-a-service** Android trojan with a **builder interface**, making it easier for cybercriminals to mass-produce tailored phishing payload...

AI-driven attack surge against customer-facing mobile apps in 2026

Trend
H score43 First: 19.05.2026 15:00 Last: 19.05.2026 15:00 Sources 1

About this happening: **Customer-facing mobile apps** faced a sharp rise in attacks in **2026**, with **87%** of monitored apps hit versus **55% in 2022**. The trend matters because **agentic AI** is l...

Google rolls out Android Intrusion Logging in Android Advanced Protection Mode

Security Tool/Service
H score10 First: 14.05.2026 16:30 Last: 14.05.2026 16:30 Sources 1

About this happening: Google has released **Android Intrusion Logging** for **Android Advanced Protection Mode**, giving **high-risk Android users** encrypted forensic logs to investigate suspected **s...

Vidar infostealer market rise and distribution expansion

Malware Activity
H score30 First: 28.04.2026 22:07 Last: 28.04.2026 22:07 Sources 1

About this happening: **Vidar** remains a long-running **infostealer** threat, and **Aryaka** reported a fresh campaign in **recent weeks** that adds **new obfuscation techniques** and stronger **steal...

Mirax social media ad campaign targeting Spanish-speaking users

Campaign
H score44 First: 13.04.2026 17:30 Last: 13.04.2026 17:30 Sources 1

About this happening: The **Mirax** distribution campaign is using **social media advertisements** and **fake IPTV or streaming apps** to reach **Spanish-speaking users** at scale, raising the risk of...

Timeline

  1. 10.02.2026 23:37 3 articles · 4mo ago

    ZeroDayRAT is sold openly on Telegram with direct developer support

    Initial Disclosure

    ZeroDayRAT is being sold openly on Telegram with direct access to the developer through channels for sales, customer support, and platform updates, turning the malware into a commercial mobile spyware service for mass-market buyers. The offering reaches affected mobile devices through malicious APKs on Android and payloads on iOS delivered by smishing, phishing emails, fake app stores, and links shared over WhatsApp or Telegram, and it is described as capable of real-time surveillance, credential and financial data theft, SMS control that can bypass MFA, keylogging, a microphone feed, screen recording, and bank and crypto theft.

    Show sources