ZeroDayRAT Telegram spyware seller ecosystem with direct developer support
Threat Actor Meta
Summary
ZeroDayRAT is being sold as a Telegram-based spyware service with direct access to the developer through dedicated channels for sales, customer support, and regular updates. The commercial offering targets Android 5 through 16 and iOS up to 26, using a builder and self-hosted panel to enable real-time surveillance, keylogging, OTP collection, and financial theft from infected devices. The service lowers the barrier to entry for criminal operators by packaging mobile credential theft, account profiling, and live monitoring into a ready-to-run panel.
Related Happenings
AI-driven attack surge against customer-facing mobile apps in 2026
Target Trend
First: 19.05.2026 15:00
Last: 19.05.2026 15:00
Sources 1
About this happening:
**Customer-facing mobile apps** faced a sharp rise in attacks in **2026**, with **87%** of monitored apps hit versus **55% in 2022**. The trend matters because **agentic AI** is l...
Google rolls out Android Intrusion Logging in Android Advanced Protection Mode
Security Tool/Service
First: 14.05.2026 16:30
Last: 14.05.2026 16:30
Sources 1
About this happening:
Google has released **Android Intrusion Logging** for **Android Advanced Protection Mode**, giving **high-risk Android users** encrypted forensic logs to investigate suspected **s...
Vidar infostealer market rise and distribution expansion
Malware Activity
First: 28.04.2026 22:07
Last: 28.04.2026 22:07
Sources 1
About this happening:
**Vidar** remains a long-running **infostealer** threat, and **Aryaka** reported a fresh campaign in **recent weeks** that adds **new obfuscation techniques** and stronger **steal...
Mirax social media ad campaign targeting Spanish-speaking users
Campaign
First: 13.04.2026 17:30
Last: 13.04.2026 17:30
Sources 1
About this happening:
The **Mirax** distribution campaign is using **social media advertisements** and **fake IPTV or streaming apps** to reach **Spanish-speaking users** at scale, raising the risk of...
CrystalRAT Telegram-promoted malware-as-a-service
Malware Activity
First: 02.04.2026 02:17
Last: 02.04.2026 02:17
Sources 1
About this happening:
The **CrystalRAT** malware-as-a-service is being promoted on **Telegram** and **YouTube** with **remote access**, **data theft**, **keylogging**, and **clipboard hijacking**, incr...
Timeline
10.02.2026 23:37 3 articles · 3mo ago
ZeroDayRAT is sold openly on Telegram with direct developer support
Initial Disclosure
ZeroDayRAT is being sold openly on Telegram with direct access to the developer through channels for sales, customer support, and platform updates, turning the malware into a commercial mobile spyware service for mass-market buyers. The offering reaches affected mobile devices through malicious APKs on Android and payloads on iOS delivered by smishing, phishing emails, fake app stores, and links shared over WhatsApp or Telegram, and it is described as capable of real-time surveillance, credential and financial data theft, SMS control that can bypass MFA, keylogging, a microphone feed, screen recording, and bank and crypto theft.
Sources:
- In Bypassing MFA, ZeroDayRAT Is 'Textbook Stalkerware' — www.darkreading.com — 10.02.2026 23:37
- In Bypassing MFA, ZeroDayRAT Is 'Textbook Stalkerware' — www.darkreading.com — 10.02.2026 23:37
- New ZeroDayRAT Mobile Spyware Enables Real-Time Surveillance and Data Theft — thehackernews.com — 16.02.2026 12:24