ZeroDayRAT is a new mobile spyware toolkit that allows remote access to Android and iOS devices, offering features such as live camera feeds, keylogging, and theft of banking and cryptocurrency information.
It is currently sold via Telegram, was first observed on February 2, 2026, and has since been analyzed by iVerify, which describes it as “a complete mobile compromise toolkit” comparable to kits that normally require nation-state resources to develop.

Infection requires delivery of a malicious binary. “These kits typically give the buyer a self-hosted panel and a builder,” explains Daniel Kelley, research fellow at iVerify. “The operator sets up their own server, configures the panel, then uses the builder to generate payloads that phone home to their infrastructure.”
From there, he continues, “Distribution is on the attacker: phishing links, smishing, trojanized apps on third-party stores, social engineering… whatever works. There’s an ‘exploit’ tab in the sidebar, so it’s possible it comes with some kind of exploit capability, but we can’t confirm it.”
Location tracking is also provided: GPS coordinates are collected from the device and plotted on an embedded Google Map, showing the victim’s current and past locations.

App usage details include names and types of interactions: WhatsApp messages, Instagram notifications, missed calls, Telegram updates, YouTube alerts, and system events. It also reveals registered accounts with usernames and emails from Google, WhatsApp, Instagram, Facebook, Telegram, Amazon, and others, creating a prime target for social engineering.
The kit allows passive data collection from a victim’s device, but it also offers live surveillance features such as camera streaming, screen recording, and a live audio feed. Combined with GPS tracking, an operator can watch, listen to, and locate a target at the same time, according to iVerify.

iVerify warns that ZeroDayRAT is a persistent issue. It’s nearly impossible to identify and arrest the creator. The toolkit is marketed in Portuguese, Russian, Chinese, Spanish, and English.
“We’ve seen them post messages in Chinese, use a Russian domain, and target Indian victims,” says Kelley. “None of it lines up, and that looks intentional. We think they’re actively using disinformation to muddy attribution.”
Similarly, there is no central server for authorities to locate and take down. “Every operator runs their own instance, so you’re playing whack-a-mole against individual infrastructures. The Telegram sales channel is the most visible chokepoint, but Telegram takedowns are slow, and even if it happens the developers just spin up a new channel.”
InfoSecBulletin Cybersecurity for mankind
