Android and iOS devices reporting in from different countries | Image: iVerify
A new and powerful mobile spyware platform has emerged on the cybercrime market, offering sophisticated surveillance capabilities to anyone willing to pay. Identified by iVerify as “ZeroDayRAT,” the toolkit is being sold openly on Telegram, turning what was once the domain of nation-states into a commodity for cybercriminals.
The platform, first observed in early February, boasts dedicated support channels and regular updates, providing buyers with a “single point of access” to a fully operational spyware panel.
ZeroDayRAT is designed for total compromise. From a unified dashboard, an operator can gain “full remote control over a user’s Android or iOS device,” with support extending to the latest operating systems, including Android 16 and iOS 26.
Crucially, the barrier to entry is non-existent. “No technical expertise is required,” the report notes. Once a device is infected—often via smishing texts or fake apps—the attacker can access a terrifying array of real-time data.
“A single buyer gets full access to a target’s location, messages, finances, camera, microphone, and keystrokes from a browser tab,” iVerify researchers explain.
The spyware goes beyond passive monitoring. It includes features for active surveillance and financial theft.
- Live Tracking: Operators can view “GPS coordinates… plotted on an embedded Google Maps view” to track a victim’s movements in real time.
- Physical Surveillance: The toolkit allows for “live camera streaming (front or back), screen recording, and a microphone feed,” effectively turning the phone into a bug.
- Financial Drain: A specialized module targets banking apps and cryptocurrency wallets. It can perform “clipboard address injection, silently replacing copied wallet addresses with the attacker’s,” ensuring that funds are diverted to the criminal’s account.
What used to require “nation-state investment or bespoke exploit development” is now available to any buyer on a messaging app.
For organizations, this represents a critical risk. “For enterprises, a compromised employee device is a vector for credential theft, account takeover, and data exfiltration,” the report warns. The findings underscore the urgent need to treat mobile security with the same priority as traditional endpoint defenses.