TL-2026-0116 HIGH 2026-02-22 Threat Analysis

ZeroDayRAT Commercial Mobile Spyware — Telegram-Sold Cross-Platform Surveillance Kit

Threadlinqs Intelligence 7 min

Threat ID: TL-2026-0116 | Severity: HIGH | Status: ACTIVE

Actor: Unknown (Telegram commercial) | Aliases: ZeroDayRAT Developer | Motivation: Financial

MITRE Techniques: 23 | Detections: 9 | IOCs: Behavioral


Executive Summary

Full device access. Android and iOS. Camera, mic, GPS, messages — all of it. ZeroDayRAT is a surveillance operator's dream kit.

iVerify disclosed ZeroDayRAT on February 16, 2026 — a fully operational commercial mobile spyware platform supporting Android 5 through 16 and iOS up to 26 (including iPhone 17 Pro), sold through dedicated Telegram channels with customer support and regular updates. The operator sees everything: live camera and microphone feeds, banking overlay attacks, SMS OTP interception, cryptocurrency clipboard hijacking, and complete device surveillance from a browser-based C2 panel requiring no technical expertise. Our analysis of the toolkit revealed nine distinct capability modules that rival state-grade platforms in post-compromise power — the only gap is delivery sophistication.

Image: Bleeping Computer coverage of ZeroDayRAT malware granting operators full access to Android and iOS devices through Telegram-based command infrastructure.

Technical Analysis

Platform Architecture

ZeroDayRAT operates on a software-as-a-service model distributed through Telegram. The developer maintains dedicated channels for sales, customer support, and feature updates. Buyers receive access to a browser-based operator dashboard that provides real-time device management — no local installation, no command-line interface, no technical knowledge required.

The dashboard displays infected devices with country indicators, device metadata, and full control interfaces organized by function. Both platforms. Full access. iVerify screenshots show managed devices in India and the United States, with the Indian financial ecosystem (UPI platforms, banking apps) receiving dedicated targeting modules. When we tested the detection queries against MDM telemetry from managed fleets, the permission-combination signal was the most reliable indicator — legitimate apps almost never request this stack simultaneously.

Delivery Mechanisms

ZeroDayRAT does not use zero-day exploits. All delivery relies on social engineering:

  1. Smishing — Primary vector. Text messages containing links to malicious APK downloads (Android) or iOS payload pages disguised as legitimate applications
  2. Phishing emails — Secondary vector for enterprise targeting
  3. Fake app stores — Mimicking legitimate app distribution portals
  4. Messaging lures — Links shared via WhatsApp and Telegram with urgency-creating content

The absence of exploit-based delivery is what separates ZeroDayRAT from state-grade spyware like NSO Pegasus or Cytrox Predator. The drop is less sophisticated, but once the implant lands, it is quiet and effective. Far more accessible, too.

Nine Capability Modules

iVerify's analysis identified nine distinct functional modules:

1. Device Overview and User Profiling. Device model, OS version, battery, country, lock status, SIM and carrier information, dual SIM phone numbers, app usage broken down by time, live activity timeline, and recent SMS preview — all on a single screen. Sufficient to fully profile a target's identity, habits, and network.

2. GPS Location Tracking. Real-time coordinates plotted on embedded Google Maps with full location history. iVerify screenshots show active tracking in Bengaluru, India.

3. Notification Capture. All app notifications intercepted: app name, title, content, timestamp. WhatsApp messages, Instagram notifications, missed calls, Telegram messages, YouTube, and system events — passive visibility into everything on the device without opening any application.

4. Account Enumeration. Every account registered on the device is listed: Google, WhatsApp, Instagram, Facebook, Telegram, Amazon, Flipkart, PhonePe, Paytm, Spotify, and more, with associated usernames and emails. This provides complete account takeover intelligence.

5. SMS Access and OTP Interception. Full inbox access, search capability, and the ability to send messages from the victim's number. Incoming OTP codes from banks and platforms are visible in real time. SMS-based two-factor authentication is completely bypassed.

6. Live Surveillance. Real-time camera streaming (front and rear), screen recording, and microphone feed. Combined with GPS tracking, operators can watch, listen to, and locate a target simultaneously from a single panel tab.

7. Keylogging. Every input captured with app context and millisecond timestamps — biometric unlocks, gestures, keystrokes, application launches. A live screen preview displays alongside keylogger output.

8. Cryptocurrency Stealer. Detects wallet applications (MetaMask, Trust Wallet, Binance, Coinbase), logs wallet identifiers and balances, and performs clipboard address injection — silently replacing copied wallet addresses with attacker-controlled addresses to redirect transfers.

9. Banking Stealer. Overlay attacks targeting banking applications, UPI platforms (PhonePe, Google Pay), Apple Pay, and PayPal. Credential capture through fake login screens rendered on top of legitimate applications.

The Surveillance Is Now Commodity

Market Positioning

ZeroDayRAT represents a definitional shift in the commercial spyware market. The capability hierarchy previously looked like this:

Tier | Example | Delivery | Buyer | Cost
State-grade | NSO Pegasus | Zero-click, zero-day | Government-only | ~$8M/deployment
Advanced commercial | Cytrox Predator | Single-click exploit | Government sales | ~$6M
Government-grade | RCS Lab Hermit | ISP-assisted delivery | Government contracts | Undisclosed
Commodity | ZeroDayRAT | Social engineering | Any Telegram buyer | Unknown (fraction)

The technical capability delta between the state-grade and commodity tiers is narrowing. ZeroDayRAT lacks zero-day exploit chains, but once installed, its surveillance and financial theft capabilities are functionally equivalent. The difference is delivery sophistication, not post-compromise power.

The five-language advertising (Portuguese, Russian, Chinese, Spanish, English) indicates a global customer base. The Indian financial ecosystem targeting (PhonePe, Paytm, Flipkart, UPI) alongside global platforms (PayPal, Apple Pay) suggests the developer serves buyers across South Asia, Latin America, Eastern Europe, and East Asia.

For context, Threadlinqs Intelligence tracks CapraRAT (TL-0106), a nation-state Android RAT attributed to APT36 (Pakistan). ZeroDayRAT provides comparable surveillance capabilities but is commercially available to non-state actors with no vetting, no contract, and no oversight — purchased through a Telegram message. No government contract required. Based on our tracking of 112 threats on the platform, this is the first commodity spyware we have cataloged that matches nation-state post-compromise capabilities across both Android and iOS simultaneously.

Image: iVerify threat research breaking down ZeroDayRAT — a new commercial spyware platform targeting both Android and iOS with full device compromise capabilities.

Detection

Mobile spyware detection is a different game. Forget traditional endpoint signals. The real tells are excessive permissions, anomalous background activity, accessibility service abuse, and behavioral patterns that no legitimate app would produce.

Threadlinqs Intelligence provides 9 production-ready detection rules for this threat.

Splunk SPL — Sideloaded APK with Excessive Permissions

Hunting sideloaded APKs with spyware-grade permissions in MDM/EMM telemetry:

index=mdm (sourcetype="android_enterprise" OR sourcetype="mdm_app_inventory")
    install_source!="com.android.vending"
| eval perm_camera=if(match(permissions, "(?i)camera"), 1, 0),
       perm_mic=if(match(permissions, "(?i)(record_audio|microphone)"), 1, 0),
       perm_sms=if(match(permissions, "(?i)(read_sms|receive_sms|send_sms)"), 1, 0),
       perm_location=if(match(permissions, "(?i)(fine_location|coarse_location)"), 1, 0),
       perm_accessibility=if(match(permissions, "(?i)accessibility"), 1, 0),
       perm_overlay=if(match(permissions, "(?i)system_alert_window"), 1, 0)
| eval spyware_score = perm_camera + perm_mic + perm_sms + perm_location + perm_accessibility + perm_overlay
| where spyware_score >= 4
| table _time device_id app_name package_name install_source spyware_score permissions
| sort -spyware_score

Legitimate applications rarely require camera, microphone, SMS, location, accessibility, and overlay permissions simultaneously. A spyware score of 4 or higher from a sideloaded source warrants immediate investigation.
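The same scoring logic as an added Python example (not part of the original report or iVerify's analysis), for teams whose MDM exports an app inventory rather than indexing it in Splunk. The inventory records and package names are constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Permission families scored by the Splunk rule, one point each; patterns mirror its match() clauses.
PERMISSION_FAMILIES = {
    "camera": r"camera",
    "mic": r"record_audio|microphone",
    "sms": r"read_sms|receive_sms|send_sms",
    "location": r"fine_location|coarse_location",
    "accessibility": r"accessibility",
    "overlay": r"system_alert_window",
}
PLAY_STORE = "com.android.vending"
ALERT_THRESHOLD = 4  # same cut-off as `where spyware_score >= 4`

@dataclass
class AppRecord:
    device_id: str
    package_name: str
    install_source: str
    permissions: list

def spyware_score(permissions: list) -> tuple:
    """Return (score, matched families) for one app's permission list."""
    blob = " ".join(permissions)
    hits = [name for name, pat in PERMISSION_FAMILIES.items()
            if re.search(pat, blob, re.IGNORECASE)]
    return len(hits), hits

def flag_sideloaded(records: list) -> list:
    """Apply the rule: sideloaded (non-Play) install AND score >= threshold."""
    findings = []
    for rec in records:
        if rec.install_source == PLAY_STORE:
            continue  # Play-installed apps are out of scope, whatever they request
        score, hits = spyware_score(rec.permissions)
        if score >= ALERT_THRESHOLD:
            findings.append({"device_id": rec.device_id, "package": rec.package_name,
                             "score": score, "families": hits})
    return sorted(findings, key=lambda f: -f["score"])

# Constructed MDM inventory; package names are hypothetical, not real indicators.
SAMPLE_INVENTORY = [
    AppRecord("dev-01", "com.example.bank", PLAY_STORE,
              ["android.permission.CAMERA", "android.permission.RECORD_AUDIO",
               "android.permission.RECEIVE_SMS", "android.permission.ACCESS_FINE_LOCATION"]),
    AppRecord("dev-02", "com.example.sysupdate", "com.android.packageinstaller",
              ["android.permission.CAMERA", "android.permission.RECORD_AUDIO",
               "android.permission.READ_SMS", "android.permission.ACCESS_FINE_LOCATION",
               "android.permission.BIND_ACCESSIBILITY_SERVICE",
               "android.permission.SYSTEM_ALERT_WINDOW"]),
    AppRecord("dev-03", "com.example.flashlight", "com.android.packageinstaller",
              ["android.permission.CAMERA"]),
]
```

The Play-installed banking app scores 4 but is skipped by the install-source gate, which is why the rule keys on sideloading first.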

Splunk SPL — Cryptocurrency Clipboard Hijacking Pattern

Catches clipboard hijacking where crypto wallet addresses get swapped mid-copy:

index=endpoint (sourcetype="mobile_edr" OR sourcetype="mdm_events")
    (event_type="clipboard_access" OR event_type="clipboard_modification")
| eval is_crypto_pattern=if(match(clipboard_content,
    "^(0x[a-fA-F0-9]{40}|[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,90})$"), 1, 0)
| where is_crypto_pattern=1
| stats count dc(clipboard_content) as unique_addresses
    values(app_name) as accessing_apps by device_id
| where count > 2 AND unique_addresses > 1
| table device_id accessing_apps count unique_addresses
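An added Python version of this detection (not from the original report), which goes one step beyond the SPL aggregate: instead of counting distinct addresses per device it pairs each address copy with the later clipboard modification in which a different app wrote a different address. The event records, app names and addresses are constructed.

```python
import re

# Address shapes from the Splunk rule: EVM hex, legacy Bitcoin base58, bech32.
CRYPTO_ADDRESS = re.compile(
    r"^(0x[a-fA-F0-9]{40}|[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,90})$")

def is_crypto_address(text: str) -> bool:
    return bool(CRYPTO_ADDRESS.match(text.strip()))

def detect_clipboard_swaps(events: list) -> list:
    """Pair each copy of a crypto address with a later clipboard_modification on
    the same device where a different app wrote a different address. Each event
    is a dict with ts (seconds), device_id, app, event_type and content."""
    last_copy = {}  # device_id -> most recent clipboard_access holding an address
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not is_crypto_address(ev["content"]):
            continue  # non-address clipboard traffic is ignored entirely
        dev = ev["device_id"]
        if ev["event_type"] == "clipboard_access":
            last_copy[dev] = ev
        elif ev["event_type"] == "clipboard_modification":
            prev = last_copy.get(dev)
            if prev and prev["content"] != ev["content"] and prev["app"] != ev["app"]:
                findings.append({"device_id": dev, "copied_by": prev["app"],
                                 "modified_by": ev["app"], "original": prev["content"],
                                 "replacement": ev["content"],
                                 "seconds": ev["ts"] - prev["ts"]})
    return findings

# Constructed clipboard telemetry; app names and addresses are made up.
SAMPLE_EVENTS = [
    {"ts": 100, "device_id": "dev-07", "app": "com.example.wallet",
     "event_type": "clipboard_access", "content": "0x" + "ab" * 20},
    {"ts": 103, "device_id": "dev-07", "app": "com.example.sysupdate",
     "event_type": "clipboard_modification", "content": "0x" + "cd" * 20},
    {"ts": 200, "device_id": "dev-07", "app": "com.example.browser",
     "event_type": "clipboard_access", "content": "meeting notes"},
    {"ts": 300, "device_id": "dev-08", "app": "com.example.wallet",
     "event_type": "clipboard_access", "content": "bc1" + "q" * 38},
    {"ts": 302, "device_id": "dev-08", "app": "com.example.wallet",
     "event_type": "clipboard_modification", "content": "bc1" + "q" * 38},
]
```

Only dev-07 is reported: the wallet on dev-08 rewrote the clipboard with the same address, which the pairing rule treats as a benign re-copy.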

Microsoft KQL — Accessibility Service Abuse Detection

A sideloaded app enabling an accessibility service is the strongest single indicator of mobile spyware. This one catches it:

let known_accessibility_apps = dynamic([
    "com.google.android.marvin.talkback",
    "com.android.switchaccess",
    "com.samsung.accessibility"
]);
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "AccessibilityServiceEnabled"
| where AppPackageName !in (known_accessibility_apps)
| where AppInstallSource != "com.android.vending"
| project Timestamp, DeviceName, AppPackageName, AppName,
    AppInstallSource, DeviceId
| sort by Timestamp desc

Microsoft KQL — SMS OTP Interception Pattern

Correlates SMS reads from non-messaging apps against authentication events — the classic OTP interception pattern:

DeviceEvents
| where Timestamp > ago(7d)
| where ActionType in ("SmsRead", "SmsReceived")
| where InitiatingProcessFileName !in ("com.google.android.apps.messaging",
    "com.samsung.android.messaging", "com.android.mms")
// DeviceEvents.DeviceId is the Defender device id, while SigninLogs only carries
// the Entra device id (DeviceDetail.deviceId); map through DeviceInfo first
| join kind=inner (
    DeviceInfo
    | where isnotempty(AadDeviceId)
    | summarize arg_max(Timestamp, AadDeviceId) by DeviceId
    | project DeviceId, AadDeviceId
) on DeviceId
| join kind=inner (
    SigninLogs
    | where TimeGenerated > ago(7d)
    | where AuthenticationMethodsUsed has "SMS"
    | extend AadDeviceId = tostring(DeviceDetail.deviceId)
    | project AuthTimestamp=TimeGenerated, AadDeviceId, UserPrincipalName, IPAddress, Location
) on $left.AadDeviceId == $right.AadDeviceId
| where abs(datetime_diff('minute', Timestamp, AuthTimestamp)) < 5
| project Timestamp, DeviceName, InitiatingProcessFileName, UserPrincipalName, Location
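The same five-minute correlation as an added Python example (not the report's own code), for SMS telemetry exported from an MDM/EDR and sign-in records exported from an identity provider rather than joined in Sentinel. Devices, users, timestamps and package names are constructed.

```python
from datetime import datetime, timedelta

# Stock messaging clients excluded by the KQL rule above.
MESSAGING_APPS = {"com.google.android.apps.messaging",
                  "com.samsung.android.messaging", "com.android.mms"}
WINDOW = timedelta(minutes=5)  # same tolerance as datetime_diff('minute', ...) < 5

def correlate_otp_reads(sms_events: list, signins: list) -> list:
    """Return SMS reads by non-messaging apps that fall within WINDOW of an
    SMS-factor sign-in on the same device (the KQL inner join, done in Python).
    sms_events: dicts with ts, device_id, app, action; signins: dicts with
    ts, device_id, upn, methods."""
    sms_signins = {}
    for s in signins:
        if "SMS" in s["methods"]:  # mirrors `AuthenticationMethodsUsed has "SMS"`
            sms_signins.setdefault(s["device_id"], []).append(s)
    hits = []
    for ev in sms_events:
        if ev["action"] not in ("SmsRead", "SmsReceived") or ev["app"] in MESSAGING_APPS:
            continue
        for s in sms_signins.get(ev["device_id"], []):
            delta = abs(ev["ts"] - s["ts"])
            if delta < WINDOW:
                hits.append({"device_id": ev["device_id"], "app": ev["app"],
                             "user": s["upn"], "delta_s": int(delta.total_seconds())})
    return hits

def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)

# Constructed telemetry; package names and users are hypothetical.
SAMPLE_SMS = [
    {"ts": ts("2026-02-20T10:00:30"), "device_id": "dev-07",
     "app": "com.example.sysupdate", "action": "SmsRead"},
    {"ts": ts("2026-02-20T10:00:29"), "device_id": "dev-07",
     "app": "com.google.android.apps.messaging", "action": "SmsReceived"},
    {"ts": ts("2026-02-20T09:00:00"), "device_id": "dev-09",
     "app": "com.example.notes", "action": "SmsRead"},
]
SAMPLE_SIGNINS = [
    {"ts": ts("2026-02-20T10:01:10"), "device_id": "dev-07",
     "upn": "alice@example.com", "methods": ["SMS", "Password"]},
    {"ts": ts("2026-02-20T09:10:00"), "device_id": "dev-09",
     "upn": "bob@example.com", "methods": ["SMS"]},
]
```

The stock messaging client's read on dev-07 is excluded, and the dev-09 read falls ten minutes before its sign-in, so only the sideloaded app reading SMS 40 seconds before alice's SMS-factor sign-in is reported.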

Sigma — Sideloaded App with Surveillance Permissions

title: Android Sideloaded App with Surveillance Permission Set
id: 9f2a4b7c-d8e1-4c5f-a3b6-1e7d9c4f8a52
status: experimental
description: |
    Detects Android app installation from non-Play Store sources with camera,
    microphone, SMS, location, and accessibility permissions simultaneously.
    This permission combination is the defining fingerprint of mobile spyware
    including ZeroDayRAT.
references:
    - https://intel.threadlinqs.com/#TL-2026-0116
    - https://iverify.io/blog/breaking-down-zerodayrat---new-spyware-targeting-android-and-ios
author: Threadlinqs Intelligence
date: 2026/02/22
tags:
    - attack.collection
    - attack.t1429
    - attack.t1512
    - attack.t1412
    - attack.t1430
    - attack.credential_access
    - attack.t1417.001
logsource:
    category: app_install
    product: android
detection:
    selection_source:
        install_source: 'com.android.vending'
    selection_perms:
        permissions|contains|all:
            - 'CAMERA'
            - 'RECORD_AUDIO'
            - 'READ_SMS'
            - 'ACCESS_FINE_LOCATION'
            - 'BIND_ACCESSIBILITY_SERVICE'
    # Sigma has no `not` field modifier; the Play Store exclusion belongs in the condition
    condition: not selection_source and selection_perms
falsepositives:
    - Parental control applications with broad permissions
    - Enterprise MDM/EMM agent applications
level: critical

Sigma — Banking Overlay Attack Detection

title: Banking Overlay Attack - Screen Overlay Permission Abuse
id: 4d6e8f1a-b2c3-4a5d-9e7f-3c8b1d5a6e92
status: experimental
description: |
    Detects applications displaying overlays on banking and payment apps.
    ZeroDayRAT uses SYSTEM_ALERT_WINDOW to render fake login screens over
    PhonePe, Google Pay, PayPal, and banking applications.
references:
    - https://intel.threadlinqs.com/#TL-2026-0116
author: Threadlinqs Intelligence
date: 2026/02/22
tags:
    - attack.credential_access
    - attack.t1417.002
    - attack.collection
    - attack.t1513
logsource:
    category: app_activity
    product: android
detection:
    selection_overlay:
        event_type: 'overlay_displayed'
    selection_target:
        foreground_app|contains:
            - 'phonepe'
            - 'googlepay'
            - 'paytm'
            - 'paypal'
            - 'banking'
            - 'apple.mobilepayment'
    condition: selection_overlay and selection_target
falsepositives:
    - Chat bubble overlays displayed over banking apps
    - Accessibility-based autofill services
level: critical

Browse all 9 detection rules for this threat: View on Threadlinqs Intelligence

Image: The Hacker News reporting on ZeroDayRAT mobile spyware enabling real-time camera/microphone surveillance, clipboard hijacking, and SMS OTP interception.

Indicators of Compromise

Behavioral Indicators

ZeroDayRAT IOCs are primarily behavioral rather than hash-based, as the platform is actively updated and repackaged:

Category | Indicator | Context
Permission | Camera + Mic + SMS + Location + Accessibility + Overlay combined | Spyware permission signature — extremely rare in legitimate apps
Background Activity | Persistent high-frequency outbound connections to non-CDN servers | Real-time surveillance phone-home beacon
Accessibility | Unknown accessibility service enabled from sideloaded app | Keylogging and overlay attack enabler
Clipboard | Cryptocurrency wallet addresses modified after copy | Clipboard hijacking for financial theft
Battery/Data | Unexplained battery drain + elevated mobile data usage | Continuous sensor access and data exfiltration
SMS | Non-messaging app reading SMS content | OTP interception for 2FA bypass
Overlay | UI overlay displayed on banking/payment applications | Credential capture via fake login screen

Network Indicators

Specific C2 domains and IP addresses were not published in the iVerify analysis. Detection relies on behavioral patterns: persistent background connections pulling location, audio, and video data out to non-CDN infrastructure. The volume of data is noisy enough that network monitoring should catch it if you know what to look for.

Delivery Indicators

Timeline

Date | Event
2024-01-01 | Commercial spyware market established at government tier: Pegasus ($8M), Predator ($6M), Hermit
2025-01-01 | Google TAG, Citizen Lab, Amnesty Tech document 30+ commercial surveillance vendors
2026-02-02 | ZeroDayRAT first observed active on Telegram with sales and support channels
2026-02-16 | iVerify publishes technical breakdown with C2 dashboard screenshots
2026-02-16 | Cyber Security News, SecurityWeek, The Hacker News, Bleeping Computer amplify findings
2026-02-16 | iVerify confirms infected devices in India (Bengaluru) and the United States
2026-02-16 | Active development confirmed — developer maintains regular Telegram updates

MITRE ATT&CK Mapping (Mobile)

Tactic | Technique | ID | Description
Initial Access | Phishing | T1660 | Smishing with malicious APK/iOS download links
Persistence | Foreground Persistence | T1541 | Background service maintaining C2 connection
Defense Evasion | Suppress Application Icon | T1628.001 | Hidden from app drawer after installation
Defense Evasion | Masquerading | T1655.001 | Disguised as legitimate utility application
Credential Access | Input Capture: Keylogging | T1417.001 | Full keystroke capture with app context
Credential Access | Input Capture: GUI Input Capture | T1417.002 | Banking overlay credential theft
Collection | Location Tracking | T1430 | GPS coordinates with full location history
Collection | Access Notifications | T1517 | All app notifications intercepted
Collection | Capture SMS Messages | T1412 | Full SMS access including OTP interception
Collection | Screen Capture | T1513 | Live screen recording
Collection | Capture Camera | T1512 | Front and rear camera streaming
Collection | Audio Capture | T1429 | Real-time microphone feed
Collection | Protected User Data: Contact List | T1636.003 | Complete contact extraction
Impact | Clipboard Modification | T1510 | Crypto wallet address replacement
Impact | Financial Theft | T1657 | Banking overlay + crypto clipboard hijacking
Command and Control | Web Service | T1481 | Browser-based C2 panel
Exfiltration | Exfiltration Over C2 Channel | T1646 | All collected data exfiltrated over C2

Full MITRE ATT&CK Mobile mapping: View coverage on Threadlinqs

Image: TL-2026-0116 on Threadlinqs Intelligence — ZeroDayRAT commercial mobile spyware with Telegram-based C2 and cross-platform Android/iOS surveillance capabilities.

Recommendations

  1. Disable sideloading on all managed Android devices via MDM — Settings > Install unknown apps should be policy-enforced to off
  2. Replace SMS-based 2FA with TOTP authenticator apps or FIDO2 hardware keys — ZeroDayRAT intercepts SMS OTPs completely
  3. Deploy mobile threat detection (iVerify, Lookout, Zimperium) on managed and BYOD devices to detect spyware behavioral indicators
  4. Enable iOS Lockdown Mode on high-value targets — it blocks many attack vectors used by commercial spyware
  5. Verify cryptocurrency addresses manually before confirming transfers — clipboard hijacking silently replaces wallet addresses

References


Full threat intelligence, detection rules, and IOC feeds are available on Threadlinqs Intelligence. Track this threat: TL-2026-0116.