The MaaS (Malware as a Service) model continues to evolve in the world of cybercrime. This new mobile spyware platform, dubbed “ZeroDayRAT” and examined by Cyberthint researchers, allows anyone without technical expertise to become an advanced cyber spy.

Actively marketed through Telegram channels since February 2, 2026, this platform targets Android and iOS devices, combining real-time surveillance with direct financial theft within a single browser panel.

What is ZeroDayRAT and How Does it Work?

ZeroDayRAT is a toolkit that goes beyond classic data theft, aiming to compromise the target’s digital and physical life. Attackers purchase this service via Telegram and attempt to install an APK (Android) or Payload (iOS) onto the victim’s device.

Transmission/Infection Vectors

The most common method is Smishing (SMS Phishing) attacks. Victims are sent fake links that appear to be from legitimate applications or updates. Manipulative links shared via fake app stores and WhatsApp/Telegram also play a critical role in the infection chain.

Control Panel: What Can an Attacker See?

As can be seen in the panel image below, the malware claims to support versions as recent as Android 16 and iOS 26.2. This indicates that the software can run on a wide range of versions and is constantly being updated.

ZeroDayRAT’s most prominent feature is the user-friendly and comprehensive control panel it offers to the attacker. When a device is infected, the operator gains instant access to the following data:

Digital Profiling (Overview)

The panel’s login screen reveals the victim’s digital identity:

  • Device model, battery status, carrier information
  • Most frequently used applications and activity timeline
  • Who the victim spoke to and their last SMS messages

Real-time Tracking and Surveillance

Beyond data collection, ZeroDayRAT transforms into a physical tracking device:

  • Live Location: GPS data is tracked in real-time on Google Maps, and past location history is reported.
  • Ambient Listening and Monitoring: The attacker can monitor the surroundings live by activating the device’s front/rear camera and microphone.
  • Screen Recording and Keylogger: While the victim’s screen is being monitored live, every keystroke (including passwords) is recorded with millisecond precision.

The analysis image below shows that the attacker used the live camera stream to display a handwritten note while simultaneously recording the screen.

In addition, with its advanced Keylogger module, it reports every keystroke, clipboard data, biometric unlock actions, and application transitions made by the victim with millisecond precision.

Financial Theft Modules: Crypto Wallets and Bank Accounts are the Targets

The platform not only provides surveillance but also includes specialized modules designed to generate direct financial gain:

  • Crypto Wallet Stealing: Scans wallet applications like MetaMask, Trust Wallet, Binance, and Coinbase. Using Clipboard Injection techniques, when a victim copies a wallet address, the attacker replaces it with their own wallet address, redirecting transfers to themselves.
  • Banking and Payment Systems: Steals login credentials by performing Overlay attacks on Apple Pay, Google Pay, PayPal, and local payment systems.
  • OTP Bypassing: Captures one-time passwords (2FA) from banks in real-time via SMS access.
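The clipboard-injection pattern described above (a copied wallet address silently replaced by a different address of the same family) can be spotted from the device side without any knowledge of the malware itself. The following detector is an added example written for this article, not code from the ZeroDayRAT panel or from Cyberthint; the clipboard event stream, the address patterns (TRON-style base58 and EVM-style hex only) and the 2-second window are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# Address families checked (assumption: only TRON-style base58 and
# EVM-style hex addresses are modelled here).
ADDRESS_PATTERNS = {
    "tron": re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),
    "evm": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def classify(text: str):
    """Return the wallet-address family of a clipboard string, or None."""
    for name, pat in ADDRESS_PATTERNS.items():
        if pat.match(text.strip()):
            return name
    return None

@dataclass
class ClipEvent:
    ts_ms: int       # timestamp of the clipboard change, in milliseconds
    text: str        # clipboard content after the change
    user_copy: bool  # True when a user copy gesture produced the change

def detect_swaps(events, window_ms=2000):
    """Flag a clipboard change that replaces one wallet address with a
    different address of the same family, shortly after the user copied it
    and without a user copy gesture: the clipboard-injection signature.
    Returns (original, replacement, delay_ms) tuples."""
    alerts = []
    for prev, cur in zip(events, events[1:]):
        fam_prev, fam_cur = classify(prev.text), classify(cur.text)
        if (fam_prev is not None and fam_prev == fam_cur
                and prev.text.strip() != cur.text.strip()
                and not cur.user_copy
                and cur.ts_ms - prev.ts_ms <= window_ms):
            alerts.append((prev.text, cur.text, cur.ts_ms - prev.ts_ms))
    return alerts

# Constructed sample stream: the user copies a TRON address and 150 ms later
# the clipboard changes to another TRON address with no user action. The
# addresses are placeholders, not real wallets.
SAMPLE_EVENTS = [
    ClipEvent(1000, "hello world", True),
    ClipEvent(5000, "TQ9" + "a" * 31, True),   # victim copies their address
    ClipEvent(5150, "TR2" + "b" * 31, False),  # silent replacement
    ClipEvent(9000, "0x" + "c" * 40, True),
    ClipEvent(20000, "0x" + "d" * 40, True),   # a legitimate second copy
]
```

A legitimate second copy of a different address (last two events) is not flagged because it carries a user gesture and falls outside the window.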

A New Era in the Mobile Threat Landscape

ZeroDayRAT demonstrates that espionage capabilities previously available only to state-sponsored actors are now being sold as ready-made packages via Telegram.

Other Current Mobile Threats

Reports indicate that other mobile threats such as Arsink (a RAT using Google Apps Script), Anatsa (a banking Trojan), and NFCShare (malware that steals contactless payment data) are also on the rise simultaneously with ZeroDayRAT. In particular, NFC-based attacks (Ghost Tap) allow for theft via POS devices by copying physical card data.

HUMINT Analysis

Demo Video Review

Analyzing the attack vectors featured in the demo tutorial video obtained from the threat actor, we found that they used a multi-stage redirection technique to gain the victims’ trust and bypass security filters. The provider also claims that a single click is enough to compromise a victim.

URL Masking: As seen in the WhatsApp screenshot in the video, the attackers are using URL shortening services like “2cm.es” (e.g., “http(s)://2cm.es/1oDIZ”) to conceal the true target of the malicious link.

Legitimate Infrastructure Usage: When the shortened link was clicked, the victim was redirected to “mhko78-gui.github.io” (although the full URL is not clear). The attackers’ use of a trusted and legitimate platform like GitHub Pages to host the malicious payload or phishing page indicates their intention to bypass reputation-based security filters.
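The redirect chain seen in the demo (shortener, then a GitHub Pages host, then the payload) is the kind of pattern a URL-inspection step in a mobile security gateway can score. The analyzer below is an added example written for this article, not a Cyberthint tool; the shortener and hosting lists are illustrative assumptions (2cm.es and the github.io host come from the video, the rest are added), and the sample chain uses placeholder path segments rather than the URLs observed.

```python
from urllib.parse import urlsplit

# Shortener domains treated as URL masking (assumption: illustrative list;
# 2cm.es is the service used in the demo video).
SHORTENERS = {"2cm.es", "bit.ly", "tinyurl.com", "t.co"}
# Free hosting platforms whose reputation attackers borrow (assumption).
TRUSTED_HOSTING_SUFFIXES = (".github.io", ".pages.dev", ".netlify.app")
# Extensions that indicate a direct mobile package download.
PAYLOAD_EXTENSIONS = (".apk", ".ipa", ".mobileconfig")

def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()

def analyze_chain(hops):
    """hops: ordered URLs of a redirect chain, first = the link the victim
    clicked, last = the final landing URL. Returns (hop_index, finding)
    tuples; an empty list means nothing in the chain matched."""
    findings = []
    for i, url in enumerate(hops):
        host = host_of(url)
        if host in SHORTENERS:
            findings.append((i, f"url masking via shortener {host}"))
        if host.endswith(TRUSTED_HOSTING_SUFFIXES):
            findings.append((i, f"content staged on free hosting {host}"))
        if urlsplit(url).path.lower().endswith(PAYLOAD_EXTENSIONS):
            findings.append((i, "direct mobile package download"))
    if len(hops) >= 3:
        findings.append((len(hops) - 1, f"multi-stage chain of {len(hops)} hops"))
    return findings

def risk_score(hops) -> int:
    """Additive score, one point per finding; a masked link that lands on
    free hosting and serves a package scores well above a plain shortened
    link to a reputable site."""
    return len(analyze_chain(hops))

# Constructed chain mirroring the demo: shortener -> GitHub Pages -> APK.
# "EXAMPLE" segments are placeholders, not paths from the video.
SAMPLE_CHAIN = [
    "https://2cm.es/EXAMPLE",
    "https://mhko78-gui.github.io/EXAMPLE/",
    "https://mhko78-gui.github.io/EXAMPLE/update.apk",
]
# Constructed benign chain for comparison: a shortener to a plain site.
BENIGN_CHAIN = ["https://bit.ly/EXAMPLE", "https://example.org/news"]
```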

Seller Verification and Escrow Details

To verify the seriousness of the threat, we contacted the threat actor via Telegram, posing as a prospective buyer. These conversations revealed crucial details that reduced the likelihood of the threat being a scam.

Selling Prices:

  • Daily: $250
  • Weekly: $1000
  • Monthly: $3500

Escrow Testing

Because fraud is common in the underground market, the seller was asked if they used Escrow (Trusted Broker/Custodian). The seller stated that they accepted the Escrow service of XSS Forum, one of the well-known forums in the cybercrime world.

Analyst Note

A seller accepting the mediation of a platform with a reputation in the criminal underworld, such as XSS Forum, demonstrates confidence that their product (ZeroDayRAT) actually works. Scammers typically refuse to use escrow. This strengthens the possibility that ZeroDayRAT is a functional and active threat.

Some Technical Inconsistencies and Scam Suspicion: ChatGPT Trace

However, an examination of the visual evidence provided by ZeroDayRAT revealed a critical detail that undermined the credibility of the operation. The screenshot showcasing the cryptocurrency theft module clearly displays the heading “Create USDT Wallet Address” in the browser’s top tab.

Analyst Note

This tab heading indicates that the seller was, at the time of the screenshot, attempting to generate fake USDT wallet addresses or code blocks using ChatGPT or a similar AI tool.

  • Static Addresses: The fact that the wallet addresses (TQ9…) displayed in the panel appear to be sample data, together with the tab detail at the top, strengthens the possibility that this panel is a fake interface designed purely for visual purposes, without any functionality.
  • The Paradox: While the seller’s acceptance of escrow offers some reassurance, this technical flaw (OpSec failure) leaves open the risk that the product is an overhyped scam.

Tips for Detecting and Protecting Against Next-Generation Mobile Spyware

For organizations and individual users, mobile security is no longer an option, but a necessity.

  • Zero Tolerance for Suspicious Links: Never click on links in SMS messages, WhatsApp messages, or emails from unknown numbers. Panic-inducing messages, especially those related to emergencies, shipment tracking, or bill payments, are the primary method of infection for this malware.
  • Mobile EDR and MDM Solutions: Traditional antivirus software may be insufficient. Mobile security solutions that perform behavioral analysis and IoC scanning should be used.
  • Hardware-Based Security: For account security, authenticator applications or hardware keys should be preferred over SMS-based 2FA.
  • Regular Checks: Anomalies such as sudden increases in your phone’s battery drain, excessive data usage, or screens turning on spontaneously could be signs of spyware.

Author

Cyberthint

Comments (0)

  1. Zafar
    23 March 2026

    Darknet bronza
