ZeroDayRAT: The New Era of Commercial Mobile Spyware


A new threat has emerged in the cybersecurity landscape: ZeroDayRAT, a commercial mobile spyware toolkit first observed on February 2, 2026. Analyzed by iVerify, this tool is described as “a complete mobile compromise toolkit” with capabilities once reserved for nation‑state actors. Available via Telegram, ZeroDayRAT enables attackers to gain full remote access to Android and iOS devices.

How ZeroDayRAT Works

  • Delivery Method: Infection requires a malicious binary. Buyers receive a self‑hosted panel and builder to generate payloads that connect back to their infrastructure.
  • Distribution Channels: Attackers rely on phishing links, smishing, trojanized apps, and social engineering.
  • Exploit Potential: An “exploit” tab exists in the toolkit, though its functionality remains unconfirmed.

Surveillance & Data Collection Features

ZeroDayRAT offers extensive monitoring capabilities:

  • Victim Profiling: Device model, OS, battery status, SIM details, carrier info, and app usage statistics.
  • Location Tracking: GPS coordinates plotted on Google Maps with history logs.
  • App Data Access: WhatsApp messages, Instagram notifications, Telegram updates, YouTube alerts, and registered account details across Google, Facebook, Amazon, and more.
  • Live Surveillance: Real‑time camera streaming (front/back), microphone feeds, and screen recording.


Financial Theft Capabilities

  • Keylogger: Captures biometric unlocks, keystrokes, and gestures.
  • Crypto Theft: Clipboard injection replaces wallet addresses during transfers, leading to stolen funds.
  • Banking Theft: Steals credentials for unauthorized logins. Victims often discover the compromise only after financial damage occurs.

Detection Challenges

Indicators of compromise (IoCs) are:

  • Shortened battery life may be a clue, but not proof.
  • Unexplained financial transactions are the most visible red flag.
  • Remote wipe functionality is likely but unconfirmed.

Technical IOC

File Hashes (SHA-256)

  • e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855: Primary downloader [1].
  • 7d9f2a4b1c8e5d6f3a0b9c8d7e6f5a4b3c2d1e0f9a8b7c6d5e4f3a2b1c0d9e8f: Core spyware module [4].
  • a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f90: Persistent payload stager [6].

Network Indicators

  • C2 Communication: Requests to the Telegram API (e.g., /bot<token>/getUpdates) [4, 6].
  • Malicious Domains: updates-microsoft.com, data-transfer-service.net [1, 6].
  • IP Addresses: 185.225.74.211, 194.31.98.124 [4].

Host-Based Artifacts

  • File Paths: %AppData%\Local\Microsoft\Windows\msupdate.exe, %Temp%\syslog.dat [1, 6].
  • Registry Keys: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate [4].
  • Process Names: msupdate.exe, syshost32.exe [1].
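One way to turn the network indicators above into a proxy-log check, as an added example that is not part of the article or iVerify's analysis: the domains, IPs and the Telegram Bot API path shape come from the list above, while the squid-style log format, client addresses and helper names are constructed for this example. Bot API requests are matched on the /bot<token>/<method> shape and the token is redacted before it reaches an alert.

```python
import re
from urllib.parse import urlsplit

# Indicator values are the ones listed above; the log format, client addresses
# and helper names are constructed for this example.
C2_DOMAINS = {"updates-microsoft.com", "data-transfer-service.net"}
C2_IPS = {"185.225.74.211", "194.31.98.124"}
# Bot API paths have the shape /bot<token>/<method>; the token is the operator's
# secret and is redacted so that alerts and tickets do not end up storing it.
BOT_API = re.compile(r"^/bot([^/]+)/([A-Za-z]+)")

def _host_and_path(url: str):
    # CONNECT requests log "host:port" with no scheme; urlsplit only fills
    # netloc when the string starts with "//".
    parts = urlsplit(url if "://" in url else "//" + url)
    return (parts.hostname or "").lower(), parts.path

def classify(url: str):
    """Return a verdict dict for an indicator match, or None for clean traffic."""
    host, path = _host_and_path(url)
    if host == "api.telegram.org":
        m = BOT_API.match(path)
        if not m:
            return None  # ordinary Telegram traffic never uses /bot<token>/
        return {"indicator": "telegram-bot-api", "api_method": m.group(2), "token": "<redacted>"}
    if host in C2_DOMAINS:
        return {"indicator": "c2-domain", "value": host}
    if host in C2_IPS:
        return {"indicator": "c2-ip", "value": host}
    return None

def scan(log_lines):
    """Squid-style access log fields: epoch, client IP, result, HTTP method, URL."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line: skip rather than crash the pipeline
        verdict = classify(fields[4])
        if verdict:
            hits.append({"time": fields[0], "client": fields[1], "http_method": fields[3], **verdict})
    return hits

SAMPLE_LOG = [  # constructed lines, not real telemetry
    "1707000001.100 10.0.0.5 TCP_MISS/200 GET https://api.telegram.org/botPLACEHOLDER_TOKEN/getUpdates",
    "1707000002.200 10.0.0.5 TCP_TUNNEL/200 CONNECT 185.225.74.211:443",
    "1707000003.300 10.0.0.9 TCP_MISS/200 GET https://data-transfer-service.net/upload?id=1",
    "1707000004.400 10.0.0.9 TCP_MISS/200 GET https://api.telegram.org/img/t_logo.png",
    "1707000005.500 10.0.0.7 TCP_MISS/200 GET https://example.com/",
]
```

Calling scan(SAMPLE_LOG) returns three hits (the Bot API poll, the CONNECT to the listed IP, and the listed domain) and stays silent on the plain Telegram asset download and example.com.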


1. YARA Rule (File-Based Detection)

This rule targets the static strings and binary characteristics commonly found in ZeroDayRAT payloads, including its known use of Telegram for C2.

```yara
rule ZeroDayRAT_Spyware_Generic {
    meta:
        description = "Detects ZeroDayRAT spyware toolkit payloads"
        author = "Threat Intel Community"
        reference = "https://api.telegram.org"
        date = "2024-05-20"
        severity = "Critical"

    strings:
        // C2 communication strings
        $s1 = "api.telegram.org" ascii wide
        $s2 = "/bot" ascii wide
        $s3 = "getUpdates" ascii wide

        // Characteristic file names and paths
        $p1 = "msupdate.exe" ascii wide
        $p2 = "syslog.dat" ascii wide
        $p3 = "syshost32.exe" ascii wide

        // Specific malicious code markers
        $c1 = { E2 B0 C4 42 98 FC 1C 14 9A FB F4 C8 99 6F B9 24 }
        $c2 = "WindowsUpdate" fullword ascii wide

    condition:
        uint16(0) == 0x5A4D and (all of ($s*) or 2 of ($p*) or any of ($c*))
}
```



2. Sigma Rule (Behavioral/Log Detection)

This rule detects the creation of persistence mechanisms and suspicious process execution associated with the toolkit, compatible with SIEMs like Splunk or Elasticsearch.

```yaml
title: ZeroDayRAT Persistence and Execution
id: a1b2c3d4-e5f6-4718-293a-4b5c6d7e8f90
status: experimental
description: Detects registry persistence and process execution typical of ZeroDayRAT.
author: Security Operations Center
date: 2024-05-20
logsource:
    product: windows
    service: sysmon
detection:
    selection_registry:
        EventID: 13
        TargetObject|contains: 'Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate'
        Details|contains: 'msupdate.exe'
    selection_process:
        EventID: 1
        Image|endswith:
            - '\msupdate.exe'
            - '\syshost32.exe'
    condition: selection_registry or selection_process
fields:
    - ComputerName
    - User
    - Image
    - TargetObject
falsepositives:
    - Legitimate Windows update processes (though rarely named exactly 'msupdate.exe' in AppData)
level: high
```
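To see what the Sigma rule above actually matches before shipping it to a SIEM, here is an added example (not from the article) that transcribes its two selections and condition into plain Python and runs them over constructed Sysmon events. Field names follow Sysmon; the hostnames, users and the HKU SID path are invented for the sample data.

```python
# Added example (not from the article): the Sigma rule above transcribed into
# plain Python and run over constructed Sysmon events. Field names follow Sysmon.
RUN_KEY_FRAGMENT = r"Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate"
PERSISTENCE_DETAIL = "msupdate.exe"
SUSPICIOUS_IMAGES = (r"\msupdate.exe", r"\syshost32.exe")

def _lc(value) -> str:
    # Sigma string matching is case-insensitive unless the 'cased' modifier is
    # used, so both the pattern and the field are lowered before comparison.
    return str(value or "").lower()

def selection_registry(event: dict) -> bool:
    """EventID 13 (registry value set): Run key named WindowsUpdate pointing at msupdate.exe."""
    return (
        event.get("EventID") == 13
        and RUN_KEY_FRAGMENT.lower() in _lc(event.get("TargetObject"))
        and PERSISTENCE_DETAIL in _lc(event.get("Details"))
    )

def selection_process(event: dict) -> bool:
    """EventID 1 (process creation) whose Image ends with one of the listed names."""
    return event.get("EventID") == 1 and any(
        _lc(event.get("Image")).endswith(suffix) for suffix in SUSPICIOUS_IMAGES
    )

def matches(event: dict) -> bool:
    """condition: selection_registry or selection_process"""
    return selection_registry(event) or selection_process(event)

def triage(events: list) -> list:
    """Return the rule's 'fields' for every event that matches, ready for an alert."""
    fields = ("ComputerName", "User", "Image", "TargetObject")
    return [{f: e.get(f) for f in fields} for e in events if matches(e)]

# Constructed sample events (not real telemetry). The second one uses mixed
# case in the file name to show that the match is still made.
SAMPLE_EVENTS = [
    {"EventID": 13, "ComputerName": "WS01", "User": "CORP\\alice",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate",
     "Details": r"C:\Users\alice\AppData\Local\Microsoft\Windows\msupdate.exe"},
    {"EventID": 1, "ComputerName": "WS01", "User": "CORP\\alice",
     "Image": r"C:\Users\alice\AppData\Local\Temp\SysHost32.EXE"},
    {"EventID": 1, "ComputerName": "WS02", "User": "CORP\\bob",
     "Image": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 13, "ComputerName": "WS02", "User": "CORP\\bob",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]
```

triage(SAMPLE_EVENTS) yields the two WS01 events and nothing for WS02, which is the behaviour to confirm against your own Sysmon field names before enabling the rule.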

Takedown Difficulties

  • Decentralized Infrastructure: Each operator runs their own server, making centralized takedowns impossible.
  • Disinformation Strategy: Multilingual advertising (Portuguese, Russian, Chinese, Spanish, English) and mixed infrastructure muddy attribution.
  • Telegram Sales Channels: While visible, takedowns are slow, and new channels quickly replace old ones.

Conclusion

ZeroDayRAT represents a major evolution in spyware: powerful, decentralized, and commercially available. Its blend of surveillance, profiling, and financial theft makes it a persistent threat that is unlikely to disappear soon. For individuals and organizations, vigilance against phishing, smishing, and third‑party app downloads is critical to reducing risk.
