
Sold openly on Telegram channels since February 2, 2026, ZeroDayRAT targets both Android and iOS devices. Attackers get a single browser-based panel for real-time monitoring and direct financial theft.
The toolkit does not just steal data; it reaches into victims' digital and physical lives. Cyberthint's investigation shows it is actively marketed with demos, pricing, and escrow options, combining advanced surveillance with financial theft.
ZeroDayRAT’s Mechanics and Stealthy Spread
ZeroDayRAT starts with a simple purchase on Telegram: attackers receive an APK for Android or a payload for iOS. The primary infection path is smishing: fake SMS links that mimic app updates or legitimate app stores.
Attackers also push manipulative links via WhatsApp, Telegram, or phony app stores. The seller claims compatibility with Android 16 and iOS 26.2, suggesting broad reach and ongoing updates; these claims come from the seller's marketing and have not been independently verified.
The real power lies in its sleek control panel. Upon infection, operators see a full victim profile: device model, battery level, carrier details, top apps, activity timelines, recent calls, and SMS logs.
According to Cyberthint, surveillance ramps up with live GPS tracking plotted on Google Maps, including location history. Attackers can activate the front- and rear-facing cameras and the microphone for ambient listening.
Screen recording captures every action, paired with a keylogger that logs keystrokes, clipboard contents, biometric prompts, and app switches with millisecond timing. Cyberthint spotted demos in which attackers streamed live camera feeds alongside screen captures, even showing handwritten notes.
The financial modules make it especially dangerous. It scans for crypto apps such as MetaMask, Trust Wallet, Binance, and Coinbase and uses clipboard injection (a "clipper") to swap a copied wallet address for the attacker's.
Banking theft works through overlays on Apple Pay, Google Pay, PayPal, and local banking apps, plus real-time OTP capture from SMS. Known IOCs include these indicators observed in the demos:
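The clipboard-swap technique described above is detectable from the victim side because a clipper replaces one address with another of the same chain almost instantly after the user copies it, which a human never does. The following is an added example, not code from the article or from the malware, showing the two checks a wallet app or mobile EDR agent can apply: a timing heuristic over clipboard snapshots, and a paste-time comparison against the value the user actually copied. The address regexes check shape only (no checksum validation), and the snapshot sequence is constructed for the example.

```python
import re
from dataclasses import dataclass

# Address shapes for chains the article names as targets: Ethereum-style wallets
# (MetaMask), Bitcoin, and TRON, which carries USDT TRC-20. Shape only, no checksum.
ADDRESS_PATTERNS = {
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "btc": re.compile(r"^(?:bc1[ac-hj-np-z02-9]{25,87}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "tron": re.compile(r"^T[a-km-zA-HJ-NP-Z1-9]{33}$"),
}


def classify(text: str):
    """Return the chain whose address shape `text` matches, or None for ordinary text."""
    text = text.strip()
    for chain, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return chain
    return None


@dataclass
class Snapshot:
    ts: float      # seconds since the clipboard monitor started
    content: str   # clipboard text observed at that moment


def detect_swaps(snapshots, window=1.0):
    """Flag clipper-like behaviour: an address replaced by a *different* address on the
    same chain within `window` seconds of being copied. A user copying a second address
    seconds or minutes later is not flagged."""
    alerts = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        chain = classify(prev.content)
        if chain is None or prev.content == cur.content:
            continue
        if classify(cur.content) == chain and (cur.ts - prev.ts) <= window:
            alerts.append({
                "chain": chain,
                "copied": prev.content,
                "replaced_with": cur.content,
                "after_s": round(cur.ts - prev.ts, 3),
            })
    return alerts


def paste_is_safe(copied: str, pasted: str) -> bool:
    """Wallet-side guard: the value about to be pasted must equal the value the app
    saw the user copy. Any mismatch means something rewrote the clipboard in between."""
    return copied.strip() == pasted.strip()


# Constructed sample values (not real wallets) for the demonstration below.
ETH_A = "0x" + "ab" * 20     # what the victim copied
ETH_B = "0x" + "cd" * 20     # what a clipper substituted 50 ms later
TRON_A = "T" + "A" * 33
TRON_B = "T" + "B" * 33

SAMPLE_SNAPSHOTS = [
    Snapshot(0.00, ETH_A),
    Snapshot(0.05, ETH_B),              # swapped within the window -> alert
    Snapshot(30.0, "meeting at 3pm"),   # ordinary text, ignored
    Snapshot(45.0, TRON_A),
    Snapshot(90.0, TRON_B),             # different address 45 s later -> legitimate
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_SNAPSHOTS):
        print(f"[{alert['chain']}] {alert['copied']} -> {alert['replaced_with']} "
              f"after {alert['after_s']}s")
    print("paste safe:", paste_is_safe(ETH_A, ETH_B))
```

The timing window is the tunable part: real clippers act on every clipboard change event, so a sub-second replacement is a strong signal, while the paste-time comparison catches the swap regardless of timing and is the check a wallet app can enforce before sending funds.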
| Indicator Type | Value | Notes |
|---|---|---|
| URL Shortener | hxxp://2cm.es/1oDIZ | Used in WhatsApp smishing redirects |
| Hosting Domain | mhko78-gui.github.io | GitHub Pages for phishing payloads |
| Sample Wallet | TQ9… (USDT) | Static addresses in fake panels |
Hosting the lure on GitHub Pages behind a multi-stage redirect chain lets it slip past reputation-based URL filters, since both the shortener and github.io carry a benign reputation.
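To turn the table above into something a SOC can run, here is an added example (not code from the article or Cyberthint) that refangs the published indicators and scans proxy-style log lines for both the shortener URL and the GitHub Pages domain, then reconstructs the multi-stage redirect by pairing a 3xx hit on the shortener with the next request from the same client. The log format, client IPs, timestamps and the `/update.apk` path are all constructed for the example; the elided wallet address from the table is omitted because it is incomplete on the page.

```python
import re
from datetime import datetime
from urllib.parse import urlparse

# Indicators from the article's table, kept in their defanged form as published.
IOCS = [
    {"type": "url", "value": "hxxp://2cm.es/1oDIZ",
     "note": "URL shortener used in WhatsApp smishing redirects"},
    {"type": "domain", "value": "mhko78-gui.github.io",
     "note": "GitHub Pages hosting for phishing payloads"},
]

# Constructed proxy log: "<iso-timestamp> <client> <method> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def refang(value: str) -> str:
    """Undo common defanging so indicators compare against real log data."""
    return (value.replace("hxxps://", "https://")
                 .replace("hxxp://", "http://")
                 .replace("[.]", ".")
                 .replace("[:]", ":"))


def host_matches(host: str, domain: str) -> bool:
    """Exact host or any subdomain of the IOC domain; never a bare substring match."""
    return host == domain or host.endswith("." + domain)


def parse_line(line: str):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    rec["status"] = int(rec["status"])
    rec["host"] = (urlparse(rec["url"]).hostname or "").lower()
    return rec


def ioc_for(rec):
    """Return the first IOC a parsed record matches, or None."""
    for ioc in IOCS:
        value = refang(ioc["value"]).lower()
        if ioc["type"] == "url" and rec["url"].lower() == value:
            return ioc
        if ioc["type"] == "domain" and host_matches(rec["host"], value):
            return ioc
    return None


def scan_logs(lines):
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ioc = ioc_for(rec)
        if ioc is not None:
            hits.append({"client": rec["client"], "url": rec["url"],
                         "ioc": ioc["value"], "note": ioc["note"]})
    return hits


def redirect_chains(lines, window_s=10):
    """Pair a 3xx response on a shortener IOC with the same client's next request
    inside window_s seconds, exposing the multi-stage hop to the payload host."""
    recs = [r for r in map(parse_line, lines) if r is not None]
    chains = []
    for i, rec in enumerate(recs):
        ioc = ioc_for(rec)
        if not (ioc and ioc["type"] == "url" and 300 <= rec["status"] < 400):
            continue
        for nxt in recs[i + 1:]:
            if nxt["client"] == rec["client"] and (nxt["ts"] - rec["ts"]).total_seconds() <= window_s:
                chains.append([rec["url"], nxt["url"]])
                break
    return chains


# Constructed sample log lines for the demonstration.
SAMPLE_LOG = [
    "2026-02-10T09:14:02Z 10.0.0.12 GET http://2cm.es/1oDIZ 302",
    "2026-02-10T09:14:03Z 10.0.0.12 GET https://mhko78-gui.github.io/update.apk 200",
    "2026-02-10T09:15:40Z 10.0.0.31 GET https://github.com/someorg/somerepo 200",
    "2026-02-10T09:16:05Z 10.0.0.31 GET https://example.com/ 200",
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['url']}  [{hit['ioc']}: {hit['note']}]")
    for chain in redirect_chains(SAMPLE_LOG):
        print("redirect chain:", " -> ".join(chain))
```

Matching the domain IOC by host equality or subdomain suffix is deliberate: the point of the github.io abuse is that `github.com` and other Pages sites are legitimate, so a loose substring match on "github" would bury the real hit in noise.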
Threat Reality, Scam Risks, and Defense Essentials
ZeroDayRAT resembles nation-state-grade tooling sold at commodity prices: $250 for daily access, $1,000 weekly, and $3,500 monthly. The sellers offer escrow through the XSS forum, a cybercrime staple that lends legitimacy because outright scammers usually avoid it.
Demos show one-click compromises that rely on trust-building tricks. Yet red flags appear: panel screenshots reveal open ChatGPT tabs such as "Create USDT Wallet Address," alongside static sample addresses.
This OpSec slip suggests the interface may be a flashy fake, though the use of escrow hints at some real functionality. Either way, it joins a rising wave of mobile threats, including the Arsink RAT, the Anatsa trojan, and NFCShare's Ghost Tap, that target point-of-sale fraud.
Users and organizations must act. Do not open suspicious SMS, WhatsApp, or email links, especially urgent ones about shipments or bills, and install apps only from the official stores.
Replace SMS-based 2FA with app authenticators or hardware keys, since the RAT captures OTPs directly from SMS. Deploy mobile EDR/MDM for behavioral checks and IOC scans; standard AV solutions fall short against this class of tooling.
The post ZeroDayRAT Malware Targets Android and iOS, Stealing Sensitive Data From Millions appeared first on Cyber Security News.
