NEW ZeroDayRAT is a commercial mobile spyware toolkit that enables full remote access to Android and iOS devices, with features including live camera feeds, key logging, bank and crypto theft and more, according to SecurityWeek. It is available via Telegram and was first observed on 2 February 2026, having been analysed by iVerify, according to iVerify.
The operators set up a self-hosted panel and a builder to generate payloads that phone home to their infrastructure, with infection requiring delivery of a malicious binary, the article notes. Distribution is via phishing links, smishing, trojanised apps on third-party stores and social engineering, among other methods, and there may be an exploit capability in the toolkit, though this cannot be confirmed, according to Daniel Kelley, a research fellow at iVerify.
Capabilities on a target device include profiling, location tracking with embedded Google Maps, live surveillance such as camera streaming, screen recording and microphone access, and detailed extraction of app usage and account data. SecurityWeek describes ZeroDayRAT as a “complete mobile compromise toolkit” comparable to kits normally requiring nation-state resources to develop.