ZeroDayRAT: Commercial spyware kit offers comprehensive remote control of Android and iOS devices

A newly observed spyware product, distributed through messaging channels, packages an expansive set of offensive features into a turnkey, self-hosted system for mobile compromise. Buyers receive a management panel and payload builder that, once paired with operator infrastructure, can generate installers that phone home to attacker-controlled servers; distribution is left to operators via phishing, trojans, or social engineering. The toolkit collects detailed device and user metadata—device model, OS status, SIM and carrier identifiers, app usage logs and message previews—creating a rich profile for follow-on fraud or targeted deception. It also records and plots location traces on an embedded map, allowing continuous tracking and historical movement reconstruction. The platform supports real-time surveillance: remote camera activation, on-demand screen capture and live audio monitoring enable simultaneous sight, sound and location correlation on a victim. Input capture is comprehensive, recording touch patterns, biometric unlocks and typed characters, which can be used to harvest credentials and other secrets. Financial compromise is implemented in two ways: clipboard-manipulation routines that substitute crypto addresses during transfers, and credential harvesting aimed at account takeover rather than immediate fund transfers. Indicators of infection are subtle and few; battery drain and unexplained outgoing payments may be the earliest observable signs, complicating detection for nontechnical users. The authors appear to obscure origin and intent by advertising in multiple languages and using diverse infrastructure, a tactic that fragments attribution and complicates law enforcement response. Because each customer hosts their own control instance, takedown efforts face a multiplication problem—taking down one server or channel does not eliminate other active instances. Compounding that resilience, separate campaigns have shown operators using droppers masquerading as legitimate utilities and abusing public file or machine-learning asset repositories to host payloads; they rotate hosting links and push automated payload revisions at a rapid cadence to evade removal. The combination of affordable access, powerful monitoring tools and decentralized operations raises the likelihood of targeted extortion, identity theft, and coordinated financial siphoning at scale. Defensive posture should prioritize threat hunting for behavioral anomalies, automated monitoring for transaction integrity, hardened mobile configurations that limit background privilege escalation, and active monitoring of public collaboration platforms and repository hosting to detect illicit payload hosting. The arrival of this product highlights a shift: high-capability mobile surveillance is now available outside traditional state or bespoke markets, changing the risk calculus for high-value individuals, journalists, and financial services.