Security News

Cybersecurity news aggregator

MEDIUM Attacks Dark Reading

In Bypassing MFA, ZeroDayRAT Is 'Textbook Stalkerware'

  • What: A new spyware family called ZeroDayRAT is being sold openly on Telegram.
  • Impact: Attackers can bypass MFA and gain access to SIM, location data, and SMS messages, enabling account takeover and social engineering.

With access to SIM, location data, and a preview of recent SMSes, attackers have everything they need for account takeover or targeted social engineering.

Alexander Culafi, Senior News Writer, Dark Reading
February 10, 2026

A new malware family takes spyware, surveillance, and info-stealing capabilities and bundles them for mass-market criminals. That's according to mobile security vendor iVerify, which published new research today concerning "ZeroDayRAT," a spyware family being sold openly on Telegram. Buyers get access to a panel with direct access to the developer, featuring channels for sales, customer support, and platform updates.

As is typical with these kinds of campaigns, ZeroDayRAT reaches victims through a malicious binary (an APK for Android; a payload for iOS), generally delivered through social engineering. "The most common way that happens is smishing: the victim gets a text with a link, downloads what looks like a legitimate app, and installs it," iVerify threat researcher Daniel Kelley writes. "Phishing emails, fake app stores, and links shared over WhatsApp or Telegram all work too."

The spyware can steal user credentials and financial data, but not just that. ZeroDayRAT is capable of conducting real-time surveillance. Although it may not be as sophisticated as the cutting-edge zero-day exploits sold to nation-state actors, its capabilities resemble commercial spyware to some degree.

Exploited against an organization, this can give the attacker complete access over an employee's mobile device, a potentially devastating threat for the remote workforce. "For enterprises, a compromised employee device is a vector for credential theft, account takeover, and data exfiltration," the blog post reads. "For individuals, it means total loss of privacy and direct financial exposure. Mobile device security needs to be treated with the same urgency as endpoint and email security."

When a ZeroDayRAT Infects a Mobile Device

According to the research blog, support for the malware spans Android 5 through 16 and iOS up to 26. For the attacker, no technical expertise is required. Once a threat actor is in the target's device, they have access to a complete overview of the phone's makeup, including device model, SIM, location data, carrier info, live activity timeline, a preview of recent SMS messages, and more. Every account registered to the device, such as Google, Amazon, and social media accounts, is similarly enumerated and detailed. It's enough to build a complete profile and, Kelley writes, "is basically everything an attacker needs to attempt account takeover or launch targeted social engineering."

These features come with complete control over SMS (including the ability to send messages), effectively bypassing multifactor authentication (MFA). There's also a keylogger, microphone feed, screen recorder, bank stealer, and crypto stealer.

Kelley tells Dark Reading that ZeroDayRAT is "textbook stalkerware." "That makes journalists, activists, and domestic abuse victims all viable targets depending on who is operating it," he says. "Enterprises with loose BYOD policies are also at risk, particularly those without mobile device management or strict app vetting. The victim profile depends entirely on the buyer, but the price point and capability set suggest someone specific is always in mind."

A New Landscape for Mobile RATs

While many malware kits on the market can be bought and sold for the equivalent of a few hundred dollars, Kelley says the threshold for full access is $2,000, putting it outside traditional "script kiddie" territory. The reason for this price point is that the feature set is "comprehensive" and the developer claims it can compromise iOS devices, signaling higher-than-average ambitions.

Despite the high price, financially motivated operators, private investigators, and other buyers with resources widen the target market for surveillance malware, according to Andrew Costis, engineering manager of the adversary research team at security vendor AttackIQ.

"From a risk perspective, this represents a convergence of nation-state-level capabilities with criminal economics," Costis says. "Features once reserved for high-cost, targeted intelligence operations are increasingly commoditized and accessible to financially motivated actors, insider threats, or competitors seeking asymmetric advantage. While the most likely near-term victims remain SMBs and individual users, the same tooling can be repurposed against enterprises through executive targeting, mobile device compromise, or supply-chain access paths."

To combat ZeroDayRAT, organizations can consider a mobile endpoint security tool. They should also prioritize familiarizing themselves with how threat actors abuse social engineering to spread mobile malware.
