xone9to1 markets Pegasus-style zero-click RAT for Android/iOS. Bypasses installs, grabs OTPs/crypto/social data, live camera/mic, device controls. Echoes ZeroDayRAT Telegram sales; forum ads hit April 2 deadline.

No APK/IPA Needed: New RAT Gives Hackers Total Control of Your Phone

The420.in Staff

Threat actor xone9to1 is selling a self-proclaimed “Pegasus-like” zero-click Remote Access Trojan (RAT) spyware on underground cybercrime forums, claiming compatibility with iPhone 17 running iOS 26.2 and Android 5-16 without requiring APK/IPA installation or user interaction.

No-Install Infection Mirrors Pegasus Zero-Clicks

Advertised as exploiting zero-day vulnerabilities in messaging and background processes, the RAT allegedly infects devices silently via system flaws, with no app install, link click, or permission prompt, in the manner of NSO Group's iMessage exploits. The claims echo ZeroDayRAT's cross-platform Telegram sales for real-time surveillance.

Advertised core features include device/SIM/network intel, live GPS tracking with history, real-time notifications, call logs/contacts/SMS (with an OTP viewer), and WhatsApp monitoring. Social media access spans Google, Facebook, Instagram, Twitter, Telegram, and Spotify, with all data said to be extracted without detection.


Device Sabotage & Live Surveillance Suite

Advanced controls enable remote lock/power-off, ringer/brightness manipulation, and DDoS botnet integration. A file manager with encryption, front/back camera streaming, screen recording, microphone access, and a keylogger provide total surveillance, mirroring commercial spyware such as Pegasus variants.

Specialized stealers target MetaMask, Trust Wallet, Binance, UPI, Apple Pay, Google Pay, PayPal—automated credential/financial data exfiltration. Banking trojan capabilities position it for ransomware precursors or targeted fraud campaigns.

xone9to1’s April 2, 2026 forum post follows ZeroDayRAT’s February Telegram launch (Android 5-16/iOS 26 support) and DarkSword’s March iOS zero-clicks (iOS 18.4-18.7). Pegasus-style no-touch infections democratize nation-state tools for cybercriminals.

Forum Sales Model Fuels Accessibility

As with IM-RAT (taken down in 2019) and XWorm, subscription-based panels enable builder customization and C2 hosting. Educational YouTube breakdowns accelerate adoption among mid-tier actors lacking zero-day R&D.

The listing targets the latest iPhone 17 firmware and claims evasion of Memory Integrity Enforcement. The Android 5-16 breadth suggests broad coverage of legacy devices where patching lags, leaving potentially hundreds of millions vulnerable if the claims hold.

Defense: ZeroDayRAT-Like Mitigations Apply

Update to the latest iOS 26.3.1+/Android security patches; enable Lockdown Mode; audit OAuth apps; and monitor for anomalous battery drain or camera usage. Enterprises must scan messaging vectors and restrict background processes, mirroring DarkSword/Salesforce defenses.

Forum commoditization of zero-click capabilities, once NSO exclusives, signals a mobile surveillance arms race. xone9to1's April 2026 entry follows 2023-2026 exploit leaks, transforming state-sponsored tools into cybercrime Malware-as-a-Service.

Journalists, activists, executives, and crypto holders face elevated risks from vishing-free infections. The financial modules target UPI and digital wallets prevalent in India, amplifying the regional threat from global spyware proliferation.

About the author – Rehan Khan is a law student and legal journalist with a keen interest in cybercrime, digital fraud, and emerging technology laws. He writes on the intersection of law, cybersecurity, and online safety, focusing on developments that impact individuals and institutions in India.
