ResokerRAT Uses Telegram Bot API to Control and Persist on Windows Hosts
K7 Security Labs identified ResokerRAT, a Windows remote access trojan that uses Telegram’s Bot API as its command-and-control channel instead of dedicated attacker infrastructure. The malware, delivered as Resoker.exe, polls Telegram endpoints such as getUpdates with hardcoded bot credentials and chat IDs, allowing commands and stolen data to move over trusted HTTPS traffic to api.telegram.org, which can make network-based detection more difficult.
Researchers said the malware supports screen capture, keylogging, file download, privilege escalation, and persistence, while also attempting to evade analysis and disrupt defenders. ResokerRAT creates a mutex, checks for debuggers, relaunches with administrator rights, blocks tools including Task Manager and Process Hacker, weakens UAC-related settings, and adds itself to the Windows Run registry key for startup execution. Defenders were urged to monitor suspicious outbound Telegram API traffic, Run key persistence, restricted PowerShell activity, and user reports that security or system tools suddenly cannot be opened.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Media reports disclose ResokerRAT's Telegram-based C2 and evasion features
News coverage publicized ResokerRAT as a Windows RAT delivered as Resoker.exe that communicates with attackers through hardcoded Telegram bot credentials over HTTPS to api.telegram.org. Reports highlighted its persistence via the Run registry key, interference with tools such as Task Manager and Process Hacker, and recommendations for defenders to monitor suspicious Telegram API traffic and related host-based indicators.
K7 Security Labs publishes technical report on ResokerRAT
A technical report by K7 Security Labs researcher Priyadharshini documented a newly identified Windows remote access trojan called ResokerRAT. The report described its use of Telegram Bot API for command-and-control, along with capabilities including persistence, privilege escalation, anti-analysis, screenshot capture, keylogging, and downloading additional payloads.
Breakglass Intelligence publishes first public report on ResokerRAT
Breakglass Intelligence published an early technical analysis of a newly documented 64-bit Windows RAT called Resoker that used the Telegram Bot API as its sole command-and-control channel. The report detailed active bot infrastructure, capabilities such as screenshots, keylogging, persistence and UAC manipulation, and multiple OPSEC failures that made the malware straightforward to detect.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Novel ResokerRAT malware exploits Telegram API to target Windows systems | brief | SC Media
scworld.com
Open sourceNew ResokerRAT Uses Telegram Bot API to Control Infected Windows Systems
cybersecuritynews.com
Open sourceHackers Deploy Telegram-Based ResokerRAT With Screenshot and Persistence Features - Cyber Security News
cybersecuritynews.com
Open sourceResoker RAT: First Report on a Telegram-Controlled Trojan With Every OPSEC Failure in the Book - Breakglass Intelligence - Breakglass Intelligence
intel.breakglass.tech
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Resoker and CrySome RATs Expand Windows Remote Access and Evasion Capabilities
Security researchers detailed two Windows-focused remote access trojans, **ResokerRAT** and **CrySome RAT**, that use different command-and-control approaches while emphasizing stealth and persistent access on compromised systems. ResokerRAT was reported abusing the **Telegram API** as its control channel, allowing operators to issue commands to infected Windows hosts through a legitimate messaging platform and blend malicious traffic with normal network activity. Analysis described capabilities associated with remote command execution, host control, and data handling, highlighting Telegram-based C2 as a low-cost and resilient mechanism for managing infections. CrySome RAT was separately identified as an advanced **.NET** malware family with a broader feature set aimed at long-term compromise and operator concealment. Researchers said the malware includes **AV-killer** functionality to disable security tools and **HVNC** support, enabling attackers to interact with victim machines through hidden virtual desktop sessions without alerting users. Together, the reports show continued development of commodity and advanced RAT tooling for Windows environments, with threat actors combining trusted services, defense evasion, and covert remote-control features to improve persistence and reduce detection.
Jun 22, 2026
New Remote Access Trojans Expand Stealth and Surveillance Capabilities
Threat researchers reported multiple **remote access trojan (RAT)** developments that emphasize stealth, surveillance, and post-exploitation flexibility. A new **Remcos RAT** variant was observed adding real-time surveillance features (including on-demand webcam streaming) and keystroke transmission, while improving evasion through modular DLL plugins, encrypted C2 with in-memory-only config decryption, and dynamic API resolution; it also attempts to reduce forensic artifacts by deleting collected data (e.g., screenshots, audio, keylogging output, cookies) and removing persistence-related registry entries. Separately, Elastic detailed a **ClickFix** social-engineering campaign that uses compromised legitimate websites as delivery infrastructure to deploy a previously undocumented Windows RAT dubbed **MIMICRAT** (*AstarionRAT*). The intrusion chain includes a multi-stage PowerShell flow with **ETW and AMSI bypass**, a Lua-based shellcode loader, and HTTPS C2 on port `443` using traffic patterns designed to resemble web analytics; the implant supports token impersonation, SOCKS5 tunneling, and a broad command set, with suspected end goals of **ransomware deployment or data theft**. In parallel mobile-focused reporting, Zimperium described **ZeroDayRAT**, a cross-platform Android/iOS spyware-style RAT distributed via social engineering and sideloaded apps, enabling screen capture, keylogging, and credential/file exfiltration, highlighting continued convergence of surveillance and remote-control capabilities across endpoints.
Mar 21, 2026
Phishing and Trojanized Installers Deliver Remote Access Trojans via Multi-Stage, Evasion-Focused Infection Chains
Multiple active malware campaigns are delivering **remote access trojans (RATs)** using deceptive lures and multi-stage execution chains designed to evade endpoint defenses. Malwarebytes reported a campaign dubbed **DEAD#VAX** that distributes a file masquerading as a “PDF” but actually delivered as a **virtual hard disk (`.vhd`)** hosted via **IPFS**; when opened, Windows mounts the VHD and the victim is tricked into launching a **Windows Script File (`.wsf`)** that ultimately deploys **AsyncRAT**. The chain includes anti-analysis checks and **process injection** into Microsoft-signed binaries such as `RuntimeBroker.exe`, `OneDrive.exe`, `taskhostw.exe`, and `sihost.exe`, enabling hands-on-keyboard remote control while minimizing obvious on-disk artifacts. Separately, reporting described **DesckVB RAT v2.9**, a modular **.NET** RAT using an obfuscated **WSH JavaScript** stager followed by **PowerShell**-based anti-analysis checks and an in-memory (“fileless”) loader, emphasizing persistence and a plugin-based architecture for post-compromise capabilities. Another campaign distributes **ValleyRAT** disguised as a legitimate *LINE* installer, targeting **Chinese-speaking users**; it attempts to weaken defenses by using PowerShell to add broad **Windows Defender exclusions**, performs sandbox checks (e.g., mutex/file-locking behaviors), and uses advanced injection (reported as **PoolParty Variant 7** via Windows I/O completion ports) to hide within trusted processes while stealing credentials and maintaining C2 communications.
Mar 21, 2026