Resoker and CrySome RATs Expand Windows Remote Access and Evasion Capabilities
Security researchers detailed two Windows-focused remote access trojans, ResokerRAT and CrySome RAT, that use different command-and-control approaches while emphasizing stealth and persistent access on compromised systems. ResokerRAT was reported abusing the Telegram API as its control channel, allowing operators to issue commands to infected Windows hosts through a legitimate messaging platform and blend malicious traffic with normal network activity. Analysis described capabilities associated with remote command execution, host control, and data handling, highlighting Telegram-based C2 as a low-cost and resilient mechanism for managing infections.
CrySome RAT was separately identified as an advanced .NET malware family with a broader feature set aimed at long-term compromise and operator concealment. Researchers said the malware includes AV-killer functionality to disable security tools and HVNC support, enabling attackers to interact with victim machines through hidden virtual desktop sessions without alerting users. Together, the reports show continued development of commodity and advanced RAT tooling for Windows environments, with threat actors combining trusted services, defense evasion, and covert remote-control features to improve persistence and reduce detection.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
GBHackers reports ResokerRAT hijacks Telegram API for Windows C2
GBHackers reported that ResokerRAT abuses the Telegram API to command infected Windows PCs. The coverage provided further public technical detail on the malware's command-and-control method and targeting.
GBHackers reports CrySome RAT adds AV killer and HVNC features
GBHackers reported on CrySome RAT, highlighting stealth features including an antivirus killer component and hidden virtual network computing functionality. This reflects additional public technical detail about the malware's capabilities.
K7 Labs publishes research on Resoker Telegram-based RAT
K7 Labs published analysis of Resoker, describing it as a remote access trojan that uses Telegram for command-and-control. This appears to be the first public reporting in the provided references on the malware family.
CYFIRMA publishes analysis of CrySome RAT
CYFIRMA released research describing CrySome RAT as an advanced persistent .NET remote access trojan. The report marked a public disclosure of the malware's capabilities and behavior.
Sources
4 references tracked. Mallory keeps watching after this page renders.
ResokerRAT Hijacks Telegram API to Command Infected Windows PCs
gbhackers.com
Open sourceCrySome RAT: Stealthy .NET Malware Adds AV Killer, HVNC Features
gbhackers.com
Open sourceResoker: A Telegram Based Remote Access Trojan - K7 Labs
labs.k7computing.com
Open sourceCrySome RAT : An Advanced Persistent .NET Remote Access Trojan - CYFIRMA
cyfirma.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
New Remote Access Trojans Expand Stealth and Surveillance Capabilities
Threat researchers reported multiple **remote access trojan (RAT)** developments that emphasize stealth, surveillance, and post-exploitation flexibility. A new **Remcos RAT** variant was observed adding real-time surveillance features (including on-demand webcam streaming) and keystroke transmission, while improving evasion through modular DLL plugins, encrypted C2 with in-memory-only config decryption, and dynamic API resolution; it also attempts to reduce forensic artifacts by deleting collected data (e.g., screenshots, audio, keylogging output, cookies) and removing persistence-related registry entries. Separately, Elastic detailed a **ClickFix** social-engineering campaign that uses compromised legitimate websites as delivery infrastructure to deploy a previously undocumented Windows RAT dubbed **MIMICRAT** (*AstarionRAT*). The intrusion chain includes a multi-stage PowerShell flow with **ETW and AMSI bypass**, a Lua-based shellcode loader, and HTTPS C2 on port `443` using traffic patterns designed to resemble web analytics; the implant supports token impersonation, SOCKS5 tunneling, and a broad command set, with suspected end goals of **ransomware deployment or data theft**. In parallel mobile-focused reporting, Zimperium described **ZeroDayRAT**, a cross-platform Android/iOS spyware-style RAT distributed via social engineering and sideloaded apps, enabling screen capture, keylogging, and credential/file exfiltration, highlighting continued convergence of surveillance and remote-control capabilities across endpoints.
Mar 21, 2026
ResokerRAT Uses Telegram Bot API to Control and Persist on Windows Hosts
K7 Security Labs identified **ResokerRAT**, a Windows remote access trojan that uses Telegram’s Bot API as its command-and-control channel instead of dedicated attacker infrastructure. The malware, delivered as `Resoker.exe`, polls Telegram endpoints such as `getUpdates` with hardcoded bot credentials and chat IDs, allowing commands and stolen data to move over trusted HTTPS traffic to `api.telegram.org`, which can make network-based detection more difficult. Researchers said the malware supports **screen capture, keylogging, file download, privilege escalation, and persistence**, while also attempting to evade analysis and disrupt defenders. ResokerRAT creates a mutex, checks for debuggers, relaunches with administrator rights, blocks tools including Task Manager and Process Hacker, weakens UAC-related settings, and adds itself to the Windows Run registry key for startup execution. Defenders were urged to monitor suspicious outbound Telegram API traffic, Run key persistence, restricted PowerShell activity, and user reports that security or system tools suddenly cannot be opened.
Apr 25, 2026
Multiple Remote Access Trojan Campaigns Target Windows and Android via Phishing, App Stores, and Social Platforms
Threat researchers reported several unrelated **RAT-focused malware campaigns** using different delivery channels and evasion techniques. **DEAD#VAX** was described as a Windows phishing operation that delivers **AsyncRAT** via purchase-order lures, abusing **IPFS-hosted VHD** files disguised as PDFs; the mounted VHD drops a multi-stage chain using **WSF**, heavily obfuscated batch scripts, and PowerShell loaders to decrypt and execute x64 shellcode **in memory** by injecting into trusted Windows processes, minimizing on-disk artifacts. Separately, analysis of **Pulsar RAT** activity described persistence via the per-user Run key (`HKCU\Software\Microsoft\Windows\CurrentVersion\Run`), an obfuscated batch dropper in *AppData*, PowerShell-based staging, and **Donut-generated shellcode** injection into processes such as `explorer.exe`, with anti-analysis features and data theft (credentials, wallets, tokens) exfiltrated via **Discord webhooks**. On Android, two distinct campaigns were highlighted. **Anatsa** banking malware was found distributed through **Google Play** in a trojanized “document reader” app that exceeded **50,000 downloads** before detection; the initial app acts as a loader that retrieves the full banking trojan and supports credential theft and C2-driven actions, with reporting attributing discovery and tracking to **Zscaler ThreatLabz**. **Arsink RAT** was reported spreading primarily via **Telegram/Discord** and file-sharing sites (e.g., MediaFire) through fake “mod/pro” apps impersonating major brands; research attributed to **Zimperium** cited **~45,000** victim IPs across **143 countries**, **1,216** malicious APKs, and **317** Firebase Realtime Database C2 endpoints, with capabilities including SMS/OTP theft, call log and contact harvesting, location tracking, and microphone audio capture.
Mar 21, 2026