ResokerRAT Malware Uses Telegram Bot API to Control Windows Systems
Key Takeaways
- A new Remote Access Trojan (RAT), named ResokerRAT, has been discovered targeting Windows operating systems.
- ResokerRAT uniquely leverages the Telegram Bot API for its command-and-control (C2) communications, making detection by traditional security tools challenging.
- The malware possesses extensive capabilities, including screen capture, keylogging, privilege escalation, and the ability to download further malicious payloads.
- K7 Security Labs researchers identified the threat and published a detailed analysis on March 30, 2026.
ResokerRAT: A Covert Threat Using Telegram for C2 Operations on Windows Systems
A sophisticated new Remote Access Trojan (RAT), dubbed ResokerRAT, has emerged, specifically designed to compromise Windows systems. This malware distinguishes itself by exploiting Telegram’s widely used Bot API for its command-and-control (C2) infrastructure and for exfiltrating stolen data, presenting a significant challenge for conventional cybersecurity defenses.
Unlike many traditional malware variants that rely on dedicated C2 servers, ResokerRAT routes all its communications through the trusted Telegram messaging platform. This method allows the threat to blend seamlessly with legitimate network traffic, significantly complicating its detection and blocking by security tools. This approach provides attackers with a highly obfuscated communication channel that appears as routine web activity.
Advanced Capabilities and Evasion Techniques
ResokerRAT is equipped with a comprehensive suite of malicious functionalities. These include the ability to capture screenshots, log keystrokes, escalate privileges on an infected machine, disable Task Manager, and download additional harmful payloads. Once installed, the malware operates stealthily in the background, maintaining an encrypted HTTPS connection to Telegram’s API without providing any visible indicators to the victim.
The use of Telegram is particularly effective for evading detection, as corporate firewalls and network monitoring systems typically trust connections to Telegram API endpoints. This allows the malware to persist undetected for extended periods.
Analysts at K7 Security Labs were instrumental in identifying and documenting this malware. Researcher Priyadharshini released a comprehensive technical report detailing their findings on March 30, 2026. Their investigation revealed that the malware executable, named Resoker.exe, initiates its attack sequence immediately upon execution. This involves a series of initial checks and evasion routines before it establishes contact with the attacker’s Telegram bot.
The K7 Security Labs team observed that ResokerRAT leverages a combination of Windows API calls and hidden PowerShell commands to execute its tasks without alerting the user. To prevent multiple instances from running, Resoker.exe creates a mutex named “GlobalResokerSystemMutex.”
Furthermore, the malware incorporates anti-analysis features. It employs the IsDebuggerPresent API to detect if a debugger or analysis tool is attached. If detected, it triggers custom exception handling to disrupt forensic examination. ResokerRAT also attempts to restart itself with administrator privileges using ShellExecuteExA with the “runas” option, granting it full control over the compromised system.
To further impede security researchers, the malware actively scans for and terminates well-known analysis tools such as Taskmgr.exe, Procexp.exe, and ProcessHacker.exe. It also installs a global keyboard hook via SetWindowsHookExW, which blocks common keyboard shortcuts like ALT+TAB and CTRL+ALT+DEL, effectively trapping the user within the infected session and preventing normal system interaction.
Command-and-Control via Telegram
The most defining characteristic of ResokerRAT is its innovative use of the Telegram Bot API for its entire command-and-control channel. The malware constructs a URL using a hardcoded bot token and chat ID, then repeatedly polls Telegram’s getUpdates endpoint for new instructions from the attackers. Network capture analysis confirms that this traffic is virtually indistinguishable from legitimate Telegram usage, making it extremely difficult to flag.
Through this covert channel, attackers can issue a variety of commands. The /screenshot command executes a hidden PowerShell script to silently capture the screen and save it as a PNG file. The /startup command ensures persistence by adding the malware’s path to the Windows Run registry key, allowing it to survive system reboots. The /download command retrieves additional files from attacker-controlled URLs, again via a hidden PowerShell process. Moreover, the /uac-min command surreptitiously weakens User Account Control by setting ConsentPromptBehaviorAdmin to 0, thereby eliminating security prompts without the user’s knowledge.
All data transmitted by the malware is URL-encoded before delivery, and ResokerRAT maintains a local log of its activities on the infected machine.
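The polling pattern described above is what a defender can look for in proxy or egress logs: one host fetching /bot&lt;token&gt;/getUpdates on a steady timer, sometimes interleaved with uploads. The following detector is an added example written for this article, not code from K7 Security Labs or from the malware; the log format and all hosts, timestamps and tokens in it are constructed, and the fake bot token is reported only by its numeric bot id.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Telegram Bot API URLs have the shape /bot<bot_id>:<secret>/<method>; only the bot id is kept
# in findings so the secret never lands in a ticket or SIEM alert.
BOT_API_RE = re.compile(r"https?://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")

# Constructed proxy log (not from the report): "<iso-timestamp> <client> <method> <url>"
SAMPLE_LOG = """\
2026-03-30T09:00:00 10.0.0.12 GET https://api.telegram.org/bot123456789:AAHfakeTOKENxyz/getUpdates?offset=1
2026-03-30T09:00:05 10.0.0.12 GET https://api.telegram.org/bot123456789:AAHfakeTOKENxyz/getUpdates?offset=1
2026-03-30T09:00:10 10.0.0.12 GET https://api.telegram.org/bot123456789:AAHfakeTOKENxyz/getUpdates?offset=1
2026-03-30T09:00:12 10.0.0.12 POST https://api.telegram.org/bot123456789:AAHfakeTOKENxyz/sendDocument
2026-03-30T09:00:15 10.0.0.12 GET https://api.telegram.org/bot123456789:AAHfakeTOKENxyz/getUpdates?offset=2
2026-03-30T09:00:20 10.0.0.12 GET https://api.telegram.org/bot123456789:AAHfakeTOKENxyz/getUpdates?offset=2
2026-03-30T09:01:00 10.0.0.44 GET https://web.telegram.org/a/
2026-03-30T09:03:00 10.0.0.44 GET https://api.telegram.org/bot987654321:BBGotherTOKEN/getMe
"""

def parse_bot_api_calls(log_text):
    """Yield (timestamp, client, bot_id, secret, method) for Bot API requests only."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of failing the whole run
        m = BOT_API_RE.match(parts[3])
        if m:
            yield datetime.fromisoformat(parts[0]), parts[1], m.group(1), m.group(2), m.group(3)

def find_polling_clients(log_text, min_polls=3, max_jitter=0.25):
    """Return {(client, bot_id): stats} for clients polling getUpdates on a steady timer.
    max_jitter bounds stdev/mean of the gaps between polls; browsers and humans are far noisier."""
    polls, uploads = defaultdict(list), defaultdict(int)
    for ts, client, bot_id, _secret, method in parse_bot_api_calls(log_text):
        if method == "getUpdates":
            polls[(client, bot_id)].append(ts)
        elif method in ("sendDocument", "sendPhoto", "sendMessage"):
            uploads[(client, bot_id)] += 1  # possible exfiltration on the same bot
    findings = {}
    for key, stamps in polls.items():
        if len(stamps) < min_polls:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else 0.0
        if jitter <= max_jitter:
            findings[key] = {"polls": len(stamps), "interval_s": mean, "uploads": uploads[key]}
    return findings
```

On the sample log only 10.0.0.12 is reported: five getUpdates calls five seconds apart with one sendDocument in between, while the single getMe call from 10.0.0.44 stays below the polling threshold.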
What You Should Do
- Exercise Caution with Downloads: Avoid downloading executable files from untrusted links or unknown sources.
- Maintain System Updates: Ensure Windows operating systems and all security software are kept up-to-date with the latest patches to mitigate known vulnerabilities.
- Monitor Network Traffic: Network administrators should actively monitor outbound connections to Telegram API endpoints for any unusual or unexpected patterns.
- Implement Endpoint Protection: Utilize robust endpoint detection and response (EDR) solutions to identify and prevent such threats.
- Strengthen PowerShell Policies: Restrict PowerShell execution policies to prevent unauthorized script execution.
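Two of the changes the report attributes to the /startup and /uac-min commands leave registry evidence that can be checked on a suspect host. The script below is an added example for this article, not K7's code: it parses the text that the Windows `reg query` command prints for the Run key and the UAC policy key, then flags a Run value that launches Resoker.exe and a ConsentPromptBehaviorAdmin value of 0. The registry dump it works on is constructed, not captured from an infected machine.

```python
import re

# Constructed sample in the layout printed by `reg query` (key line, then value lines as
# "    <name>    <type>    <data>"); paths and value names are made up for the example.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    SystemService    REG_SZ    C:\Users\alice\AppData\Roaming\Resoker.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    ConsentPromptBehaviorAdmin    REG_DWORD    0x0
    EnableLUA    REG_DWORD    0x1
"""

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
UAC_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
VALUE_LINE = re.compile(r"^\s{4}(\S+)\s{4}(REG_\w+)\s{4}(.*)$")

def parse_reg_query(text):
    """Return {key_path: {value_name: (type, data)}} from `reg query` output."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.strip()
            keys[current] = {}
        elif current is not None:
            m = VALUE_LINE.match(line)
            if m:
                keys[current][m.group(1)] = (m.group(2), m.group(3))
    return keys

def assess(keys):
    """Flag the persistence entry and the UAC weakening described in the report."""
    findings = []
    for name, (_type, data) in keys.get(RUN_KEY, {}).items():
        # The binary name is the report's own indicator; the value name is attacker-chosen
        # and so is not relied on.
        if "resoker.exe" in data.lower():
            findings.append(f"Run value '{name}' launches the reported binary: {data}")
    consent = keys.get(UAC_KEY, {}).get("ConsentPromptBehaviorAdmin")
    if consent is not None and consent[1].lower() in ("0x0", "0"):
        findings.append("ConsentPromptBehaviorAdmin is 0: administrators elevate without any prompt")
    return findings
```

On a real host, pipe the output of `reg query` for those two keys into parse_reg_query; a ConsentPromptBehaviorAdmin of 0 is worth restoring even when no Run entry is found.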