Threats

ResokerRAT Malware Uses Telegram Bot API to Control Windows Systems

Jennifer Sherman
April 6, 2026

Key Takeaways

  • A new Remote Access Trojan (RAT), named ResokerRAT, targets Windows systems.
  • ResokerRAT uses the Telegram Bot API for its command-and-control (C2) communications, so on the wire it is ordinary HTTPS traffic to api.telegram.org, a destination most security tools treat as trusted.
  • The malware's capabilities include screen capture, keylogging, relaunching itself with administrator privileges, disabling Task Manager, and downloading further malicious payloads.
  • K7 Security Labs researchers identified the threat and published a detailed analysis on March 30, 2026.

ResokerRAT: A Covert Threat Using Telegram for C2 Operations on Windows Systems

A new Remote Access Trojan (RAT), dubbed ResokerRAT, has emerged that targets Windows systems. What sets it apart is that it abuses Telegram's widely used Bot API both for its command-and-control (C2) channel and for exfiltrating stolen data, which defeats defences that rely on blocking known-bad C2 servers.

Unlike malware that relies on dedicated C2 servers, ResokerRAT routes all of its communications through Telegram's public Bot API. Because the connection is TLS to a legitimate, widely used service, the traffic blends in with normal web activity and cannot be blocked on reputation alone: the destination is the same one every legitimate Telegram bot uses.

Advanced Capabilities and Evasion Techniques

ResokerRAT is equipped with a comprehensive set of malicious functions: capturing screenshots, logging keystrokes, relaunching itself with administrator privileges, disabling Task Manager, and downloading additional payloads. Once installed, it runs in the background and keeps an HTTPS connection to Telegram's API, giving the victim no visible indication of infection.

Telegram is effective cover because corporate firewalls and network monitoring systems typically allow connections to Telegram API endpoints, which lets the malware persist undetected for long periods. The flip side is that api.telegram.org is a single, well-known destination: where no business process depends on Telegram bots, outbound access to it can be blocked or alerted on outright.

Analysts at K7 Security Labs identified and documented the malware. Researcher Priyadharshini published a technical report on the findings on March 30, 2026. The investigation found that the executable, named Resoker.exe, begins its attack sequence immediately upon execution, running a series of initial checks and evasion routines before it contacts the attacker's Telegram bot.

The K7 Security Labs team observed that ResokerRAT leverages a combination of Windows API calls and hidden PowerShell commands to execute its tasks without alerting the user. To prevent multiple instances from running, Resoker.exe creates a mutex named “GlobalResokerSystemMutex.”

The malware also incorporates anti-analysis features. It calls the IsDebuggerPresent API to check whether a debugger is attached and, if one is, triggers custom exception handling to disrupt analysis. ResokerRAT further attempts to relaunch itself with administrator privileges using ShellExecuteExA with the "runas" verb. This raises a UAC consent prompt, so the relaunched copy runs elevated only if the user clicks through; once it does, the malware has full control of the compromised system.

To impede analysis further, the malware scans for and terminates well-known tools such as Taskmgr.exe, Procexp.exe, and ProcessHacker.exe. It also installs a global keyboard hook via SetWindowsHookExW to block common shortcuts such as ALT+TAB, effectively trapping the user in the infected session. CTRL+ALT+DEL is also named among the blocked combinations, but as the secure attention sequence it is handled by winlogon and is out of reach of a user-mode keyboard hook; the other shortcuts can be suppressed this way.

Command-and-Control via Telegram

The defining characteristic of ResokerRAT is that its entire command-and-control channel runs over the Telegram Bot API. The malware builds a request URL of the form https://api.telegram.org/bot<token>/<method> from a hardcoded bot token and chat ID, then repeatedly polls the getUpdates method for new instructions from the operators. In network captures this traffic is indistinguishable from legitimate bot usage: the destination, the TLS certificate, and the API shape are all Telegram's own, and the token in the URL path is only visible to a proxy that inspects TLS.

Through this channel the operators issue a variety of commands. The /screenshot command runs a hidden PowerShell script that silently captures the screen and saves it as a PNG file. The /startup command establishes persistence by adding the malware's path to the Windows Run registry key, so it survives reboots. The /download command retrieves additional files from attacker-controlled URLs, again via a hidden PowerShell process. The /uac-min command weakens User Account Control by setting ConsentPromptBehaviorAdmin to 0, which makes administrators elevate without any prompt. That value lives under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and can only be written by an elevated process, which is why the earlier "runas" relaunch matters: the silent elevation this command sets up is only reachable after the user has granted elevation once.

All data transmitted by the malware is URL-encoded before delivery, and ResokerRAT maintains a local log of its activities on the infected machine.

What You Should Do

  • Exercise Caution with Downloads: Avoid running executable files from untrusted links or unknown sources.
  • Maintain System Updates: Keep Windows and all security software patched to mitigate known vulnerabilities.
  • Monitor Network Traffic: Watch outbound connections to Telegram API endpoints (api.telegram.org) for unexpected patterns, in particular regular short-interval polling from a process that is neither a browser nor a Telegram client, and block the destination outright where no business process uses Telegram bots.
  • Implement Endpoint Protection: Use endpoint detection and response (EDR) that records process creation and parent-child relationships, so hidden PowerShell launched by an unknown executable, Run key writes, and changes to ConsentPromptBehaviorAdmin are visible.
  • Strengthen PowerShell Controls: The PowerShell execution policy is not a security boundary (any process can start PowerShell with -ExecutionPolicy Bypass), so rely on application control (AppLocker or WDAC) and Constrained Language Mode to limit what scripts can do, and enable Script Block Logging (event ID 4104) so hidden scripts are still recorded.
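The Bot API polling described above, and the monitoring recommendation that follows from it, can be turned into a concrete check. The script below is an added example written for this article; it is not code from K7 Security Labs or from the malware. It parses web proxy log lines, pulls the bot ID and method out of every api.telegram.org request path, and groups calls per client and bot: a client that polls getUpdates at a steady short interval is flagged as C2 polling, and uploads via sendPhoto/sendDocument/sendMessage are counted as likely exfiltration. The log format (timestamp, client, verb, host, path, user agent), the thresholds, and all of the log lines and bot tokens are constructed assumptions; adjust the line regex to your proxy.

```python
"""Flag Telegram Bot API command-and-control polling in web proxy logs.

Added example for this article, not code from K7 Security Labs or from the
malware. All log lines and bot tokens below are constructed; the log format
and the thresholds are assumptions to adapt to your own proxy.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

TELEGRAM_API_HOST = "api.telegram.org"
# Bot API paths look like /bot<numeric bot id>:<secret>/<method>. The token is
# the credential the RAT hardcodes, so it doubles as a pivot for hunting.
BOT_RE = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{20,})/(?P<method>[A-Za-z]+)")
# Assumed proxy log layout: "<ISO timestamp> <client> <verb> <host> <path> <user agent>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<verb>[A-Z]+) (?P<host>\S+) (?P<path>\S+) (?P<ua>.*)$")
# Methods a bot-driven RAT uses to push stolen data (screenshots, files, keylogs) out.
EXFIL_METHODS = {"sendPhoto", "sendDocument", "sendMessage"}

# Constructed sample: 10.0.0.23 polls getUpdates every 5 s and uploads twice,
# 10.0.0.50 uses Telegram's web client, 10.0.0.77 touches the Bot API once.
SAMPLE_LOG = """\
2026-03-30T10:00:00Z 10.0.0.23 GET api.telegram.org /bot7001234567:AAHconstructedExampleToken000000000/getUpdates?offset=41 Mozilla/5.0
2026-03-30T10:00:05Z 10.0.0.23 GET api.telegram.org /bot7001234567:AAHconstructedExampleToken000000000/getUpdates?offset=41 Mozilla/5.0
2026-03-30T10:00:10Z 10.0.0.23 GET api.telegram.org /bot7001234567:AAHconstructedExampleToken000000000/getUpdates?offset=41 Mozilla/5.0
2026-03-30T10:00:15Z 10.0.0.23 GET api.telegram.org /bot7001234567:AAHconstructedExampleToken000000000/getUpdates?offset=42 Mozilla/5.0
2026-03-30T10:00:16Z 10.0.0.23 POST api.telegram.org /bot7001234567:AAHconstructedExampleToken000000000/sendPhoto Mozilla/5.0
2026-03-30T10:00:20Z 10.0.0.23 GET api.telegram.org /bot7001234567:AAHconstructedExampleToken000000000/getUpdates?offset=42 Mozilla/5.0
2026-03-30T10:00:25Z 10.0.0.23 GET api.telegram.org /bot7001234567:AAHconstructedExampleToken000000000/getUpdates?offset=42 Mozilla/5.0
2026-03-30T10:00:26Z 10.0.0.23 POST api.telegram.org /bot7001234567:AAHconstructedExampleToken000000000/sendDocument Mozilla/5.0
2026-03-30T10:00:30Z 10.0.0.23 GET api.telegram.org /bot7001234567:AAHconstructedExampleToken000000000/getUpdates?offset=42 Mozilla/5.0
2026-03-30T10:01:00Z 10.0.0.50 GET web.telegram.org /k/ Mozilla/5.0
2026-03-30T10:02:00Z 10.0.0.77 GET api.telegram.org /bot7009999999:AAFanotherConstructedToken00000000000/getUpdates Python-requests/2.31
"""


def parse_line(line):
    """Parse one proxy log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def bot_call(path):
    """Return (bot_id, secret, method) for a Bot API request path, else None."""
    m = BOT_RE.match(path)
    return (m["bot_id"], m["secret"], m["method"]) if m else None


def redact(secret):
    """Keep only a short prefix of the token secret so findings can be shared safely."""
    return secret[:4] + "*" * (len(secret) - 4)


def analyse(log_text, min_polls=5, max_jitter=2.0):
    """Group Bot API calls per (client, bot) and classify each group.

    A group is 'c2_polling' when it holds at least min_polls getUpdates calls
    whose spacing varies by no more than max_jitter seconds; anything else is
    reported as 'bot_api_contact' so a human can still triage it.
    """
    calls = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["host"] != TELEGRAM_API_HOST:
            continue
        call = bot_call(rec["path"])
        if call is None:
            continue
        bot_id, secret, method = call
        calls[(rec["client"], bot_id)].append((rec["ts"], method, secret))

    findings = []
    for (client, bot_id), events in sorted(calls.items()):
        events.sort()
        polls = [ts for ts, method, _ in events if method == "getUpdates"]
        exfil = [method for _, method, _ in events if method in EXFIL_METHODS]
        gaps = [(b - a).total_seconds() for a, b in zip(polls, polls[1:])]
        regular = bool(gaps) and (max(gaps) - min(gaps)) <= max_jitter
        verdict = "c2_polling" if len(polls) >= min_polls and regular else "bot_api_contact"
        findings.append({
            "client": client,
            "bot_id": bot_id,
            "token": f"{bot_id}:{redact(events[0][2])}",
            "polls": len(polls),
            "median_gap_s": median(gaps) if gaps else None,
            "exfil_calls": len(exfil),
            "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f)
```

Two caveats when running this against real logs. The request path, and therefore the bot token, is only present if the proxy terminates TLS; with SNI-only visibility you can still apply the cadence test to connection counts per client towards api.telegram.org, but you lose the bot ID. And a network finding on its own tells you which host, not which process: pair it with EDR process telemetry to confirm that the poller is an unknown executable rather than a legitimate bot integration.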

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags: Attack, Exploit, Hacker, Malware, Patch, Security, Threat

Jennifer Sherman

Jennifer is a cybersecurity news reporter covering data breaches, ransomware campaigns, and dark web markets. With a background in incident response, Jennifer provides unique insights into how organizations respond to cyber attacks and the evolving tactics of threat actors. Her reporting has covered major breaches affecting millions of users and has helped organizations understand emerging threats. Jennifer combines technical knowledge with investigative journalism to deliver in-depth coverage of cybersecurity incidents.
