A new threat named ResokerRAT is targeting Windows systems, using Telegram's Bot API to covertly manage infected devices. By routing its command-and-control traffic through a trusted messaging service, this Remote Access Trojan (RAT) avoids the attacker-run server infrastructure that network defenders usually look for, which complicates detection and mitigation.
Innovative Malware Communication Strategies
ResokerRAT distinguishes itself by leveraging a trusted platform, Telegram, for its command-and-control operations. Unlike malware that relies on custom servers, it talks to api.telegram.org over HTTPS, so domain reputation and destination-based blocking see only a legitimate, widely used service. The result is a C2 channel hidden inside traffic that most organizations permit.
The Trojan carries numerous malicious features, including screen capturing, keylogging, and privilege escalation. It also disables Task Manager and downloads additional malware, operating silently on the compromised system.
Technical Insights into ResokerRAT
Research by K7 Security Labs highlighted the technical sophistication of ResokerRAT. According to a report published on March 30, 2026, the malware begins operating as soon as its executable, Resoker.exe, is launched. It runs a series of checks and evasion tactics before contacting the attacker's Telegram bot.
The malware mixes direct Windows API calls with PowerShell commands to carry out its actions discreetly. It creates a named mutex so that only one instance runs at a time, and it checks for an attached debugger, using custom exception handling to frustrate analysis.
ResokerRAT’s Stealth Tactics
ResokerRAT requests administrative privileges through ShellExecuteExA with the 'runas' verb, which triggers a UAC elevation prompt; if the user accepts, the malware gains full control over the system. It also scans for and terminates Task Manager and similar tools so the user cannot see or end its process.
It further installs a global keyboard hook that intercepts common shortcuts, effectively trapping the user in the infected session. For command and control it builds Telegram Bot API URLs that embed the attacker's bot token and chat ID; in network captures this traffic looks like ordinary Telegram activity. Note that the URL path, and with it the token and the Bot API method, travels inside TLS: DNS and SNI inspection reveal only the destination host, while the token and method are visible only where TLS is terminated, such as at a web proxy or by an endpoint agent.
ResokerRAT’s command abilities include capturing screenshots, modifying startup programs to ensure persistence, downloading files, and altering User Account Control settings to reduce security prompts.
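The persistence and UAC changes above are the host-side indicators an analyst would hunt for. The following added example (not code from the report or from the malware) triages Sysmon-style registry value-set events against a small indicator table. The registry locations, the event field layout, the `DWORD (0x...)` data format and all sample paths are assumptions for the example; the K7 report does not state which keys ResokerRAT writes.

```python
import re

# Assumed indicator table: standard Windows locations for Run-key persistence,
# disabling Task Manager and weakening UAC. These are NOT details taken from the
# ResokerRAT report; they are the usual places such behaviour lands.
INDICATORS = [
    # (lowercase key suffix, value name or None for any value, predicate on data, label)
    (r"\software\microsoft\windows\currentversion\run", None,
     lambda d: True, "persistence: Run key"),
    (r"\software\microsoft\windows\currentversion\runonce", None,
     lambda d: True, "persistence: RunOnce key"),
    (r"\software\microsoft\windows\currentversion\policies\system", "disabletaskmgr",
     lambda d: d == "1", "defense evasion: Task Manager disabled"),
    (r"\software\microsoft\windows\currentversion\policies\system", "enablelua",
     lambda d: d == "0", "defense evasion: UAC disabled"),
    (r"\software\microsoft\windows\currentversion\policies\system", "consentpromptbehavioradmin",
     lambda d: d == "0", "defense evasion: UAC prompts silenced"),
]

# Hive prefix, including the per-user SID under HKU, so HKCU\... and HKU\<SID>\... compare equal.
HIVE_RE = re.compile(r"^(HKLM|HKCU|HKU\\[^\\]+)(?=\\)", re.IGNORECASE)
DWORD_RE = re.compile(r"^DWORD \((0x[0-9a-f]+)\)$", re.IGNORECASE)


def normalize_target(target):
    """Split a registry TargetObject into (lowercase key path, lowercase value name), hive stripped."""
    m = HIVE_RE.match(target)
    if not m:
        return None, None
    rest = target[m.end():].lower()          # starts with a backslash
    key, _, value = rest.rpartition("\\")
    return key, value


def normalize_data(details):
    """Turn Sysmon's 'DWORD (0x00000001)' into '1'; leave string data as-is."""
    m = DWORD_RE.match(details.strip())
    return str(int(m.group(1), 16)) if m else details.strip()


def triage(events):
    """Match each value-set event against INDICATORS; return one finding per matching rule."""
    findings = []
    for ev in events:
        key, value = normalize_target(ev["target"])
        if key is None:
            continue
        data = normalize_data(ev["details"])
        for key_suffix, value_name, pred, label in INDICATORS:
            if not key.endswith(key_suffix):
                continue
            if value_name is not None and value != value_name:
                continue
            if pred(data):
                findings.append({"tactic": label, "image": ev["image"],
                                 "target": ev["target"], "data": data})
    return findings


def by_image(findings):
    """Roll findings up per writing process; one image hitting several tactics is the alert."""
    rollup = {}
    for f in findings:
        rollup.setdefault(f["image"], []).append(f["tactic"])
    return rollup


# Constructed sample events (assumed Sysmon Event ID 13 fields); paths are illustrative only.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\alice\Downloads\Resoker.exe",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate",
     "details": r"C:\Users\alice\AppData\Roaming\svc\Resoker.exe"},
    {"image": r"C:\Users\alice\Downloads\Resoker.exe",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr",
     "details": "DWORD (0x00000001)"},
    {"image": r"C:\Users\alice\Downloads\Resoker.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "details": "DWORD (0x00000000)"},
    {"image": r"C:\Windows\System32\svchost.exe",      # re-enabling UAC is not a finding
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "details": "DWORD (0x00000001)"},
    {"image": r"C:\Program Files\Vendor\setup.exe",    # legitimate installer; still reported
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "details": r"C:\Program Files\Vendor\tray.exe"},
]

if __name__ == "__main__":
    for image, tactics in by_image(triage(SAMPLE_EVENTS)).items():
        print(image, "->", tactics)
```

A single Run-key write is routine (installers do it constantly), so the rollup in `by_image` is what turns this into an alert: one unsigned process from a Downloads folder that adds persistence, disables Task Manager and sets EnableLUA to 0 within a short window is the combination described in the report.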
Preventive Measures and Security Recommendations
To protect against threats like ResokerRAT, users should avoid running executables from untrusted sources; the report describes a Trojan that is launched by its victim, not a vulnerability exploit. Organizations should still keep Windows and their security software up to date. Network administrators should monitor connections to Telegram API endpoints, in particular workstations that repeatedly call the Bot API: official Telegram clients do not use the Bot API, so a host polling it for updates is acting as a bot, which on an end-user machine is rarely legitimate.
PowerShell's execution policy is a safety feature rather than a security boundary (a process that launches PowerShell can simply pass -ExecutionPolicy Bypass), so rely instead on script block logging, Constrained Language Mode where feasible, and endpoint detection tools that can catch the mutex creation, debugger checks, UAC prompt and keyboard hook described above before the malware inflicts significant harm.
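The added example below (not code from the report or from ResokerRAT) implements that monitoring recommendation and the URL structure described under Stealth Tactics: it scans constructed proxy log lines for Bot API calls, extracts the embedded bot token, method and chat ID, and flags a host that keeps polling getUpdates or sends files and screenshots. The log format, the token character set and the method groupings are assumptions for the example; the sample token is made up. It only works on logs from a point where TLS is terminated, because the token and method sit in the URL path.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

# Bot API calls look like https://api.telegram.org/bot<token>/<method>. The token is
# "<numeric bot id>:<secret>"; the secret pattern is deliberately lenient (assumption).
BOT_PATH_RE = re.compile(r"^/bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)$")

# Assumed grouping of Bot API methods by what they mean on a workstation.
POLLING_METHODS = {"getUpdates"}                                # bot pulling operator commands
EXFIL_METHODS = {"sendMessage", "sendPhoto", "sendDocument", "sendVideo"}  # data leaving

# Constructed sample proxy log: "<timestamp> <src_ip> <verb> <url> <status>". Not real traffic.
SAMPLE_LOG = """\
2026-03-30T10:00:01Z 10.0.5.21 GET https://api.telegram.org/bot7123456789:AAFexampleTOKENvalue_not_real-01/getUpdates?offset=12&timeout=30 200
2026-03-30T10:00:32Z 10.0.5.21 GET https://api.telegram.org/bot7123456789:AAFexampleTOKENvalue_not_real-01/getUpdates?offset=13&timeout=30 200
2026-03-30T10:00:40Z 10.0.5.21 POST https://api.telegram.org/bot7123456789:AAFexampleTOKENvalue_not_real-01/sendPhoto?chat_id=5550001234 200
2026-03-30T10:01:03Z 10.0.5.21 GET https://api.telegram.org/bot7123456789:AAFexampleTOKENvalue_not_real-01/getUpdates?offset=14&timeout=30 200
2026-03-30T10:01:10Z 10.0.5.22 GET https://web.telegram.org/a/ 200
2026-03-30T10:01:15Z 10.0.5.23 GET https://www.example.com/index.html 200
"""


def parse_line(line):
    """Split one log line into fields; returns None for lines that do not fit the assumed format."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, verb, url, status = parts
    return {"ts": ts, "src": src, "verb": verb, "url": url, "status": status}


def classify_url(url):
    """Return (token, method, chat_id) if url is a Telegram Bot API call, else None."""
    u = urlsplit(url)
    if u.netloc.lower() != "api.telegram.org":
        return None
    m = BOT_PATH_RE.match(u.path)
    if not m:
        return None
    chat_id = parse_qs(u.query).get("chat_id", [None])[0]
    return m.group("token"), m.group("method"), chat_id


def redact_token(token):
    """Keep the bot id and 4 secret chars: the token is the attacker's credential, do not paste it whole into tickets."""
    bot_id, secret = token.split(":", 1)
    return f"{bot_id}:{secret[:4]}{'*' * (len(secret) - 4)}"


def find_bot_c2(log_text, min_polls=3):
    """Group Bot API calls by (source host, token); flag repeated polling or any outbound send."""
    calls = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        hit = classify_url(rec["url"]) if rec else None
        if not hit:
            continue
        token, method, chat_id = hit
        calls[(rec["src"], token)].append((rec["ts"], method, chat_id))

    findings = []
    for (src, token), events in calls.items():
        methods = Counter(m for _, m, _ in events)
        polls = sum(methods[m] for m in POLLING_METHODS)
        exfil = sum(methods[m] for m in EXFIL_METHODS)
        findings.append({
            "src": src,
            "bot_id": token.split(":", 1)[0],
            "token": redact_token(token),
            "chat_ids": sorted({c for _, _, c in events if c}),
            "first_seen": events[0][0],
            "polls": polls,
            "exfil_calls": exfil,
            "suspicious": polls >= min_polls or exfil > 0,
        })
    return findings


if __name__ == "__main__":
    for f in find_bot_c2(SAMPLE_LOG):
        print(f)
```

The bot id and chat ID are the pivot points: the same bot id appearing from several hosts identifies one campaign, and the chat ID is where the operator reads the results. Where only DNS or SNI data is available, the best you get is the destination host, so pair this with the host-side indicators (Resoker.exe process creation, the UAC prompt, registry changes) to confirm.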
