Cyber Web Spider Blog – News
Telegram-Based ResokerRAT Threatens Windows Security

Posted on March 31, 2026 By CWS

A newly discovered remote access trojan, ResokerRAT, uses Telegram's Bot API to covertly control infected Windows computers. The malware stands out by avoiding a traditional command-and-control server altogether, relying instead on a trusted messaging platform to receive commands and exfiltrate stolen information. Because that traffic goes to a legitimate, widely used service over HTTPS, conventional network security controls have a harder time separating it from benign use.

Unconventional Communication Methods

Unlike typical malware, ResokerRAT builds its communication channel on Telegram. Through the Telegram Bot API, the malware receives instructions and sends data back to its operators, which makes its activity hard for security systems to recognize and block. The trojan is delivered as an executable named Resoker.exe which, once run, starts background tasks such as establishing persistence and requesting elevated privileges.

Once active, ResokerRAT can perform a range of harmful tasks, including capturing screenshots, downloading further payloads, and disabling security notifications. Analysts from K7 Security Labs identified its first action as creating a mutex, 'GlobalResokerSystemMutex', so that only one instance runs at a time. The malware also checks for the presence of a debugger and aborts if one is found.

Technical Tactics and Persistence

To gain higher privileges, ResokerRAT attempts to relaunch itself with administrative rights using the 'runas' option. If this succeeds, it closes the original instance and continues under the elevated process. If elevation fails, it reports the error back to the operator via the Telegram bot. The malware also terminates the processes of common analysis tools, obstructing forensic efforts.

ResokerRAT’s persistence is achieved by embedding itself into the Windows registry under the ‘Run’ key, ensuring execution at startup. This method allows it to remain operational even after system reboots, with the malware confirming its startup configuration to the attacker through Telegram.

Security Recommendations and Precautions

Security experts advise monitoring for unauthorized registry entries and for suspicious HTTPS traffic to 'api.telegram.org' from processes that have no business talking to Telegram. Keeping systems patched, avoiding untrusted executables, and watching for sudden failures to open Task Manager or other analysis tools are critical in reducing the risk of infection.
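The two host-side indicators above (a new Run-key autorun entry, and HTTPS traffic to api.telegram.org from an unexpected process) are easy to check for in endpoint telemetry once the events are in hand. The script below is an added example written for this article, not code from K7 Security Labs or from the malware itself: it triages a handful of constructed Sysmon-style events (EventID 13 registry SetValue and EventID 3 NetworkConnect, with the field names Sysmon uses), flags Run/RunOnce writes and Telegram API connections, and raises the severity when one process shows both. The process names, PIDs, paths and the allowlist of legitimate Telegram clients are all assumptions for the demonstration.

```python
"""Triage constructed Sysmon-style events for the two ResokerRAT indicators the
article names: an autorun entry under a Run key, and HTTPS traffic to
api.telegram.org from a process that is not a known Telegram client.
All event records below are constructed sample data, not real telemetry.
"""
from collections import defaultdict

# Registry paths that grant execution at logon (Sysmon reports the full key path).
RUN_KEY_MARKERS = (
    r"\Microsoft\Windows\CurrentVersion\Run",
    r"\Microsoft\Windows\CurrentVersion\RunOnce",
)
TELEGRAM_API_HOST = "api.telegram.org"
# Assumed allowlist of processes for which Telegram API traffic is expected;
# tune this per environment.
EXPECTED_TELEGRAM_CLIENTS = {"telegram.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

SAMPLE_EVENTS = [  # constructed sample data; PIDs, paths and hostnames are assumed
    {"EventID": 13, "ProcessId": 4120, "Image": r"C:\Users\alice\Downloads\Resoker.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Resoker",
     "Details": r"C:\Users\alice\Downloads\Resoker.exe"},
    {"EventID": 3, "ProcessId": 4120, "Image": r"C:\Users\alice\Downloads\Resoker.exe",
     "DestinationHostname": "api.telegram.org", "DestinationPort": 443},
    {"EventID": 3, "ProcessId": 2210, "Image": r"C:\Program Files\Telegram Desktop\Telegram.exe",
     "DestinationHostname": "api.telegram.org", "DestinationPort": 443},
    {"EventID": 13, "ProcessId": 880, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
    {"EventID": 3, "ProcessId": 880, "Image": r"C:\Windows\System32\msiexec.exe",
     "DestinationHostname": "download.microsoft.com", "DestinationPort": 443},
]


def image_basename(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return image.rsplit("\\", 1)[-1].lower()


def is_run_key_write(event: dict) -> bool:
    """True for a registry SetValue whose target sits under a Run/RunOnce key."""
    if event.get("EventID") != 13:
        return False
    target = event.get("TargetObject", "").lower()
    return any(marker.lower() in target for marker in RUN_KEY_MARKERS)


def is_unexpected_telegram_connection(event: dict) -> bool:
    """True for a network connect to api.telegram.org from a non-allowlisted process."""
    if event.get("EventID") != 3:
        return False
    if event.get("DestinationHostname", "").lower() != TELEGRAM_API_HOST:
        return False
    return image_basename(event.get("Image", "")) not in EXPECTED_TELEGRAM_CLIENTS


def triage(events: list) -> dict:
    """Group indicator hits per process.

    A Run-key write alone is 'medium' (installers legitimately do this); a process
    that both persists via a Run key and talks to the Telegram API is 'high'.
    Returns {pid: {"image", "run_key_writes", "telegram_connects", "severity"}}.
    """
    per_process = defaultdict(lambda: {"image": None, "run_key_writes": [], "telegram_connects": 0})
    for ev in events:
        pid = ev.get("ProcessId")
        if is_run_key_write(ev):
            per_process[pid]["image"] = ev.get("Image")
            per_process[pid]["run_key_writes"].append(ev["TargetObject"])
        elif is_unexpected_telegram_connection(ev):
            per_process[pid]["image"] = ev.get("Image")
            per_process[pid]["telegram_connects"] += 1
    findings = {}
    for pid, rec in per_process.items():
        both = bool(rec["run_key_writes"]) and rec["telegram_connects"] > 0
        findings[pid] = {**rec, "severity": "high" if both else "medium"}
    return findings


if __name__ == "__main__":
    for pid, finding in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"[{finding['severity']}] pid={pid} image={finding['image']} "
              f"run_key_writes={len(finding['run_key_writes'])} "
              f"telegram_connects={finding['telegram_connects']}")
```

Run stand-alone, the script reports the constructed Resoker.exe process as high severity (Run-key write plus Telegram API traffic), the msiexec.exe autorun write as medium for review, and nothing for the allowlisted Telegram Desktop client. The same two predicates can be pointed at a real Sysmon export, or translated into the equivalent SIEM rule, without changing the logic.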

In summary, ResokerRAT exemplifies a sophisticated cyber threat employing unconventional communication channels to evade detection. Continuous vigilance and proactive security practices are essential to safeguard systems against such evolving threats.

Copyright © 2026 Cyber Web Spider Blog – News.