A sophisticated new Remote Access Trojan (RAT) known as ResokerRAT is actively targeting Windows systems by leveraging the widely adopted Telegram Bot API for command and control. This innovative approach allows attackers to remotely manage infected machines and exfiltrate sensitive data through a communication channel that is often overlooked by traditional security measures. The discovery highlights a growing trend of malware operators exploiting legitimate, encrypted platforms to mask their malicious activities, presenting a significant challenge for cybersecurity professionals.
ResokerRAT is equipped with an extensive set of intrusive capabilities, including the ability to capture screenshots, log keystrokes, escalate privileges, disable the Task Manager, and download additional malware payloads. Once a system is compromised, the malware operates in the background and establishes an encrypted connection to Telegram’s API. This communication method is particularly insidious because it blends in with legitimate user traffic, making it difficult for network security tools and firewalls, which typically trust Telegram’s infrastructure, to detect and block.
ResokerRAT’s Stealthy Tactics and Evasion Techniques
Security researchers at K7 Security Labs first identified and documented ResokerRAT. Their in-depth analysis, detailed in a report published on March 30, 2026, revealed that the malware executable, identified as Resoker.exe, initiates its attack sequence immediately upon execution. It systematically performs pre-infection checks and employs various evasion routines before establishing contact with the attacker’s Telegram bot. The malware strategically combines Windows API calls with hidden PowerShell commands to execute its operations discreetly, minimizing the chances of alerting the end-user.
To prevent multiple instances from running simultaneously, Resoker.exe creates a unique mutex named “GlobalResokerSystemMutex.” Furthermore, it actively checks for the presence of debugging or analysis tools, utilizing the IsDebuggerPresent API. Should it detect such monitoring, the malware triggers custom exception handling designed to disrupt the inspection process, further complicating analysis efforts. Researchers also observed the malware attempting to restart itself with administrator privileges using the “runas” option via ShellExecuteExA. This elevated access grants the Trojan extensive control over the infected system, allowing it to bypass many security restrictions.
ResokerRAT also employs aggressive anti-analysis measures by scanning for and terminating processes associated with common security and analysis tools, such as Taskmgr.exe, Procexp.exe, and ProcessHacker.exe. To further isolate the infected user and hinder their ability to investigate or terminate malicious processes, the malware installs a global keyboard hook using SetWindowsHookExW. This hook blocks critical keyboard shortcuts like ALT+TAB and CTRL+ALT+DEL, effectively trapping the user within the compromised session and preventing normal system interaction.
Command-and-Control via Telegram
The most notable characteristic of ResokerRAT is its ingenious reliance on the Telegram Bot API as its command-and-control (C2) infrastructure. The malware constructs a specific URL incorporating a hardcoded bot token and chat ID. It then periodically polls Telegram’s getUpdates endpoint to receive new instructions from the threat actors. Network captures have confirmed that this C2 traffic is virtually indistinguishable from ordinary Telegram messaging, making it highly effective at bypassing network monitoring and intrusion detection systems.
Through this Telegram C2 channel, attackers can issue a variety of commands to manipulate the infected system. For instance, the /screenshot command instructs the malware to execute a hidden PowerShell script that silently captures the user’s screen and saves it as a PNG file. The /startup command ensures the malware’s persistence by adding its execution path to the Windows Run registry key, so that it launches automatically after a system reboot. The /download command enables attackers to fetch and execute additional malicious files from URLs they control, again using a hidden PowerShell process. Additionally, the /uac-min command weakens User Account Control by setting ConsentPromptBehaviorAdmin to 0, which configures UAC to elevate administrators without prompting; administrative actions then proceed without the user’s knowledge, further compromising system security.
All data transmitted by ResokerRAT is URL-encoded before being sent over the Telegram API. The malware also maintains a local log of its own activities, providing a forensic trail for attackers to review. Users and organizations are advised to exercise extreme caution when downloading executable files from untrusted sources or clicking on suspicious links. Keeping Windows operating systems and all security software up to date is paramount, as patches close vulnerabilities that malware like ResokerRAT can use to gain a foothold. Network administrators should diligently monitor outbound connections to Telegram API endpoints, in particular workstations calling the Bot API (the /bot&lt;token&gt;/getUpdates polling described above), looking for any unusual or unexpected communication patterns that deviate from normal usage.
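The monitoring advice above can be turned into a concrete hunt over proxy logs. The following added example (not code from the K7 report or from the malware) flags clients that poll the Telegram Bot API getUpdates method at near-constant intervals and lists any other Bot API methods the same client used; the log format, client addresses and bot tokens are constructed placeholders.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy log lines (not from the report), one request per line:
# "<epoch> <client_ip> <method> <host> <path>". Bot tokens are placeholders.
SAMPLE_LOG = """\
1700000000 10.0.0.5 GET api.telegram.org /bot000000:PLACEHOLDER_TOKEN/getUpdates
1700000030 10.0.0.5 GET api.telegram.org /bot000000:PLACEHOLDER_TOKEN/getUpdates
1700000060 10.0.0.5 GET api.telegram.org /bot000000:PLACEHOLDER_TOKEN/getUpdates
1700000061 10.0.0.5 POST api.telegram.org /bot000000:PLACEHOLDER_TOKEN/sendDocument
1700000090 10.0.0.5 GET api.telegram.org /bot000000:PLACEHOLDER_TOKEN/getUpdates
1700000010 10.0.0.9 GET web.telegram.org /k/
1700000500 10.0.0.9 GET api.telegram.org /bot000000:OTHER_PLACEHOLDER/getMe
"""

LINE_RE = re.compile(r"^(\d+) (\S+) \S+ (\S+) (\S+)$")
BOT_API_RE = re.compile(r"^/bot([^/]+)/(\w+)")  # Bot API paths look like /bot<token>/<method>

def find_bot_polling(log_text, min_polls=4, max_jitter=0.25):
    """Return {client_ip: summary} for clients that call getUpdates at near-constant
    intervals. End-user Telegram apps do not normally use the Bot API (bot back-ends do),
    so any workstation hit is notable; regular polling plus upload methods is the C2 pattern."""
    polls = defaultdict(list)   # (client, token) -> getUpdates timestamps
    others = defaultdict(set)   # (client, token) -> other Bot API methods seen
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(3) != "api.telegram.org":
            continue
        b = BOT_API_RE.match(m.group(4))
        if not b:
            continue
        key = (m.group(2), b.group(1))
        if b.group(2) == "getUpdates":
            polls[key].append(int(m.group(1)))
        else:
            others[key].add(b.group(2))
    findings = {}
    for (client, token), ts in polls.items():
        ts.sort()
        if len(ts) < min_polls or ts[-1] == ts[0]:
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        jitter = pstdev(gaps) / mean(gaps)  # 0.0 means perfectly regular beacons
        if jitter <= max_jitter:
            findings[client] = {"polls": len(ts), "mean_interval": mean(gaps),
                                "other_methods": sorted(others[(client, token)]),
                                "token_prefix": token[:6] + "..."}  # never log the full token
    return findings
```

Calling find_bot_polling(SAMPLE_LOG) reports 10.0.0.5 (four getUpdates calls 30 seconds apart plus a sendDocument upload) and ignores 10.0.0.9, which only used the web client and a single getMe call.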
Implementing stricter PowerShell execution policies (together with PowerShell script block logging, since the execution policy alone is not a security boundary) and deploying endpoint detection and response (EDR) tools can significantly enhance an organization’s ability to detect and neutralize threats like ResokerRAT before substantial damage occurs. The ongoing evolution of malware tactics, such as the use of encrypted messaging platforms for C2, underscores the need for continuous adaptation and vigilance in the cybersecurity landscape. The next steps for the cybersecurity community will involve developing more robust detection mechanisms for encrypted C2 traffic and educating users about the risks associated with seemingly innocuous platforms being repurposed for malicious intent.