The Sysdig Threat Research Team (TRT) has discovered a new cross-platform Remote Access Trojan (RAT) dubbed ZynorRAT, written in Go and capable of targeting both Linux and Windows environments. Still in early development, ZynorRAT combines traditional RAT functionality with a unique command-and-control (C2) infrastructure built around Telegram bots, offering attackers a powerful and user-friendly interface for remote control.
According to Sysdig, “It is a Go-based Remote Access Trojan (RAT) that provides a full suite of custom command and control (C2) capabilities for both Linux and Windows.”
ZynorRAT was first uploaded to VirusTotal on July 8, 2025, initially flagged by only 22 of 66 vendors. Just two days later, the detection score dropped to 16/66, suggesting active efforts by the developer to reduce visibility. As Sysdig notes, “We are confident that the developer is actively working on making ZynorRAT malware less detectable, as seen through multiple uploads to VirusTotal, where the detection count drops.”
Based on Telegram logs, network analysis, and reverse-engineering artifacts, Sysdig assesses that the malware is of Turkish origin and may eventually be sold in underground markets.
Once deployed, ZynorRAT connects to a Telegram bot that acts as the central C2 channel. Because Telegram bots are driven through the Telegram Bot API, the C2 traffic is ordinary HTTPS to Telegram's own infrastructure rather than to an attacker-owned server, which spares the operator from hosting anything and lets the traffic blend in where Telegram is already in use. The attacker issues commands in real time from the bot chat, and victim machines typically respond within the same minute.
Key functions include:
- File exfiltration (/fs_get) – retrieves and exfiltrates requested files.
- Directory enumeration (/fs_list) – lists files and directories.
- System profiling (/metrics) – collects IP, hostname, and user details.
- Process listing & termination (/proc_list, /proc_kill) – enumerates or kills processes.
- Screenshot capture (/capture_display) – leverages open-source libraries to grab desktop images.
- Shell execution fallback – any unrecognized command is executed as bash -c <command> with the privileges of the account running the RAT, granting attackers full remote code execution.
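Because the C2 rides on the Telegram Bot API, the most dependable network indicator is a host making a steady stream of Bot API requests to api.telegram.org. The following is an added example, not Sysdig's code or anything from the page, that scans constructed proxy log lines for Bot API calls and flags clients whose request spacing looks like an automated polling loop. The log format, the token and hostnames, the use of sendDocument for file exfiltration, and the thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log lines (not real captures). Assumed format:
# "<ISO timestamp> <client ip> <HTTP method> <url> <status>"
# The token "123456:AAExample" is a placeholder, not a real bot token.
SAMPLE_LOG = """\
2025-07-08T10:00:00Z 10.0.0.7 POST https://api.telegram.org/bot123456:AAExample/getUpdates 200
2025-07-08T10:00:02Z 10.0.0.7 POST https://api.telegram.org/bot123456:AAExample/getUpdates 200
2025-07-08T10:00:04Z 10.0.0.7 POST https://api.telegram.org/bot123456:AAExample/sendDocument 200
2025-07-08T10:00:06Z 10.0.0.7 POST https://api.telegram.org/bot123456:AAExample/getUpdates 200
2025-07-08T10:00:08Z 10.0.0.7 POST https://api.telegram.org/bot123456:AAExample/getUpdates 200
2025-07-08T10:01:00Z 10.0.0.9 GET https://example.com/index.html 200
2025-07-08T10:03:00Z 10.0.0.12 GET https://api.telegram.org/bot987:AAOther/getMe 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
# Telegram Bot API URLs have the shape https://api.telegram.org/bot<token>/<method>
BOT_API_RE = re.compile(r"^https://api\.telegram\.org/bot[^/]+/(\w+)")


def parse_log(text):
    """Yield (timestamp, client, bot_api_method) for Bot API requests only."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, _http_method, url, _status = m.groups()
        api = BOT_API_RE.match(url)
        if api:
            yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, api.group(1)


def find_polling_clients(text, min_requests=4, max_mean_gap_s=10.0):
    """Return {client: summary} for clients whose Bot API calls look like a
    beaconing loop: at least min_requests calls with a short mean spacing.
    Both thresholds are assumptions to be tuned per environment."""
    per_client = defaultdict(list)
    for ts, client, api_method in parse_log(text):
        per_client[client].append((ts, api_method))
    flagged = {}
    for client, events in per_client.items():
        if len(events) < min_requests:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        mean_gap = sum(gaps) / len(gaps)
        if mean_gap <= max_mean_gap_s:
            flagged[client] = {
                "requests": len(events),
                "mean_gap_s": mean_gap,
                "methods": sorted({m for _, m in events}),
            }
    return flagged


if __name__ == "__main__":
    for client, info in find_polling_clients(SAMPLE_LOG).items():
        print(f"{client}: {info['requests']} Bot API calls, "
              f"mean gap {info['mean_gap_s']:.1f}s, methods {info['methods']}")
```

A legitimate Telegram bot running on a workstation would trip the same rule, so the hit is a triage lead rather than a verdict; the host's role and the presence of upload methods such as sendDocument alongside getUpdates are what separate a chat integration from a RAT shipping files out.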
Persistence relies on systemd user services rather than on any exploit: the RAT writes a unit file with a system-sounding name such as system-audio-manager.service into the user's .config directory and enables it, so the malware is started automatically whenever that user's session comes up. Because it is a per-user unit, no root privileges are needed to install it.
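A per-user unit file with a system-sounding name is easy to hunt for once you know to look. The following is an added example, not Sysdig's code or anything from the page, that scans a ~/.config/systemd/user-style directory and flags units whose ExecStart points outside package-managed paths, into hidden or scratch directories, or whose name mimics a system service. The unit contents, the ExecStart path, the benign neighbour unit and the path lists are assumptions made for the example; only the name system-audio-manager.service comes from the report.

```python
import configparser
import tempfile
from pathlib import Path

# Constructed sample units (not real malware artifacts). The disguised name
# system-audio-manager.service is the one cited in the report; its ExecStart
# path and the benign syncthing unit beside it are assumptions.
SAMPLE_UNITS = {
    "system-audio-manager.service": """\
[Unit]
Description=System Audio Manager

[Service]
ExecStart=/home/alice/.config/.cache/audio-manager
Restart=always

[Install]
WantedBy=default.target
""",
    "syncthing.service": """\
[Unit]
Description=Syncthing

[Service]
ExecStart=/usr/bin/syncthing serve --no-browser
Restart=on-failure

[Install]
WantedBy=default.target
""",
}

# Scratch locations from which a persistent daemon should never run.
SUSPICIOUS_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Where package-managed binaries live; anything else deserves a look.
TRUSTED_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/",
                    "/bin/", "/sbin/", "/usr/local/bin/")


def exec_start_binary(unit_text):
    """Return the executable path from [Service] ExecStart, or '' if absent."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(unit_text)
    cmd = cp.get("Service", "ExecStart", fallback="")
    # systemd allows prefixes such as "-", "@", "+" before the path; strip them.
    return cmd.split()[0].lstrip("-@:+!") if cmd.strip() else ""


def assess_unit(name, unit_text):
    """Return a list of reasons the unit is suspicious (empty means it looks benign)."""
    reasons = []
    binary = exec_start_binary(unit_text)
    if not binary:
        return ["no ExecStart"]
    if binary.startswith(SUSPICIOUS_PREFIXES):
        reasons.append(f"ExecStart in scratch dir: {binary}")
    elif not binary.startswith(TRUSTED_PREFIXES):
        reasons.append(f"ExecStart outside package paths: {binary}")
    if "/." in binary:
        reasons.append("ExecStart uses a hidden directory")
    if name.startswith(("system-", "systemd-")):
        reasons.append("name mimics a system unit in a per-user directory")
    return reasons


def scan_user_units(unit_dir):
    """Scan every *.service in unit_dir; return {unit name: reasons} for hits."""
    findings = {}
    for path in sorted(Path(unit_dir).glob("*.service")):
        reasons = assess_unit(path.name, path.read_text())
        if reasons:
            findings[path.name] = reasons
    return findings


def scan_sample_units():
    """Write the constructed units to a temp dir and scan it (self-contained demo)."""
    with tempfile.TemporaryDirectory() as d:
        for name, text in SAMPLE_UNITS.items():
            Path(d, name).write_text(text)
        return scan_user_units(d)


if __name__ == "__main__":
    for name, reasons in scan_sample_units().items():
        print(name, "->", "; ".join(reasons))
```

On a live host, point scan_user_units at ~/.config/systemd/user for each interactive account and compare against the output of systemctl --user list-unit-files, since a unit that is enabled but was never installed by a package is the pattern this persistence technique leaves behind.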
Though compiled as a Windows executable, the Windows version of ZynorRAT appears incomplete. Sysdig explains: “This version of the malware was not adapted for Windows. Despite being compiled as a Windows executable, it performs Linux-only persistence logic using systemd commands and .config paths.”
This suggests the developer may be experimenting with cross-platform deployment but has yet to tailor the RAT for full Windows functionality.
Sysdig’s investigation revealed the repeated appearance of the name “halil” in decompiled binaries and attacker screenshots. The researchers conclude: “It is plausible to think that the attacker’s name or nickname may be ‘halil,’ and that this RAT is the work (in progress) of a single individual.”
Like other underground projects, such as SilentEye, ZynorRAT may eventually be commercialized and sold to other threat actors. However, Sysdig has found no evidence of public sales so far. Other details from Sysdig's investigation include:
- Telegram bot “lraterrorsbot” serves as the main C2.
- Malware samples are distributed via Dosya.co, a Turkish file-sharing service.
- Testing evidence suggests the developer has run the malware on cloud-hosted instances (Google Cloud, Microsoft Azure, Amazon EC2) as well as Turkish IP addresses plausibly linked to the attacker.
ZynorRAT is a work-in-progress malware family that nonetheless already offers a working command set, flexible C2 management via Telegram, and active efforts to evade detection. Though not yet widespread, Sysdig warns that it may soon appear in underground markets once development stabilizes.