A new and sophisticated threat has emerged in the digital landscape, turning a popular messaging app into a weapon for remote surveillance. Researchers at K7 Security Labs have unmasked ResokerRAT, a Remote Access Trojan (RAT) that uniquely leverages the Telegram bot API to “monitor and control an infected system” from afar.
By eschewing traditional command-and-control (C2) servers in favor of Telegram’s legitimate infrastructure, ResokerRAT can “covertly send data back to the attacker” while blending in with normal network traffic. A recent scan showed that 46 out of 73 security vendors already flag the malware as malicious.
ResokerRAT is designed to be both stubborn and invisible. Upon execution, it immediately checks for its own presence by creating a mutex named “Global\ResokerSystemMutex” to ensure “only one instance of the malware runs on the system”.

The malware then engages in a high-stakes game of hide-and-seek with security professionals:
- Anti-Debugging: It uses the IsDebuggerPresent API to detect if it is being analyzed; if caught, it “triggers a custom exception handling logic” to thwart researchers.
- Privilege Escalation: It aggressively “attempts to relaunch the program with administrator privileges” using the “runas” command.
- Process Termination: To prevent its own discovery, it actively scans for and kills security tools like Taskmgr.exe, Procexp.exe, and ProcessHacker.exe.
Once ResokerRAT gains a foothold, it grants the attacker an alarming level of control. It installs a global keyboard hook that doesn’t just log keystrokes; it actively sabotages the user’s ability to fight back. Instead of simple logging, the malware “monitors and blocks specific key combinations” such as ALT + F4, CTRL + SHIFT + ESC, and CTRL + ALT + DEL. By neutralizing these commands, the attacker ensures the victim cannot easily close the malware or open the Task Manager to investigate.
The Trojan supports a suite of remote commands sent directly through Telegram:
| Command | Action | Impact |
|---|---|---|
| /screenshot | Captures the victim’s screen via a hidden PowerShell command. | Visual monitoring of all user activity. |
| /block_taskmgr | Modifies a registry value. | Prevents the user from terminating the malicious process. |
| /startup | Adds its path to the Windows Run registry under “Resoker”. | Establishes permanent persistence on the system. |
| /download | Fetches additional payloads from a specified URL. | Allows the attacker to deploy even more dangerous malware. |
To further weaken the system’s defenses, the /uac-min command “quietly changes a few important registry settings” to disable User Account Control (UAC) prompts and secure desktop features. Crucially, it leaves UAC appearing enabled, since “fully disabling UAC would require a reboot and might raise suspicion”.
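A read-only host triage check for the indicators described above (the mutex, the “Resoker” Run value, the Task Manager block and the quiet UAC changes), added here as an example and not taken from K7’s report. The report does not name the registry values the RAT touches, so the value names used below (DisableTaskMgr, EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop) are the standard Windows policy values and are an assumption about what /block_taskmgr and /uac-min modify.

```powershell
# Added triage script for ResokerRAT indicators (not from the K7 report).
# Run in an elevated PowerShell session; it only reads state and prints findings.
$findings = @()

# 1. Mutex: the RAT creates Global\ResokerSystemMutex to stay single-instance.
$mutex = $null
try {
    if ([System.Threading.Mutex]::TryOpenExisting('Global\ResokerSystemMutex', [ref]$mutex)) {
        $findings += 'Mutex Global\ResokerSystemMutex exists: an instance may be running'
        $mutex.Dispose()
    }
} catch [System.UnauthorizedAccessException] {
    $findings += 'Mutex Global\ResokerSystemMutex exists but could not be opened (access denied)'
}

# 2. Persistence: /startup writes the binary path to a Run value named "Resoker".
foreach ($hive in 'HKCU', 'HKLM') {
    $runKey = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    $val = Get-ItemProperty -Path $runKey -Name 'Resoker' -ErrorAction SilentlyContinue
    if ($val) { $findings += "Run value 'Resoker' in $hive -> $($val.Resoker)" }
}

# 3. Task Manager block: DisableTaskMgr is the standard policy value (assumption:
#    the report says only that /block_taskmgr "modifies the registry value").
$pol = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
if ($pol -and $pol.DisableTaskMgr -eq 1) {
    $findings += 'DisableTaskMgr=1 in HKCU: Task Manager is blocked by policy'
}

# 4. UAC weakening: /uac-min leaves UAC "enabled" (EnableLUA=1) but silences the
#    prompts and the secure desktop. Value names are an assumption (see lead-in).
$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
if ($uac) {
    if ($uac.EnableLUA -eq 1 -and $uac.ConsentPromptBehaviorAdmin -eq 0) {
        $findings += 'UAC on but ConsentPromptBehaviorAdmin=0: admins elevate with no prompt'
    }
    if ($uac.PromptOnSecureDesktop -eq 0) {
        $findings += 'PromptOnSecureDesktop=0: elevation prompts no longer use the secure desktop'
    }
}

if ($findings.Count -eq 0) { 'No ResokerRAT indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

A hit on any single check is not proof of infection on its own (the UAC values can be set by policy or by an administrator), so confirm with the process list and network connections to Telegram’s API before acting.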
ResokerRAT represents a growing trend of malware utilizing trusted platforms like Telegram to evade detection. By “receiving commands such as capturing screenshots, downloading additional payloads, and manipulating system settings,” it provides attackers with a comprehensive toolkit for corporate espionage and data theft. As the malware continues to evolve, K7 Security Labs urges users to maintain robust, updated security software to catch these stealthy intruders before they can call home.