ResokerRAT is a new Remote Access Trojan (RAT) that is controlled through Telegram.

Khushal
Thread author
Apr 4, 2024
ResokerRAT is a Telegram-controlled remote access Trojan that persists, escalates privileges, evades detection, blocks Task Manager, captures screenshots, downloads payloads, and commands the infected host via Telegram bot API.
Thanks for sharing this analysis.

If the K7 write-up is accurate, this is a good example of why Telegram-based RATs are taken seriously.

Why this matters
  • Using Telegram for command-and-control can help attackers blend into normal network traffic.
  • Features like persistence, privilege escalation, screenshot capture, payload download, and Task Manager blocking are consistent with a full-featured RAT.
  • Abuse of legitimate cloud or messaging platforms is not new, but it can make detection and response more difficult in some environments.

Practical takeaway
For defenders, the important point is not just the malware family name, but the behavior:
  • Unexpected outbound connections to Telegram infrastructure
  • Unauthorized persistence mechanisms
  • Task Manager or security tool interference
  • Suspicious child-process activity and follow-on payload downloads
  • Screen capture or surveillance-related behavior

Caution
I cannot independently verify every claim in the blog post from the excerpt alone, so it is best treated as a vendor research report unless confirmed by additional analysis or detections from other sources.

Recommended next steps
  • Check whether other reputable vendors or sandbox reports have published matching indicators or behavior.
  • Review the article for IOCs such as file hashes, domains, mutexes, persistence keys, or process names.
  • If anyone suspects exposure, upload the sample hash or file to VirusTotal and scan the system with a reputable antivirus product.
  • For a potentially infected machine, isolate it from the network first, then collect logs and wait for deeper malware analysis before making high-risk changes.

The key takeaway is that Telegram-backed malware is not notable because of Telegram itself, but because it gives attackers a convenient and resilient control channel.
Executive Summary
ResokerRAT is a Windows-based Remote Access Trojan (RAT) that abuses the Telegram Bot API for command and control (C2).

Telemetry
Confirms its post-exploitation behaviors, including registry modification, process termination, and PowerShell utilization; the initial delivery vector is undocumented.

Assessment
Suggests the threat actor prioritizes stealth and operational security by leveraging a legitimate encrypted service (Telegram) to bypass standard network filtering.

Technical Analysis & Remediations

MITRE ATT&CK Mapping

T1059.001 (Command and Scripting Interpreter: PowerShell)

T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys)

T1134 (Access Token Manipulation)

T1562.001 (Impair Defenses: Disable or Modify Tools)

T1056.001 (Input Capture: Keylogging)

T1071.001 (Application Layer Protocol: Web Protocols)

CVE Profile
NVD Score: N/A (Custom Malware)
CISA KEV Status: Inactive

Telemetry

Hashes

"7a1d6c969e34ea61b2ea7a714a56d143"

IPs
149.154.166.110

Registry Keys
HKCU\Software\Microsoft\Windows\CurrentVersion\Run (Value: "Resoker"), DisableTaskMgr, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop.

Mutex
"Global\ResokerSystemMutex".

Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3 / CSF 2.0)

GOVERN (GV) – Crisis Management & Oversight

Command
Authorize immediate threat hunting operations across all Windows endpoints for the identified ResokerRAT telemetry.

DETECT (DE) – Monitoring & Analysis

Command
Implement SIEM alerts for CreateMutexW calls generating the "Global\ResokerSystemMutex" object.

Command
Monitor EDR telemetry for ShellExecuteExA utilizing the "runas" verb on suspicious or unsigned binaries.

Command
Hunt for hidden PowerShell executions (-WindowStyle Hidden) executing System.Windows.Forms and System.Drawing assemblies, which indicates screenshot activity.

RESPOND (RS) – Mitigation & Containment

Command
Isolate endpoints communicating with api.telegram.org over non-standard or unexpected background processes.

Command
Terminate processes holding the identified mutex and remove the "Resoker" value from HKCU\Software\Microsoft\Windows\CurrentVersion\Run.

RECOVER (RC) – Restoration & Trust

Command
Restore registry values DisableTaskMgr (Default: 0), ConsentPromptBehaviorAdmin (Default: 2), and PromptOnSecureDesktop (Default: 1) to their secure baseline states.

IDENTIFY & PROTECT (ID/PR) – The Feedback Loop

Command
Implement AppLocker or Windows Defender Application Control (WDAC) to restrict unauthorized binary execution and PowerShell abuse.

Remediation - THE HOME USER TRACK (Safety Focus)

Priority 1: Safety

Command
Disconnect from the internet immediately.

Command
Do not log into banking/email until verified clean.

Priority 2: Identity

Command
Reset passwords/MFA using a known clean device (e.g., phone on 5G).

Priority 3: Persistence

Command
Check Scheduled Tasks, Startup Folders, and the Registry (HKCU\Software\Microsoft\Windows\CurrentVersion\Run) for any entry named "Resoker".

Command
If the Task Manager cannot be opened, boot into Safe Mode and run a full system scan with a reputable antivirus solution to automatically repair the modified DisableTaskMgr key.

Hardening & References

Baseline

CIS Benchmarks for Windows 10/11 (Specifically, enforce strict UAC settings and restrict standard user privileges).

Framework
NIST CSF 2.0 / SP 800-61r3.

Source

Labs K7

Malware.news

NIST Cybersecurity Framework (CSF) 2.0

NIST Special Publication 800-61 Revision 3

MITRE ATT&CK® Framework (Enterprise)

CISA Known Exploited Vulnerabilities
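The DETECT, RESPOND and RECOVER steps in the post above can be turned into a single host-triage script. What follows is an added example, not code from the thread or from K7's analysis: it checks the mutex, the "Resoker" Run value, the three policy values against the defaults the post quotes, and live connections to the listed IP, all read-only, and only changes anything when run with -Remediate (which honours -WhatIf). The post names the registry values but not their keys; the HKCU Policies\System path for DisableTaskMgr and the HKLM Policies\System path for the two UAC values are the standard Windows locations and are my assumption, as are the function names.

```powershell
<#
  Added example, not code from the thread or from K7's analysis: read-only triage for the
  ResokerRAT indicators quoted in the post, with an optional -Remediate switch that removes
  the "Resoker" Run value and restores the three registry values to the defaults the post
  states (DisableTaskMgr=0, ConsentPromptBehaviorAdmin=2, PromptOnSecureDesktop=1).
  Run in an elevated PowerShell on the suspect host.
#>
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Remediate)

$RunKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$RunValue  = 'Resoker'
$MutexName = 'Global\ResokerSystemMutex'
$C2Address = '149.154.166.110'   # IP quoted in the post's telemetry section

# Policy values and the secure defaults the post lists. The key paths are the standard
# Windows locations for these values (assumption: the post gives only the value names).
$Baseline = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr';             Expected = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'ConsentPromptBehaviorAdmin'; Expected = 2 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'PromptOnSecureDesktop';      Expected = 1 }
)

function Test-ResokerMutex {
    # Returns $true if any process currently holds the named mutex. TryOpenExisting returns
    # $false when the object does not exist and throws UnauthorizedAccessException when it
    # exists but cannot be opened; for triage purposes the latter also means "present".
    $m = $null
    try {
        $present = [System.Threading.Mutex]::TryOpenExisting($MutexName, [ref]$m)
        if ($m) { $m.Dispose() }
        return $present
    } catch [System.UnauthorizedAccessException] {
        return $true
    }
}

function Get-ResokerRunValue {
    # Returns the command line registered under the "Resoker" Run value, or $null if absent.
    $props = Get-ItemProperty -Path $RunKey -Name $RunValue -ErrorAction SilentlyContinue
    if ($props) { return $props.$RunValue }
    return $null
}

function Get-RegistryDrift {
    # Emits one object per policy value whose current data differs from the documented default.
    # An absent value is left alone: the OS default applies and there is nothing to restore.
    foreach ($b in $Baseline) {
        $current = (Get-ItemProperty -Path $b.Path -Name $b.Name -ErrorAction SilentlyContinue).($b.Name)
        if ($null -ne $current -and $current -ne $b.Expected) {
            [pscustomobject]@{ Path = $b.Path; Name = $b.Name; Current = $current; Expected = $b.Expected }
        }
    }
}

function Get-C2Connections {
    # Lists live TCP connections to the quoted address together with the owning process.
    # Caveat: legitimate Telegram clients use the same infrastructure, so the process
    # name matters more than the connection itself.
    Get-NetTCPConnection -RemoteAddress $C2Address -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                RemotePort    = $_.RemotePort
                State         = $_.State
                OwningProcess = $_.OwningProcess
                ProcessName   = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
            }
        }
}

function Invoke-ResokerRemediation {
    # Removes the persistence value and restores any drifted policy values; supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($null -ne (Get-ResokerRunValue) -and $PSCmdlet.ShouldProcess("$RunKey\$RunValue", 'Remove Run value')) {
        Remove-ItemProperty -Path $RunKey -Name $RunValue
    }
    foreach ($d in Get-RegistryDrift) {
        if ($PSCmdlet.ShouldProcess("$($d.Path)\$($d.Name)", "Set to $($d.Expected)")) {
            Set-ItemProperty -Path $d.Path -Name $d.Name -Value $d.Expected -Type DWord
        }
    }
}

# Triage report: every check above is read-only.
[pscustomobject]@{
    MutexPresent  = Test-ResokerMutex
    RunValue      = Get-ResokerRunValue
    RegistryDrift = @(Get-RegistryDrift)
    C2Connections = @(Get-C2Connections)
} | Format-List

if ($Remediate) { Invoke-ResokerRemediation }
```

Run it once without switches to get the report, then `.\triage.ps1 -Remediate -WhatIf` to see exactly which registry changes would be made before committing them. The script reports that the mutex is held but does not identify the holder; mapping a mutex back to its process needs a handle-enumeration tool such as Sysinternals Handle, after which the process can be terminated as the RESPOND step describes.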