ResokerRAT
ResokerRAT is a newly identified Windows remote access trojan (RAT) analyzed by K7 Security Labs. It targets Windows systems and uses Telegram’s Bot API over HTTPS as its command-and-control channel, polling Telegram’s getUpdates endpoint with hardcoded bot token and chat ID values to receive text-based commands and exfiltrate data, which it URL-encodes before transmission. The malware is delivered as an executable named Resoker.exe and is designed to blend malicious traffic into normal Telegram-related communications rather than relying on a traditional dedicated C2 server.
Reported capabilities include remote tracking and control of infected hosts, screenshot capture, keylogging, downloading and deploying additional payloads, persistence, privilege escalation, and interference with user and analyst tools. On execution, it creates the mutex Global\ResokerSystemMutex to ensure a single instance runs, checks for debugging with IsDebuggerPresent, and triggers custom exception handling when analysis is detected. It attempts to relaunch itself with administrator rights via ShellExecuteExA using the runas option, enumerates running processes, and terminates tools such as Taskmgr.exe, Procexp.exe, and ProcessHacker.exe. Reported behavior also includes blocking Task Manager, installing a global keyboard hook with SetWindowsHookExW, and blocking shortcuts including ALT+TAB and CTRL+ALT+DEL.
For persistence, the /startup command adds the malware path to HKCU\Software\Microsoft\Windows\CurrentVersion\Run using the registry value name Resoker. The /screenshot command runs a hidden PowerShell script, creates a Screenshots folder locally, and saves captured screens as PNG files. The /download command retrieves additional files from attacker-controlled URLs through hidden PowerShell. The /uac-min command modifies UAC-related settings, including setting ConsentPromptBehaviorAdmin to 0 and disabling the secure desktop prompt, in order to weaken Windows security alerts while making UAC appear enabled. High-confidence indicators and artifacts mentioned in reporting include the executable name Resoker.exe, mutex Global\ResokerSystemMutex, persistence via the Run key entry Resoker, and suspicious outbound HTTPS traffic to api.telegram.org from unexpected processes.
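The host artifacts listed above can be turned into a simple triage check. The following is an added example, not code from the K7 report or the Mallory page; the telemetry record layout and field names (event, process, key, value_name, data, target, dest_host) are an assumption, and the allow-list of processes expected to reach api.telegram.org is a placeholder to be tuned per environment.

```python
# Added example (not from the K7 report or the Mallory page): match constructed
# telemetry records against the ResokerRAT artifacts above; record layout is an assumption.

# Artifacts from the write-up above.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Resoker"
MUTEX_NAME = r"Global\ResokerSystemMutex"
UAC_VALUE_NAME = "ConsentPromptBehaviorAdmin"
ANALYSIS_TOOLS = {"taskmgr.exe", "procexp.exe", "processhacker.exe"}
TELEGRAM_API = "api.telegram.org"
# Processes expected to reach the Telegram API (assumption: tune per estate).
TELEGRAM_EXPECTED = {"telegram.exe", "chrome.exe", "msedge.exe", "firefox.exe"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_record(rec: dict) -> list:
    """Return the names of the ResokerRAT indicators matched by one record."""
    hits = []
    proc, kind = _basename(rec.get("process", "")), rec.get("event")
    if proc == "resoker.exe":
        hits.append("image_name")
    if kind == "mutex_create" and rec.get("name") == MUTEX_NAME:
        hits.append("mutex")
    if kind == "registry_set":
        if rec.get("key", "").lower() == RUN_KEY.lower() and rec.get("value_name") == RUN_VALUE_NAME:
            hits.append("run_key_persistence")
        if rec.get("value_name") == UAC_VALUE_NAME and str(rec.get("data")) == "0":
            hits.append("uac_consent_prompt_disabled")
    if kind == "process_terminate" and _basename(rec.get("target", "")) in ANALYSIS_TOOLS:
        hits.append("analysis_tool_killed")
    if (kind == "network_connect" and rec.get("dest_host", "").lower() == TELEGRAM_API
            and proc not in TELEGRAM_EXPECTED):
        hits.append("telegram_api_from_unexpected_process")
    return hits


# Constructed sample telemetry (not a real capture).
RAT = r"C:\Users\u\Resoker.exe"
SAMPLE = [
    {"event": "mutex_create", "process": RAT, "name": MUTEX_NAME},
    {"event": "registry_set", "process": RAT, "key": RUN_KEY, "value_name": "Resoker", "data": RAT},
    {"event": "registry_set", "process": RAT, "value_name": UAC_VALUE_NAME, "data": 0},
    {"event": "process_terminate", "process": RAT, "target": r"C:\Windows\System32\Taskmgr.exe"},
    {"event": "network_connect", "process": RAT, "dest_host": "api.telegram.org"},
    {"event": "network_connect", "process": r"C:\Program Files\Telegram\Telegram.exe", "dest_host": "api.telegram.org"},
]
```

The last sample record shows the allow-list at work: Telegram API traffic from the Telegram client itself produces no hit, while the same destination reached from Resoker.exe does.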
Techniques & procedures
20 distinct techniques documented for this family, organized by ATT&CK tactic.
Persistence (3 techniques)
Aside from supporting commands for visual surveillance, persistence, and further payload retrieval
The /startup command drops the malware’s path into the Windows Run registry key, ensuring it survives reboots.
Privilege Escalation (4 techniques)
ResokerRAT also harnesses ShellExecuteEx to restart with elevated privileges
The malware also attempts to restart itself with administrator rights using ShellExecuteExA with the “runas” option... The /uac-min command quietly weakens User Account Control by setting ConsentPromptBehaviorAdmin to 0, removing security prompts without the user’s knowledge.
Stealth (5 techniques)
When issued, the malware creates a Screenshots folder in its local directory and runs a hidden PowerShell script to capture the full screen, saving it as a PNG file, all without showing any window to the user.
After creating a mutex that ensures lone malware execution in the targeted system
Resoker.exe begins its attack chain immediately upon execution, running a series of pre-checks and evasion routines before making contact with the attacker’s Telegram bot.
Defense Impairment (1 technique)
Credential Access (1 technique)
Discovery (3 techniques)
Collection (2 techniques)
Command and Control (6 techniques)
Communication between the malware and the attacker flows entirely through the Telegram Bot API. The malware constructs a URL using a hardcoded bot token and chat ID to continuously poll Telegram for new instructions.
The most distinctive element of ResokerRAT is its use of the Telegram Bot API as a full command-and-control channel. The malware constructs a URL with a hardcoded bot token and chat ID, then polls Telegram’s getUpdates endpoint for new instructions.
ResokerRAT malware ... leverages Telegram Bot API to facilitate remote tracking and control of compromised systems ... obtains simple text-based commands from Telegram
IOCs tracked for this family
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
3 sources tracked across advisories, community write-ups, and news.
A newly emergent remote access trojan for Windows that uses the Telegram Bot API for command-and-control, performs anti-debugging checks, attempts privilege escalation, enumerates processes, kills monitoring tools, supports surveillance and persistence, retrieves additional payloads, and modifies UAC-related registry keys to reduce security alerts.
Windows remote access trojan that uses the Telegram Bot API for command-and-control, enabling attackers to receive commands and exfiltrate stolen data while blending into trusted traffic. It supports screen capture, keylogging, privilege escalation, Task Manager blocking, persistence via the Run registry key, downloading additional payloads, anti-debugging, termination of analysis tools, keyboard hooking, and UAC weakening.
A Windows remote access trojan delivered as Resoker.exe that uses the Telegram Bot API instead of a traditional C2 server. It establishes persistence via the Run registry key, attempts privilege escalation, performs anti-debugging checks, kills analysis tools, captures screenshots, downloads additional files, weakens UAC protections, and exfiltrates data through Telegram.