A newly discovered Windows malware, known as ResokerRAT, has emerged as a sophisticated threat by leveraging Telegram’s Bot API for its command-and-control (C2) operations. This innovative approach allows the malware to remotely monitor and manipulate infected systems without the need for a conventional server controlled by the attacker.
By integrating seamlessly with legitimate encrypted Telegram traffic, ResokerRAT cleverly obscures its C2 communications, making it increasingly challenging for network defenses to differentiate between malicious activity and standard user behavior.
Upon execution, ResokerRAT creates a mutex named “Global\ResokerSystemMutex” through the CreateMutexW API, ensuring that only one instance of the malware runs on the system at any given time. It then calls IsDebuggerPresent to detect an attached debugger; if one is found, it activates custom exception handling to thwart analysis efforts.
In a bid to enhance its operational capabilities, the malware attempts to relaunch itself with elevated privileges using ShellExecuteEx with the “runas” option. Should this elevation fail, it logs the error and communicates the failure back to its operator via the C2 channel.
ResokerRAT further complicates analysis by enumerating running processes through Process32NextW and terminating known monitoring tools such as Taskmgr.exe, Procexp.exe, and ProcessHacker.exe with the OpenProcess and TerminateProcess API calls. This maneuver hinders analysts from observing its presence on the host.
Additionally, the malware installs a global keyboard hook using SetWindowsHookExW with the WH_KEYBOARD_LL hook type. This is not for keylogging purposes but to obstruct specific defensive key combinations, including ALT+TAB, ALT+F4, CTRL+SHIFT+ESC, CTRL+ALT+DEL, and the Windows key, thereby preventing users and analysts from easily switching tasks or accessing Task Manager.
ResokerRAT Hijacks Telegram API
ResokerRAT operates through a series of simple text-based commands sent via Telegram, each corresponding to a specific function on the compromised host. For instance, it checks running processes using Process32NextW and identifies the names of any monitoring or analysis tools. If these tools are detected, the malware opens the process with OpenProcess and terminates it using TerminateProcess to evade scrutiny.
The /screenshot command generates a “Screenshots” folder adjacent to the malware, launching a concealed PowerShell routine that captures the full screen and saves the output as PNG files for visual surveillance. Meanwhile, the /blocktaskmgr command modifies the DisableTaskMgr registry value to 1, effectively preventing Task Manager from opening, while /unblocktaskmgr resets it to restore normal functionality and minimize user suspicion.
Persistence is maintained through the /startup command, which writes the malware path under HKCU\Software\Microsoft\Windows\CurrentVersion\Run as a value named “Resoker” and reports the successful startup registration back to the attacker. Furthermore, the /uac-min command weakens Windows security prompts by altering several UAC-related registry values, suppressing elevation prompts while keeping UAC seemingly enabled so that the change does not require a reboot.
The /uac-max command can reverse these changes, restoring default UAC behavior while maintaining the appearance of UAC being active. Through the /download command, ResokerRAT can retrieve additional payloads from attacker-specified URLs into a local “downloads” folder, utilizing a hidden PowerShell downloader to verify and report on download success, thus providing operators with a flexible means to deploy secondary tools on compromised systems.
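The registry changes described for /startup, /blocktaskmgr and /uac-min leave a small, auditable footprint. The following is an added example (not code from the article or from the malware) that parses a Windows registry export (`reg export` text) and flags those settings. The Run-key and DisableTaskMgr locations follow the article; the UAC value names (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop under the Policies\System key) are the standard Windows values, which the article does not name, and the export text is constructed, not captured from a real host.

```python
"""Audit a .reg export for ResokerRAT-style persistence and UAC tampering."""
import re
from typing import Dict, List

# Constructed sample export (not a real capture). The "Resoker" Run value and
# DisableTaskMgr=1 mirror the article; the UAC values are the standard ones.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"Resoker"="C:\\Users\\victim\\AppData\\Roaming\\Resoker.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000001
"ConsentPromptBehaviorAdmin"=dword:00000000
"PromptOnSecureDesktop"=dword:00000000
"""

# Key paths are compared case-insensitively, as the registry itself does.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run".lower()
USER_POLICY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System".lower()
UAC_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System".lower()

VALUE_LINE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Minimal .reg parser: {key_path_lowercase: {value_name: value}}.
    Handles REG_SZ ("...") and REG_DWORD (dword:hex); other types are skipped."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
            continue
        m = VALUE_LINE.match(line)
        if not m or current is None:
            continue
        name, data = m.group(1), m.group(2)
        if data.startswith("dword:"):
            keys[current][name] = int(data[len("dword:"):], 16)
        elif data.startswith('"') and data.endswith('"'):
            # .reg files escape backslashes in string data as "\\"
            keys[current][name] = data[1:-1].replace("\\\\", "\\")
    return keys


def audit(keys: Dict[str, Dict[str, object]]) -> List[str]:
    """Return human-readable findings for the settings the article describes."""
    findings: List[str] = []
    for name, path in keys.get(RUN_KEY, {}).items():
        if name == "Resoker" or "resoker" in str(path).lower():
            findings.append(f"run-key persistence: {name} -> {path}")
    if keys.get(USER_POLICY, {}).get("DisableTaskMgr") == 1:
        findings.append("Task Manager disabled via DisableTaskMgr=1")
    uac = keys.get(UAC_KEY, {})
    if uac.get("EnableLUA") == 1 and uac.get("ConsentPromptBehaviorAdmin") == 0:
        findings.append("UAC nominally enabled but admin elevation prompts "
                        "suppressed (ConsentPromptBehaviorAdmin=0)")
    if uac.get("PromptOnSecureDesktop") == 0:
        findings.append("UAC prompts moved off the secure desktop (PromptOnSecureDesktop=0)")
    return findings


if __name__ == "__main__":
    for f in audit(parse_reg(SAMPLE_REG)):
        print("FINDING:", f)
```

On a live host the same logic can be fed the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (and the two Policies\System keys). Note that the UAC check deliberately looks for the combination EnableLUA=1 with ConsentPromptBehaviorAdmin=0, which is exactly the "prompts suppressed but UAC still appears enabled" state the article attributes to /uac-min; an EnableLUA=0 change would be louder and would require a reboot.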
Telegram-Based C2 and MITRE Mapping
For its command-and-control operations, ResokerRAT constructs URLs that embed a hardcoded Telegram bot token and chat ID, polling the Telegram Bot API over HTTPS for new commands while exfiltrating results and logs back through the same channel. Prior to transmission, the malware URL-encodes collected data to ensure reliable delivery across the encrypted application-layer protocol.
Researchers have confirmed the presence of this Telegram traffic in packet captures, validating the active bot-based command retrieval and response mechanism. The malware’s behavior aligns with various MITRE ATT&CK techniques, including PowerShell execution for screenshots and downloads, Run-key persistence, access token manipulation, indirect command execution via hidden PowerShell, and impairing defenses by disabling Task Manager.
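The polling-plus-reporting pattern described above is visible wherever full request URLs are recorded. The following is an added example (not code from the article or its researchers) that scans web-proxy log lines for Telegram Bot API calls, separates command polling (getUpdates) from outbound reporting (sendMessage and similar), decodes the URL-encoded payload, and redacts the bot token secret so findings can be shared. It assumes a TLS-inspecting proxy or endpoint telemetry that logs the full URL; with plain HTTPS, only the host name api.telegram.org is visible (via DNS or SNI), and the check degrades to "non-browser process contacting api.telegram.org". The log format and the bot token are constructed for the example; the token is not a real credential.

```python
"""Detect Telegram Bot API C2 polling and reporting in proxy logs."""
import re
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed log lines (not real captures), one record per line:
#   <epoch> <src_ip> <method> <url> <status> <process>
# The bot token uses the real layout (numeric bot id, colon, secret) but is made up.
SAMPLE_LOG = """\
1700000000 10.0.0.12 GET https://api.telegram.org/bot123456789:AAExampleSecretPartNotRealxxxxxxxxxxx/getUpdates?offset=41 200 Resoker.exe
1700000005 10.0.0.12 GET https://api.telegram.org/bot123456789:AAExampleSecretPartNotRealxxxxxxxxxxx/getUpdates?offset=42 200 Resoker.exe
1700000006 10.0.0.12 GET https://api.telegram.org/bot123456789:AAExampleSecretPartNotRealxxxxxxxxxxx/sendMessage?chat_id=987654321&text=%5Bstartup%5D%20added%20Run%20key 200 Resoker.exe
1700000007 10.0.0.33 GET https://web.telegram.org/a/ 200 chrome.exe
1700000008 10.0.0.12 GET https://api.telegram.org/bot123456789:AAExampleSecretPartNotRealxxxxxxxxxxx/getUpdates?offset=43 200 Resoker.exe
"""

# Bot API paths look like /bot<id>:<secret>/<method>; the secret is captured only to drop it.
BOT_PATH = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]{20,})/(\w+)")
REPORTING_METHODS = ("sendMessage", "sendDocument", "sendPhoto")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, method, url, status, proc = parts
    return {"ts": ts, "src": src, "method": method, "url": url,
            "status": status, "proc": proc}


def classify(rec: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return a redacted finding for a Telegram Bot API call, else None."""
    u = urlsplit(rec["url"])
    if u.hostname != "api.telegram.org":
        return None
    m = BOT_PATH.match(u.path)
    if not m:
        return None
    bot_id, _secret, api_method = m.groups()  # _secret is never stored
    q = parse_qs(u.query)  # parse_qs also percent-decodes the values
    finding = {"src": rec["src"], "proc": rec["proc"],
               "bot_id": bot_id, "api_method": api_method}
    if api_method == "getUpdates":
        finding["kind"] = "command polling"
    elif api_method in REPORTING_METHODS:
        finding["kind"] = "outbound data"
        finding["chat_id"] = q.get("chat_id", ["?"])[0]
        finding["text"] = q.get("text", [""])[0]
    else:
        finding["kind"] = "other bot api call"
    return finding


def scan(log_text: str) -> List[Dict[str, str]]:
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            f = classify(rec)
            if f:
                findings.append(f)
    return findings


def polling_sources(findings: List[Dict[str, str]], min_polls: int = 3) -> Dict[str, int]:
    """Endpoints that polled getUpdates at least min_polls times: a beaconing hint."""
    c = Counter((f["src"], f["proc"]) for f in findings if f["kind"] == "command polling")
    return {f"{src} ({proc})": n for (src, proc), n in c.items() if n >= min_polls}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f)
    print("repeated pollers:", polling_sources(found))
```

Ordinary Telegram desktop and web clients do not call api.telegram.org with a /bot<id>:<secret>/ path, so that path shape alone is a strong signal; the process name and the polling cadence are what turn it into a prioritised alert rather than a hit on a legitimate automation bot.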
Security teams are advised to monitor for unusual Telegram Bot API traffic from endpoints, scrutinize startup and UAC-related registry keys, and implement robust, regularly updated endpoint protection to detect and mitigate ResokerRAT’s components and PowerShell activity chains.
IOCs

| Hash | File Name | Detection name |
| --- | --- | --- |
| 7a1d6c969e34ea61b2ea7a714a56d143 | Resoker.exe | Trojan (0001140e1) |