A new Remote Access Trojan (RAT) called ResokerRAT has been found targeting Windows systems by abusing Telegram\u2019s widely used Bot API to receive commands and send stolen data back to attackers. <\/p>\n
Unlike traditional malware that relies on custom command-and-control servers, this threat routes all communications through a trusted messaging platform, making it far harder for security tools to detect and block. <\/p>\n
The approach gives attackers a well-disguised line of communication that blends into everyday web traffic.<\/a><\/p>\n ResokerRAT carries a wide range of harmful capabilities, including screen capture, keylogging, privilege escalation, Task Manager blocking, and downloading additional malicious payloads onto the infected machine. <\/p>\n Once installed, the malware operates silently in the background, communicating through an encrypted HTTPS connection to Telegram\u2019s API without showing any visible signs to the victim. <\/p>\n Since the connections to Telegram are generally trusted by corporate firewalls and network monitoring filters, this method of delivering commands is particularly effective at staying hidden for extended periods.<\/a><\/p>\n Analysts at K7 Security Labs identified and documented this malware<\/a>, with researcher Priyadharshini publishing a detailed technical report on March 30, 2026. <\/p>\n Their investigation found that the malware executable, Resoker.exe, begins its attack chain immediately upon execution, running a series of pre-checks and evasion routines before making contact with the attacker\u2019s Telegram bot.<\/p>\n The team noted that the malware combines Windows API calls with hidden PowerShell commands<\/a> to carry out its tasks without drawing the user\u2019s attention.<\/a><\/p>\n Once running, Resoker.exe creates a mutex named \u201cGlobalResokerSystemMutex\u201d to ensure only one instance of the malware runs at a time.<\/p>\n It then uses the IsDebuggerPresent API to check whether a debugger or analysis tool is currently attached, and if one is found, it triggers custom exception handling to disrupt the inspection. <\/p>\n The malware also attempts to restart itself with administrator rights using ShellExecuteExA with the \u201crunas\u201d option\u00a0(Figure 4: Administrator Privilege Request)<\/em>, giving it complete control over the infected system.<\/p>\n To keep security researchers at bay, the malware actively scans running processes and terminates well-known analysis tools<\/a> such as Taskmgr.exe, Procexp.exe, and ProcessHacker.exe.<\/p>\n It also installs a global keyboard hook via SetWindowsHookExW, blocking common keyboard shortcuts such as ALT+TAB and CTRL+ALT+DEL, effectively trapping the user inside the infected session and preventing normal system interaction.<\/a><\/p>\n The most distinctive element of ResokerRAT is its use of the Telegram Bot API as a full command-and-control channel. <\/p>\n The malware constructs a URL with a hardcoded bot token and chat ID, then polls Telegram\u2019s getUpdates endpoint for new instructions. <\/p>\n This traffic is nearly indistinguishable from regular Telegram use, as confirmed by network capture analysis.<\/p>\n From this channel, attackers can issue a range of commands. The \/screenshot command runs a hidden PowerShell script to silently capture the screen and save it as a PNG file. The \/startup command drops the malware\u2019s path into the Windows Run registry key, ensuring it survives reboots. <\/p>\n The \/download command fetches additional files from attacker-controlled URLs via a hidden PowerShell process. <\/p>\n The \/uac-min command quietly weakens User Account Control by setting ConsentPromptBehaviorAdmin to 0, removing security prompts without the user\u2019s knowledge.<\/p>\n All transmitted data is URL-encoded before delivery, and the malware keeps a local log of its own activity.<\/a><\/p>\n Users and organizations should avoid downloading executables from untrusted links or unknown sources. Keeping Windows and all security software<\/a> up to date is critical, as patches help close the gaps that malware exploits. <\/p>\n Network administrators should monitor outbound connections to Telegram API endpoints for unusual or unexpected patterns. <\/p>\n Restricting PowerShell execution policies and enabling endpoint detection<\/a> tools can help identify and stop this type of threat before it causes serious damage.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post New ResokerRAT Uses Telegram Bot API to Control Infected Windows Systems<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"Resoker.exe](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhp5HqblPX1I0d7HagYvGZaEuLqmR_ipbjGbx3lRT52llp4zRsBvIh0_MdaAnQW0H-8wbM9Jca04OxTsKuU52bR4Dbo2yiztjKEbu5zJ2WgCrvQXogyouNUFTsRvE5yQQJsrZCUBzmeZaPCO0IarsVP0ZQQoqZDWX_u7khnm_VZtCjxLewtrLchYTriJ3A\/s16000\/Resoker.exe%2520%28Source%2520-%2520K7%2520Security%2520Labs%29.webp?ssl=1\")
![\"Mutex](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhmQjl_hve6d646rHtvTkiLgLRc8uFJkBhHtJWNfNXffwitAaJHu_1T8ojfZCjkg8hxmRN2ZhTeEezRV3KOZUJdX9bgJHdMDkdyMUaE_eYZkFECj7Ke4o5aJwq3YCYjIB-ARv6uX_ekpw5PmGrvQOaMyUfmxg83dA5WKPwCTV0z0ppvPkJYczt8S4fx7ug\/s16000\/Mutex%2520Creation%2520%28Source%2520-%2520K7%2520Security%2520Labs%29.webp?ssl=1\")
![\"Anti-Analysis](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhy5PqofzAWUybTu4pcRg5IJAdozQCgU42ScqwGTrqjdqX78EnlCviL2Ou6qAYeYQ3pjPDra_0BTHZfJFKAqrV-WKSF2YKUpOouFnrXVKhfjlDWg5QyZe84KDUxoknOEq3663S071JQFBMkLaBRA62E6iOWvWjdSP5Oum2FplCqU_MEe9FPQ92p1_F6CDk\/s16000\/Anti-Analysis%2520Debugger%2520Check%2520%28Source%2520-%2520K7%2520Security%2520Labs%29.webp?ssl=1\")
![\"Keyboard](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiIC33wd-rcwh2Up6UcSDC8VeHWNM4s3cjgngIyPDWrpjIjtVuRV03owPpYqdhaw03Vlz4ZUiMqXO8eKVdRsCf8E9xqicFKm_LPJdE_qjN_kp9W5gVDNHNjBnaYe0EANLJk6cqzzVonnNm8ltXUIRlPIjClyGWtfisSEAMCW84HdECMjs4GdDOL08fX500\/s16000\/Keyboard%2520Hook%2520Using%2520SetWindowsHookExW%2520%28Source%2520-%2520K7%2520Security%2520Labs%29.webp?ssl=1\")
Command-and-Control via Telegram<\/strong><\/h2>\n
![\"Telegram](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjGv-DenNxa-Mez16zhCS0B5e-67SkknEu03diXsF2MCNHvvmDYC3ICVmezIo4qaX90JE7Xx1CQ0_pebLL2W8wsWDgX746-PcH9QGxGgyPkWqujHN0Ff8ey79WK0X2ql7k6__Vh4Npj9zVZ8Ok8T_ipUOeTFDrxIYHFNDXw4DRnOPaT4zf4MhcgEhKBTr4\/s16000\/Telegram%2520Bot%2520API%2520URL%2520Used%2520for%2520C2%2520Communication%2520%28Source%2520-%2520K7%2520Security%2520Labs%29.webp?ssl=1\")
![\"Command-and-Control](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiJavnNmTzsgMEx_Tt3VyAkDFCeA_mB8ykA_MoUrM7iBvifGg7rtJ3SIOk6JaJYXcDijmpTe7TUc1lMthX69pUyBfcaUmS8_r9gLw9D7KBPwieTnIxbaNN85YKfJnxUaSAQCTwjxfFCdAuwtkIN-C3HMyKltEfBrL2RJijBhv9rgkf6EgyPLlIMmn8w6vU\/s16000\/Command-and-Control%2520Traffic%2520Observed%2520in%2520Wireshark%2520%28Source%2520-%2520K7%2520Security%2520Labs%29.webp?ssl=1\")