Novel ResokerRAT Malware Exploits Telegram API to Target Windows Systems

SC Media, Apr 7, 2026

Why It Matters

ResokerRAT demonstrates how legitimate messaging platforms can be weaponized, raising the threat level for enterprises that rely on Telegram for communications. Its stealth techniques and privilege escalation capabilities increase the risk of data exfiltration and system compromise.

Key Takeaways

  • ResokerRAT uses Telegram Bot API for command‑and‑control
  • Malware creates mutex to ensure single instance execution
  • Alters UAC registry keys to suppress Windows security prompts
  • Kills monitoring tools, then restarts with elevated privileges via ShellExecuteEx

Pulse Analysis

The resurgence of remote access trojans (RATs) has taken a novel turn with ResokerRAT, which co‑opts the widely used Telegram Bot API as its command‑and‑control channel. By embedding instructions in ordinary text messages, the malware blends into legitimate traffic, making detection by traditional network sensors challenging. This approach reflects a broader trend where threat actors exploit popular consumer platforms to bypass corporate firewalls and avoid raising suspicion among security teams.

From a technical standpoint, ResokerRAT employs several layers of evasion. It generates a mutex to prevent multiple copies from running, thereby reducing its footprint. Using ShellExecuteEx, it restarts itself with elevated privileges, while simultaneously enumerating and terminating monitoring utilities that could flag its activity. The malware also tampers with UAC‑related registry keys, effectively muting Windows security prompts that would otherwise alert users to privilege‑escalation attempts. These tactics enable prolonged, stealthy presence on compromised hosts, facilitating data theft or further payload delivery.

For organizations, the emergence of a Telegram‑based RAT underscores the need for refined monitoring strategies. Security teams should implement deep packet inspection to flag atypical Bot API calls, enforce strict application whitelisting, and regularly audit UAC and startup registry entries for unauthorized modifications. Endpoint detection and response (EDR) solutions must be tuned to recognize the characteristic process‑kill and relaunch patterns exhibited by ResokerRAT. As attackers continue to weaponize everyday communication tools, proactive threat hunting and continuous user education become essential components of a resilient cyber‑defense posture.
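As an added example that is not part of the SC Media article or of any ResokerRAT sample analysis, the Python below turns the monitoring advice above into a small correlation rule: it tags endpoint events for the four behaviours the article describes (Telegram Bot API traffic, UAC registry tampering, termination of monitoring tools, and a relaunch of the same binary at high integrity), then flags a host only when Bot API traffic coincides with at least one other behaviour, so an approved alerting bot is not flagged on its own. The event shape and field names, host names, file paths, the monitoring-tool list and the Medium-to-High relaunch heuristic are constructed assumptions; the UAC value names under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System` and the `https://api.telegram.org/bot<token>/<method>` URL form are real.

```python
import re
from collections import defaultdict

# Real UAC policy values under the Policies\System key; a RAT that mutes
# consent prompts sets these to 0, which is what the registry audit watches for.
UAC_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_VALUES = {"EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop"}

# Telegram Bot API requests look like https://api.telegram.org/bot<token>/<method>;
# an endpoint polling getUpdates is the C2 pattern the article describes.
BOT_API_RE = re.compile(r"^https?://api\.telegram\.org/bot\d+:[\w-]+/(\w+)")
C2_METHODS = {"getUpdates", "sendMessage", "sendDocument"}

# Monitoring utilities a RAT might terminate (constructed list, extend as needed).
MONITOR_TOOLS = {"procmon.exe", "procexp.exe", "taskmgr.exe", "wireshark.exe", "autoruns.exe"}


def tag_event(event, medium_images):
    """Return the behaviour tag for one event, or None if it looks benign.

    `medium_images` is the per-host set of images already started at Medium
    integrity; a later High-integrity start of the same image is treated as the
    ShellExecuteEx-style self-relaunch (a heuristic assumed by this demo).
    """
    kind = event["type"]
    if kind == "net":
        m = BOT_API_RE.match(event["url"])
        if m and m.group(1) in C2_METHODS:
            return "telegram_bot_api"
    elif kind == "reg_set":
        if (event["key"].lower() == UAC_KEY.lower()
                and event["value"] in UAC_VALUES and event["data"] == 0):
            return "uac_tamper"
    elif kind == "proc_term":
        if event["target"].rsplit("\\", 1)[-1].lower() in MONITOR_TOOLS:
            return "monitor_kill"
    elif kind == "proc_create":
        image = event["image"].lower()
        if event["integrity"] == "Medium":
            medium_images.add(image)
        elif event["integrity"] == "High" and image in medium_images:
            return "elevated_relaunch"
    return None


def correlate(events):
    """Map host -> sorted list of behaviour tags, processing events in time order."""
    tags = defaultdict(set)
    medium_images = defaultdict(set)
    for ev in sorted(events, key=lambda e: e["ts"]):
        tag = tag_event(ev, medium_images[ev["host"]])
        if tag:
            tags[ev["host"]].add(tag)
    return {host: sorted(t) for host, t in tags.items()}


def flagged_hosts(events, min_tags=2):
    """Hosts showing Bot API traffic plus at least one other behaviour.

    Requiring a second behaviour keeps a legitimate ops bot that only sends
    messages from being flagged by itself.
    """
    return sorted(host for host, t in correlate(events).items()
                  if "telegram_bot_api" in t and len(t) >= min_tags)


# Constructed sample telemetry in a Sysmon-like shape (not real ResokerRAT IoCs).
# The tokens below are dummies in the real token format, not live bot tokens.
SAMPLE_EVENTS = [
    {"ts": 1, "host": "WS-01", "type": "proc_create",
     "image": r"C:\Users\bob\AppData\Local\Temp\upd.exe", "integrity": "Medium"},
    {"ts": 2, "host": "WS-01", "type": "net",
     "url": "https://api.telegram.org/bot123456789:AAExampleDummyTokenValue_abc/getUpdates"},
    {"ts": 3, "host": "WS-01", "type": "proc_term", "target": r"C:\Tools\Procmon.exe"},
    {"ts": 4, "host": "WS-01", "type": "reg_set", "key": UAC_KEY,
     "value": "EnableLUA", "data": 0},
    {"ts": 5, "host": "WS-01", "type": "proc_create",
     "image": r"C:\Users\bob\AppData\Local\Temp\upd.exe", "integrity": "High"},
    # Approved alerting bot on a server: Bot API traffic alone is not enough.
    {"ts": 6, "host": "MON-01", "type": "net",
     "url": "https://api.telegram.org/bot987654321:AAExampleDummyTokenValue_xyz/sendMessage"},
    # A browser visit to the web client does not match the Bot API pattern.
    {"ts": 7, "host": "WS-02", "type": "net", "url": "https://web.telegram.org/"},
]

if __name__ == "__main__":
    for host, t in correlate(SAMPLE_EVENTS).items():
        print(host, t)
    print("flagged:", flagged_hosts(SAMPLE_EVENTS))
```

Feeding real telemetry into `correlate` only requires mapping your EDR or Sysmon fields onto the constructed `type`, `host`, `ts`, `url`, `key`/`value`/`data`, `target`, `image` and `integrity` names used here; the thresholds and tag set are deliberately simple so the rule is easy to read and to tune against your own baseline of approved Telegram bots.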
