A newly discovered Remote Access Trojan (RAT) dubbed ZynorRAT is raising alarms among security researchers for its cross-platform capabilities and stealthy command-and-control (C2) infrastructure.
First submitted to VirusTotal on July 8, 2025, ZynorRAT’s Go-based binaries for Linux and Windows offer a comprehensive suite of attacker-controlled functions via a Telegram bot, signaling an evolution in malware sophistication and automation.
Modular Attack Framework Leveraging Telegram C2
ZynorRAT establishes its C2 channel through Telegram, embedding the bot token and chat identifier directly in the Go binary.
Upon execution, the RAT polls the Telegram API for commands, executing recognized instructions natively or defaulting to shell execution when commands do not match predefined handlers.
A hardcoded list of commands supports file exfiltration (/fs_get), directory enumeration (/fs_list), process listing (/proc_list), system profiling (/metrics), screenshot capture (/capture_display), persistence installation, and remote shell execution.
The /metrics handler invokes an HTTP request to https://api.ipify.org to retrieve the victim’s public IP, gathers the hostname and current user via Go’s os and os/user packages, then transmits this data back to the Telegram bot.
Directory and process listings employ Go’s runtime.growslice and os/exec packages to concatenate output strings dynamically before sending them through the Telegram API.
File exfiltration is handled by the sendDocument function, which constructs a multipart form payload including the file’s byte buffer and posts it to Telegram’s sendDocument endpoint.
Screenshot capture leverages the open-source kbinani/screenshot library, encoding PNG frames in memory and exfiltrating them via the same multipart API call.
Persistence, Evasion, and Early Stage Development
On Linux, ZynorRAT achieves persistence by deploying a systemd user-service unit under ~/.config/systemd/user/system-audio-manager.service. The service executes the RAT binary on user login and ensures automatic restarts.
Windows binaries appear identical in logic but retain Linux-specific persistence code, suggesting the Windows variant remains under development. Multiple uploads to VirusTotal demonstrate a reduction in detection rates, from 22/66 scanners initially to 16/66 on the second submission, indicating active refinement by the developer.
Indicators of compromise gathered from Telegram C2 logs reveal a mixture of cloud-provider IPs (Google, Amazon EC2) and Turkish network ranges. Reverse engineering uncovered artifacts referencing “halil,” pointing to a probable single-developer origin based in Turkey.
Continued monitoring of underground forums and Telegram channels anticipates a commercial release once development stabilizes.
Detection and Mitigation
Sysdig Secure users benefit from dedicated runtime rules and a YARA signature (MAL_ZYNOR) that detects ZynorRAT in ELF binaries via string matches for main.handleShellCommand, main.handlePersistence, and Telegram API URL patterns.
Runtime notable events for DNS reconnaissance and suspicious domain lookups further flag C2 activity. Incident response teams should monitor for new systemd user services, unusual outgoing HTTPS requests to api.telegram.org, and unexplained process executions via Go-compiled binaries.
As ZynorRAT continues to evolve, defenders must maintain vigilant runtime monitoring and threat hunting to detect its modular functions.
Organizations are urged to update detection rules, enforce network egress controls, and audit user-service directories to mitigate this emerging cross-platform threat.
IoCs
Windows
- 037e5fe028a60604523b840794d06c8f70a9c523a832a97ecaaccd9f419e364a
- 47338da15a35c49bcd3989125df5b082eef64ba646bb7a2db1565bb413b69323
- c890c6e6b7cc6984cd9d9061d285d814841e0b8136286e6fd943013260eb8461
Linux
- 237a40e522f2f1e6c71415997766b4b23f1526e2f141d68ff334de3ff5b0c89f
- 48c2a8453feea72f8d9bfb9c2731d811e7c300f3e1935bddd7188324aab7d30d
- 4cd270b49c8d5c31560ef94dc0bee2c7927d6f3e77173f660e2f3106ae7131c3
- a6c450f9abff8a22445ba539c21b24508dd326522df525977e14ec17e11f7d65
- bceccc566fe3ae3675f7e20100f979eaf2053d9a4f3a3619a550a496a4268ef5
- 8b09ba6e006718371486b3655588b438ade953beecf221af38160cbe6fedd40a
- f9eb2a54e500b3ce42950fb75af30955180360c978c00d081ea561c86e54262d
Domains
- api.telegram.org
Find this Story Interesting! Follow us on Google News , LinkedIn and X to Get More Instant Updates
 dubbed ZynorRAT is raising alarms among security researchers.){kind=link}