A Turkish Price Quote, a WinRAR Zero-Day, and a Telegram Bot Named Roberta: How We Decrypted a RAT's Entire Configuration
CVE-2025-8088 WinRAR exploit delivers a novel Telegram-controlled RAT with decrypted config, live Google Cloud C2, and an active victim in Istanbul
When @smica83 flagged fiyat teklifi.rar -- Turkish for "price quote" -- seen from Germany and tagged as a CVE-2025-8088 exploit, we expected another commodity info stealer wrapped in a WinRAR trick. What we found was a custom Telegram-controlled RAT we're calling MaQ RAT, a live Google Cloud C2 still serving payloads, a 76 MB sample that doesn't exist on VirusTotal, and an active victim in Istanbul whose machine was compromised and beaconing at the time of our investigation.
The WinRAR Exploit: CVE-2025-8088
The RAR archive exploits CVE-2025-8088 -- a path traversal vulnerability in WinRAR's handling of NTFS Alternate Data Streams. The archive contains 30 ADS entries that, when extracted, place Updater.exe directly into the victim's Windows Startup folder. No user interaction beyond opening the archive. No "enable macros" prompt. No second click required.
The victim sees what looks like a Turkish business document -- a price quote, the kind of file exchanged thousands of times daily between companies. The malware lands in Startup silently.
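The defensive counterpart to this delivery chain is to inspect the archive before anything is extracted: walk the RAR5 headers and flag any alternate-data-stream entry whose stream name would escape the extraction directory. The scanner below is an added example for this write-up, not code from the sample or from the published detection rules. It follows the public RAR5 format notes (each header is a CRC32, a variable-length header size, type, flags, optional extra-area and data sizes, then the file-header fields and extra records); the "STM" service-header name and extra-record type 0x07 for the stream name are assumptions taken from those notes, CRC32 fields are not verified, and the archive it scans is constructed in code, not the real fiyat teklifi.rar.

```python
"""Pre-extraction scan of a RAR5 archive for ADS service headers whose stream name
escapes the extraction directory. Added example for this write-up, not the sample's
code or the published rules. Layout per the public RAR5 format notes; the "STM"
service name and extra-record type 0x07 for the stream name are assumptions from
those notes. CRC32 fields are not verified. The demo archive is constructed."""

RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
HEAD_MAIN, HEAD_FILE, HEAD_SERVICE, HEAD_END = 1, 2, 3, 5
HFL_EXTRA, HFL_DATA = 0x01, 0x02          # header flags: extra area / data area present
FHFL_MTIME, FHFL_CRC = 0x02, 0x04         # file flags: mtime / data CRC32 fields present
FHEXTRA_SUBDATA = 0x07                    # extra record type carrying the stream name

def read_vint(buf, pos):
    """Decode a RAR5 variable-length integer: 7 bits per byte, MSB set means continue."""
    value, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos

def vint(n):
    """Encode a RAR5 variable-length integer (only needed to build the demo archive)."""
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)

def parse_headers(data):
    """Yield (type, name, stream_name) for file/service headers until end-of-archive."""
    if not data.startswith(RAR5_MAGIC):
        raise ValueError("not a RAR5 archive")
    pos = len(RAR5_MAGIC)
    while pos < len(data):
        pos += 4                                  # header CRC32 (not verified here)
        head_size, pos = read_vint(data, pos)
        head_end = pos + head_size                # size counts from the type field
        htype, pos = read_vint(data, pos)
        hflags, pos = read_vint(data, pos)
        extra_size = data_size = 0
        if hflags & HFL_EXTRA:
            extra_size, pos = read_vint(data, pos)
        if hflags & HFL_DATA:
            data_size, pos = read_vint(data, pos)
        if htype == HEAD_END:
            return
        if htype in (HEAD_FILE, HEAD_SERVICE):
            fflags, pos = read_vint(data, pos)
            for _ in range(2):                    # unpacked size, attributes
                _, pos = read_vint(data, pos)
            pos += (4 if fflags & FHFL_MTIME else 0) + (4 if fflags & FHFL_CRC else 0)
            for _ in range(2):                    # compression info, host OS
                _, pos = read_vint(data, pos)
            name_len, pos = read_vint(data, pos)
            name = data[pos:pos + name_len].decode("utf-8", "replace")
            stream, pos = None, head_end - extra_size   # extra area ends the header
            while pos < head_end:
                rec_size, pos = read_vint(data, pos)
                rec_end = pos + rec_size
                rec_type, pos = read_vint(data, pos)
                if rec_type == FHEXTRA_SUBDATA:
                    stream = data[pos:rec_end].decode("utf-8", "replace")
                pos = rec_end
            yield htype, name, stream
        pos = head_end + data_size                # skip packed data

def find_traversal_streams(data):
    """Return stream names of ADS entries that would land outside the extraction dir."""
    hits = []
    for htype, name, stream in parse_headers(data):
        if htype != HEAD_SERVICE or name != "STM" or stream is None:
            continue
        norm = stream.replace("\\", "/")
        if ".." in norm.split("/") or norm.startswith("/") or norm[1:3] == ":/":
            hits.append(stream)
    return hits

def _header(htype, name, payload=b"", stream=None):
    """Encode one file/service header for the demo archive (CRC field left zero)."""
    body = vint(0) + vint(len(payload)) + vint(0x20) + vint(0) + vint(0)  # flags, size, attrs, comp, os
    body += vint(len(name.encode())) + name.encode()
    extra = b""
    if stream is not None:
        rec = vint(FHEXTRA_SUBDATA) + stream.encode()
        extra = vint(len(rec)) + rec
    fields = vint(htype) + vint(HFL_DATA | (HFL_EXTRA if extra else 0))
    fields += (vint(len(extra)) if extra else b"") + vint(len(payload)) + body + extra
    return b"\0\0\0\0" + vint(len(fields)) + fields + payload

def build_demo_archive():
    """Constructed archive: decoy document, a benign ADS, and one ADS aimed at Startup."""
    startup = "..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Updater.exe"
    main = vint(HEAD_MAIN) + vint(0) + vint(0)
    end = vint(HEAD_END) + vint(0) + vint(0)
    return (RAR5_MAGIC + b"\0\0\0\0" + vint(len(main)) + main
            + _header(HEAD_FILE, "teklif.pdf", b"%PDF-1.4 decoy")
            + _header(HEAD_SERVICE, "STM", b"[ZoneTransfer]", stream="Zone.Identifier")
            + _header(HEAD_SERVICE, "STM", b"MZ", stream=startup))
```

Running `find_traversal_streams(build_demo_archive())` returns only the Startup-bound stream; the Zone.Identifier stream, the kind Windows itself attaches to downloaded files, passes. On a mail gateway or sandbox the same check applies to the raw attachment bytes, which is why it deliberately ignores the header CRCs: an archive with deliberately bad CRCs should still be scanned, not skipped.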
Stage 1: The Downloader
Updater.exe is a 6.6 KB .NET binary with a single purpose: download the real payload from a Google Cloud instance at 34[.]69[.]246[.]76 and execute it. It's small enough to avoid heuristic detection and generic enough to pass static analysis.
Stage 2: MaQ RAT
The downloaded payload -- WindowsServices.exe -- is a 76 MB PyInstaller-packaged Python 3.13 application. At the time of our investigation, this binary did not exist on VirusTotal. We captured it directly from the live C2.
MaQ RAT communicates exclusively through Telegram Bot API via the bot @Roberta3358_bot, with FTP as a secondary exfiltration channel. The entire command-and-control infrastructure runs through Telegram's servers -- legitimate traffic that blends with the billions of Telegram API calls made daily.
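Blending with legitimate Telegram traffic works at the network level, but every Bot API call carries the bot token in its URL path, so a TLS-inspecting proxy log exposes the bot id, the client talking to it and the methods it calls. The script below is an added example for this write-up, not the RAT's code or the published Suricata rules: it pulls Bot API calls out of proxy log lines, redacts the token to a pivotable bot id, and marks a client as C2-like when it both polls getUpdates for commands and pushes files or media through the same bot. The log lines, client addresses, bot id and token secret are all constructed; without TLS inspection only the SNI api.telegram.org is visible and the heuristic has to fall back on which process on the endpoint is making the connection.

```python
"""Spot Telegram Bot API command-and-control in web-proxy logs.

Added example for this write-up, not the malware's code or the published rules.
A bot token has the shape <numeric bot id>:<35-char secret>; both appear in the
URL path of every Bot API call. The log lines and the token below are constructed;
the token is not a real credential.
"""
import re
from collections import Counter, defaultdict

BOT_CALL = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d{6,12}):(?P<secret>[A-Za-z0-9_-]{35})"
    r"/(?P<method>[A-Za-z]+)")

# Methods a RAT uses to poll for operator commands and to push captured data.
POLL_METHODS = {"getUpdates"}
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendVoice", "sendAudio", "sendVideoNote"}

# Constructed proxy log: "<client> <verb> <url> <status>". Bot id and secret are fake.
SAMPLE_LOG = """\
10.20.1.15 GET https://api.telegram.org/bot1234567890:AAFconstructedFakeTokenNotReal01234/getUpdates 200
10.20.1.15 POST https://api.telegram.org/bot1234567890:AAFconstructedFakeTokenNotReal01234/sendDocument 200
10.20.1.22 GET https://web.telegram.org/k/ 200
10.20.1.15 GET https://api.telegram.org/bot1234567890:AAFconstructedFakeTokenNotReal01234/getUpdates 200
10.20.1.15 POST https://api.telegram.org/bot1234567890:AAFconstructedFakeTokenNotReal01234/sendPhoto 200
10.20.1.40 POST https://api.telegram.org/bot1234567890:AAFconstructedFakeTokenNotReal01234/sendMessage 200
"""


def redact(bot_id, secret):
    """Keep the bot id (a stable pivot) and only the tail of the secret for correlation."""
    return f"{bot_id}:{'*' * (len(secret) - 4)}{secret[-4:]}"


def parse_bot_calls(lines):
    """Return one record per Bot API request: client, bot id, redacted token, method."""
    calls = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        m = BOT_CALL.search(parts[2])
        if m:
            calls.append({"client": parts[0], "bot_id": m["bot_id"],
                          "token": redact(m["bot_id"], m["secret"]), "method": m["method"]})
    return calls


def summarize(calls):
    """Per client: bots contacted, method counts, and a C2 verdict.

    A host that both polls getUpdates (waiting for commands) and pushes files or
    media through the same bot behaves like a RAT, not like a notification bot
    that only calls sendMessage.
    """
    by_client = defaultdict(lambda: {"bot_ids": set(), "methods": Counter()})
    for c in calls:
        by_client[c["client"]]["bot_ids"].add(c["bot_id"])
        by_client[c["client"]]["methods"][c["method"]] += 1
    for info in by_client.values():
        methods = set(info["methods"])
        info["c2_like"] = bool(methods & POLL_METHODS) and bool(methods & UPLOAD_METHODS)
    return dict(by_client)


def bot_victims(calls, bot_id):
    """All clients seen talking to one bot id: the multi-victim view of a single campaign."""
    return sorted({c["client"] for c in calls if c["bot_id"] == bot_id})


if __name__ == "__main__":
    calls = parse_bot_calls(SAMPLE_LOG.splitlines())
    for client, info in summarize(calls).items():
        print(client, "C2-like" if info["c2_like"] else "-", dict(info["methods"]))
```

The bot id is the value worth keeping in a case file: it never changes for the life of the bot, so every host that ever called it can be found with `bot_victims`, while the redacted secret is enough to confirm two log sources saw the same token without copying a live credential into a ticket.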
The Decrypted Config
The RAT's configuration values are encrypted in the binary, but we extracted and decrypted all of them:
- Telegram bot token (full token for @Roberta3358_bot)
- Bot password (authentication for operator commands)
- FTP credentials (server, username, password for file exfiltration)
- Admin chat ID (the Telegram user who receives stolen data)
With the bot token, a defender could monitor the C2 channel, observe commands being sent, and potentially disrupt operations. With the FTP credentials, exfiltrated data could be inventoried to identify all victims.
Capabilities
MaQ RAT is full-featured:
- Keylogger -- captures all keystrokes
- Webcam capture -- takes photos from the victim's camera
- Screen recording -- records the desktop
- Voice recording -- activates the microphone
- File exfiltration -- uploads files via FTP
- Browser credential theft -- extracts saved passwords and cookies
- UAC bypass -- escalates to admin without prompting
- Windows Defender disable -- kills real-time protection
- Leader election -- when multiple victims are compromised, the RAT selects a "leader" for coordinated multi-victim management
The leader election mechanism is unusual. Most RATs treat each victim independently. MaQ RAT's ability to coordinate across victims suggests the operator manages campaigns, not individual infections.
The Active Victim
The C2 beacon log reveals one active victim:
- Username: Rst-d
- OS: Windows 11
- IP: 95[.]70[.]214[.]153
- ISP: TurkNet (Istanbul, Turkey)
A Turkish user compromised by a Turkish-language lure, controlled by a Turkish-speaking operator. The victim's machine was actively beaconing at the time of our investigation.
Infrastructure
| Component | Detail |
|---|---|
| C2 IP | 34[.]69[.]246[.]76 (Google Cloud, LIVE) |
| Telegram bot | @Roberta3358_bot |
| Exploit | CVE-2025-8088 (WinRAR ADS path traversal) |
| Payload | 76 MB PyInstaller Python 3.13 |
| FTP exfil | Credentials extracted from config |
| Victim | 95[.]70[.]214[.]153 (TurkNet, Istanbul) |
Detection
Four YARA rules and eight Suricata signatures covering the WinRAR ADS exploit pattern, the .NET downloader, the PyInstaller RAT, and the Telegram bot C2 communications are available on our GitHub:
A price quote that installs itself. A Telegram bot named Roberta. A 76 MB RAT that didn't exist on VirusTotal until we pulled it from the C2. Investigation conducted autonomously by GHOST -- Breakglass Intelligence.
h/t @smica83 for the sample.