Resoker RAT: First Report on a Telegram-Controlled Trojan With Every OPSEC Failure in the Book
TL;DR: Resoker is a previously unreported, custom-built Remote Access Trojan written in native C++ for 64-bit Windows that uses the Telegram Bot API as its sole command-and-control channel. Compiled just one day before analysis on March 9, 2026, the sample communicates through a bot named @soromonprrat_bot (display name: "ratt") using a hardcoded and still-active bot token. The operator left extraordinary OPSEC failures in the binary: a PDB debug path revealing the Windows username "tele7" and project directory in the Downloads folder, a distinctive "User-Agent: Resoker" HTTP header, a globally unique mutex name, and cleartext strings throughout. The RAT supports screenshot capture, file download, keylogging, Task Manager suppression, UAC manipulation, and registry-based persistence. This is the first known public analysis of the Resoker malware family -- no prior reporting exists in any public threat intelligence feed.
Background
Telegram-based RATs have proliferated over the past several years, exploiting the Telegram Bot API as a free, encrypted, and highly available command-and-control channel. The vast majority of these RATs are written in Python or .NET, making them relatively easy to analyze and detect. Resoker breaks from this pattern by being compiled as native C++ -- harder to decompile, less detectable by AV solutions optimized for managed code, and more capable of low-level system interaction.
Despite the native code implementation, the operator's operational security is remarkably poor. The sample contains enough identifying information to link it to a specific developer, a specific GitHub account, and potentially a specific individual. This report documents what happens when moderate technical skill meets minimal security awareness.
Key Findings
- Resoker does not appear in MalwareBazaar, ThreatFox, VirusTotal threat feeds, MITRE ATT&CK, Microsoft Defender encyclopedia, Kaspersky Threats, or any other public threat intelligence source. This is a first report.
- The hardcoded Telegram bot token (8679995457:AAHiI3UDWmJaj4etgI4fAZK_wo4KJfhXLWc) is live and responding as of March 10, 2026. The bot username is @soromonprrat_bot with display name "ratt."
- The PDB path C:\Users\tele7\Downloads\tgrat\resoker\x64\Release\resoker.pdb reveals the operator's Windows username ("tele7"), that the project was in their Downloads folder (suggesting downloaded or cloned source code), and the project hierarchy ("tgrat/resoker").
- The binary was compiled on March 9, 2026, at 06:35:34 UTC -- one day before analysis.
- Despite being native C++ (MSVC 14.44, Visual Studio 2022), the RAT delegates complex operations like screenshots and file downloads to PowerShell, suggesting the developer is more comfortable with scripting than C++ networking.
- The User-Agent string "Resoker" is used for all HTTP communication, creating a trivially detectable network fingerprint.
- A GitHub account matching the username "tele7" exists, created August 10, 2022, with a fork of the Sui blockchain project (MystenLabs/sui) indicating cryptocurrency interest.
Attack Chain
Delivery
The delivery mechanism for Resoker is unknown. Given the project's location in the developer's Downloads folder, the limited feature set, and the absence of builder/panel infrastructure, this is likely a personal tool or early-stage project not yet broadly distributed.
Execution Flow
1. Execution (resoker.exe)
|
+-- FreeConsole() -- Hide console window
+-- CreateMutexW() -- Global\ResokerSystemMutex (single instance)
+-- IsDebuggerPresent() -- Anti-debugging check
+-- AdjustTokenPrivileges() -- Acquire SeDebugPrivilege
|
+-- [Thread 1] Keylogger
| +-- SetWindowsHookExW() -- Low-level keyboard hook
| +-- GetAsyncKeyState() -- Backup polling
| +-- Output: resoker.log -- Timestamped keystroke log
|
+-- [Thread 2] Watchdog
| +-- Monitors bot thread -- Restarts on failure
|
+-- [Thread 3] Bot Polling
+-- getUpdates (timeout=5) -- Long-polling Telegram API
+-- Command dispatch -- /screenshot, /download, /block_taskmgr, etc.
+-- Process killing -- taskmgr.exe, procexp.exe, ProcessHacker.exe
Persistence
When the /startup command is issued, Resoker copies itself to a location and adds a registry run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run for automatic execution at user login.
Infrastructure Analysis
The Telegram C2 Model
Resoker uses the Telegram Bot API exclusively for command and control. There is no traditional server infrastructure to map.
| Component | Value | Status |
|---|---|---|
| C2 Protocol | Telegram Bot API (HTTPS) | LIVE |
| Bot Token | 8679995457:AAHiI3UDWmJaj4etgI4fAZK_wo4KJfhXLWc | ACTIVE |
| Bot Username | @soromonprrat_bot | ACTIVE |
| Bot Display Name | "ratt" | -- |
| Bot ID | 8679995457 | -- |
| Polling Method | getUpdates (long-polling, timeout=5) | -- |
| Pending Updates | 1 at time of check | -- |
The bot uses long-polling mode rather than webhooks. This is significant for defenders:
- No attacker server exposed: Unlike webhook mode, where Telegram pushes updates to an attacker-controlled URL, long-polling means the attacker's client fetches updates from Telegram's servers. There is no webhook URL to extract from the bot configuration.
- Attribution limitations: The only infrastructure identifier is the bot token itself. The attacker connects to api.telegram.org from their own network, but this connection is not observable to external analysts.
- Monitoring opportunity: Knowing the bot token allows monitoring of the bot's public information (username, display name, photo) and potentially detecting when the operator sends commands by observing updates (though the API restricts this to the token holder).
Developer Machine Profile
The PDB path and binary metadata reveal the developer's environment:
| Attribute | Value | Source |
|---|---|---|
| Windows Username | tele7 | PDB path |
| Project Path | C:\Users\tele7\Downloads\tgrat\resoker\ | PDB path |
| Build Configuration | x64 Release | PDB path |
| Compiler | MSVC 14.44 (Visual Studio 2022) | Linker version |
| Target OS | Windows 6.0+ (Vista/Server 2008) | PE header |
The fact that the project lives in Downloads\tgrat\resoker\ is telling. The "tgrat" parent directory suggests a collection of Telegram RAT projects, and the Downloads location suggests the code was downloaded (possibly from a tutorial, GitHub repository, or underground forum) rather than developed from scratch in a dedicated workspace.
GitHub Account
A GitHub account matching the username "tele7" exists:
| Attribute | Value |
|---|---|
| Profile URL | github.com/tele7 |
| Account Created | 2022-08-10 |
| Last Profile Update | 2023-03-09 |
| Notable Repository | Fork of MystenLabs/sui (Sui blockchain) |
The Sui blockchain fork indicates cryptocurrency interest, which could hint at the operator's motivation -- possibly developing RAT capabilities as a precursor to cryptocurrency theft, though this is speculative.
The three-year gap between the last GitHub activity (March 2023) and the Resoker compilation (March 2026) suggests either the operator uses other platforms for development or has been inactive on this account.
Malware Analysis
Binary Profile
| Attribute | Value |
|---|---|
| SHA256 | 7d09d90d62933d39fed10886140559fea3bfc5720375d6053245da24c9d713e9 |
| MD5 | 7a1d6c969e34ea61b2ea7a714a56d143 |
| File Type | PE32+ executable (GUI) x86-64 |
| Size | ~77 KB |
| Compilation | 2026-03-09T06:35:34 UTC |
| Compiler | MSVC 14.44 (Visual Studio 2022) |
| Subsystem | Windows GUI |
| Entry Point | 0x14000a2b8 |
| Packing | None |
The binary is compact at approximately 77 KB, with no packing or obfuscation. Section entropy ranges from 2.22 to 6.14 -- all within normal ranges, confirming the absence of runtime decryption or unpacking routines. The manifest requests asInvoker execution level, meaning it does not auto-elevate and must use the /elevate command to request administrator privileges via UAC.
PE Section Layout
| Section | Raw Size | Entropy | Purpose |
|---|---|---|---|
| .text | 43,008 | 6.14 | Executable code |
| .rdata | 30,208 | 5.42 | Read-only data, strings, imports |
| .data | 1,024 | 3.14 | Initialized data |
| .pdata | 2,560 | 4.08 | Exception handling |
| .rsrc | 512 | 4.71 | Resources (manifest only) |
| .reloc | 512 | 2.22 | Relocations |
Import Analysis
The import table provides a clear map of Resoker's capabilities:
KERNEL32.dll (34 imports) -- Core Operations: Process enumeration via CreateToolhelp32Snapshot/Process32FirstW/Process32NextW enables the RAT to find and kill analysis tools. CreateThread supports the multi-threaded architecture (keylogger, bot polling, and watchdog threads). CopyFileA and GetModuleFileNameA handle self-copying for persistence. CreateMutexW enforces single-instance execution. FreeConsole hides the console window. IsDebuggerPresent provides basic anti-debugging.
USER32.dll (11 imports) -- Keylogger and UI: SetWindowsHookExW installs the low-level keyboard hook, while GetAsyncKeyState provides polling-based key detection as a backup mechanism. RegisterClassW and CreateWindowExW create the hidden message window (class name: ResokerHiddenClass) needed for the keyboard hook's message pump.
ADVAPI32.dll (8 imports) -- Privilege and Registry: AdjustTokenPrivileges/OpenProcessToken/LookupPrivilegeValueW handle SeDebugPrivilege acquisition for cross-process operations. RegOpenKeyExA/RegSetValueExA/RegQueryValueExA/RegCloseKey handle persistence (Run key) and Task Manager/UAC suppression through registry manipulation.
WININET.dll (4 imports) -- HTTP Communication: InternetOpenA (which sets the distinctive "Resoker" User-Agent), InternetOpenUrlA, InternetReadFile, and InternetCloseHandle handle all HTTP communication with the Telegram Bot API.
SHELL32.dll (1 import): ShellExecuteExA with the "runas" verb handles UAC elevation requests.
Command Set
| Command | Function | Implementation |
|---|---|---|
| /screenshot | Capture full screen | PowerShell: System.Windows.Forms screenshot, sent via /sendPhoto |
| /download [URL] [name] | Download file to victim | PowerShell: WebClient.DownloadFile |
| /block_taskmgr | Disable Task Manager | Registry: DisableTaskMgr = 1 |
| /unblock_taskmgr | Re-enable Task Manager | Registry: DisableTaskMgr = 0 |
| /startup | Add persistence | Registry: CurrentVersion\Run |
| /uac_min | Disable UAC prompts | Registry: ConsentPromptBehaviorAdmin=0, PromptOnSecureDesktop=0 |
| /uac_max | Restore UAC maximum | Registry: ConsentPromptBehaviorAdmin=2, PromptOnSecureDesktop=1 |
| /elevate | Request admin rights | ShellExecuteExA with "runas" verb |
| /help | Display command list | Returns formatted help text |
The command set is functional but limited compared to commercial RATs. Notably absent are: credential harvesting, browser data theft, cryptocurrency wallet stealing, file exfiltration, reverse shell, webcam/microphone capture, and clipboard monitoring. This suggests Resoker is either early in development or designed for targeted surveillance rather than mass data theft.
Keylogger Implementation
The keylogger runs in a dedicated thread using two complementary capture methods:
- SetWindowsHookExW: Installs a low-level keyboard hook (WH_KEYBOARD_LL) that intercepts keystrokes system-wide, including in elevated applications if SeDebugPrivilege has been acquired.
- GetAsyncKeyState: Provides polling-based key state detection as a fallback mechanism for situations where the hook may not trigger.
Keystrokes are logged to resoker.log with timestamps in %Y-%m-%d %H:%M:%S format. The log file is written locally and is not automatically exfiltrated -- the operator would need to use the /screenshot command to view the log file or implement additional exfiltration manually.
Communication Protocol
The Telegram Bot API communication follows a straightforward pattern:
- Initialization: InternetOpenA("Resoker", ...) sets up WININET with the distinctive User-Agent
- Polling: HTTP GET to https://api.telegram.org/bot<TOKEN>/getUpdates?offset=<N>&timeout=5
- Parsing: Manual string searching for the "update_id":, "chat":{"id":, and "text":" fields -- no JSON library is used
- Authorization: The sender's chat ID is compared against an authorized operator ID
- Text response: POST to /sendMessage with chat_id and parse_mode=HTML
- File upload: POST to /sendPhoto with multipart form data (delegated to PowerShell)
The manual JSON parsing (searching for specific string patterns rather than using a JSON library like nlohmann/json or RapidJSON) is characteristic of a developer with moderate but not expert C++ skills. It works for the simple response structures returned by the Telegram Bot API but would break on unexpected field ordering or nested structures.
Anti-Analysis Features
| Technique | Implementation | Effectiveness |
|---|---|---|
| Console hiding | FreeConsole() + hidden window class | LOW -- trivially detectable by other means |
| Anti-debug | IsDebuggerPresent() | LOW -- trivially bypassed |
| Process killing | Terminates taskmgr.exe, procexp.exe, ProcessHacker.exe | MEDIUM -- annoying but not comprehensive |
| Privilege escalation | SeDebugPrivilege token adjustment | MEDIUM -- enables cross-process operations |
| UAC bypass | Registry-based UAC silencing | MEDIUM -- requires admin rights to set |
| Watchdog | Automatic bot thread restart | MEDIUM -- provides resilience against transient failures |
| Single instance | Global\ResokerSystemMutex | LOW -- prevents multiple copies but reveals presence |
The anti-analysis capabilities are basic. There is no sandbox detection, no timing checks, no virtual machine detection, no thread injection, and no process hollowing. The IsDebuggerPresent check is the most elementary anti-debugging technique available and is bypassed by virtually every analysis environment.
PowerShell Delegation
A notable architectural decision is the delegation of screenshot capture and file downloads to PowerShell rather than implementing them through native C++ APIs:
- Screenshots: powershell -WindowStyle Hidden -Command "[System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); ..." rather than using GDI+ or Direct3D capture
- File downloads: powershell -WindowStyle Hidden -Command "(New-Object Net.WebClient).DownloadFile(...)" rather than using WININET (which is already imported)
This suggests the developer is more fluent in PowerShell than in C++ networking, which raises the question of why native C++ was chosen at all. The likely answer is that C++ provides better AV evasion for the core RAT binary, while PowerShell handles tasks the developer found difficult to implement natively.
Threat Actor Profile
Attribution Assessment
Confidence: LOW
| Evidence | Implication |
|---|---|
| PDB username: tele7 | Developer's Windows account |
| GitHub: github.com/tele7 | Matching account (created 2022) |
| GitHub interest: Sui fork | Cryptocurrency interest |
| Bot name: soromonprrat_bot | Personal name pattern "soromonpr" + "rat" |
| Project in Downloads | Downloaded/studied source, then customized |
| PowerShell delegation | Scripter learning C++ |
| No builder/panel | Personal tool, not commercial |
| OPSEC failures | Inexperienced in operational security |
The profile that emerges is an individual with moderate programming skills (comfortable with PowerShell, learning C++), interest in cryptocurrency, and minimal operational security awareness. The project appears to be a personal tool or learning exercise rather than a commercial product. The "soromonpr" portion of the bot name may be a personal name or alias, but it does not match any known language pattern with high confidence.
OPSEC Failure Catalog
The number and severity of the OPSEC failures in this sample are extraordinary:
| # | Failure | Severity | Detection Value |
|---|---|---|---|
| 1 | Hardcoded active Telegram bot token | CRITICAL | Full C2 channel identified and monitorable |
| 2 | PDB debug path with Windows username | HIGH | Operator machine username "tele7" |
| 3 | Project path in Downloads folder | MEDIUM | Indicates downloaded source code |
| 4 | Distinctive User-Agent "Resoker" | HIGH | Unique, trivially detectable network fingerprint |
| 5 | Unique mutex Global\ResokerSystemMutex | HIGH | Unique host-based detection indicator |
| 6 | Unique window class ResokerHiddenClass | MEDIUM | Additional host-based indicator |
| 7 | Bot display name "ratt" | LOW | Explicitly confirms malicious intent |
| 8 | Cleartext status strings with emojis | MEDIUM | Easy triage and classification |
| 9 | No obfuscation or packing whatsoever | MEDIUM | Full static analysis without unpacking |
Any single one of these would be a significant mistake. Together, they make Resoker one of the most attributable malware samples we have analyzed.
Detection Guidance
YARA Rule Summary
Detection rules should target the constellation of unique indicators:
- String-based detection: The mutex name "Global\ResokerSystemMutex", window class "ResokerHiddenClass", User-Agent "Resoker", and PDB path pattern "tgrat\resoker" provide multiple high-confidence detection points.
- Behavioral patterns: The combination of SetWindowsHookExW import with InternetOpenUrlA import and DisableTaskMgr registry string.
- Telegram Bot API patterns: The bot token format and API URL patterns.
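As an added example (the editor's code, not from the report or the Breakglass analysts), the string constellation above turned into a scoring triage in Python. The indicator strings come from the report; the weights, verdict thresholds and the bot-token shape regex are assumptions, and the input is a constructed byte image that imitates how a PE would store these strings, not the real sample.

```python
import re

# Indicators quoted in the report (ASCII). CreateMutexW and RegisterClassW take
# wide strings, so each is also checked in UTF-16LE. Weights are assumptions.
INDICATORS = {
    "mutex":        (b"Global\\ResokerSystemMutex", 3),
    "window_class": (b"ResokerHiddenClass", 2),
    "pdb_path":     (b"tgrat\\resoker", 2),
    "taskmgr_key":  (b"DisableTaskMgr", 1),
}
# Standalone "Resoker" (the User-Agent), not the one embedded in the mutex
# or window class names above.
USER_AGENT_RE = re.compile(rb"(?<![A-Za-z])Resoker(?![A-Za-z])")
# Telegram bot token inside an API path: "bot<numeric id>:<35-char secret>".
# The length pattern is an assumption drawn from the token in the report.
BOT_TOKEN_RE = re.compile(rb"bot\d{8,10}:[A-Za-z0-9_-]{35}")
# Import pair the report names as a behavioural combination.
HOOK_IMPORT, HTTP_IMPORT = b"SetWindowsHookExW", b"InternetOpenUrlA"


def _present(buf: bytes, needle: bytes) -> bool:
    """True if needle occurs as ASCII or as UTF-16LE (wide) in buf."""
    wide = needle.decode("ascii").encode("utf-16-le")
    return needle in buf or wide in buf


def triage(buf: bytes) -> dict:
    """Score a file image against the Resoker indicator constellation."""
    hits, score = {}, 0
    for name, (needle, weight) in INDICATORS.items():
        if _present(buf, needle):
            hits[name] = weight
            score += weight
    if USER_AGENT_RE.search(buf):
        hits["user_agent"] = 2
        score += 2
    if BOT_TOKEN_RE.search(buf):
        hits["bot_token"] = 3
        score += 3
    # Behavioural pairing: keyboard hook + WinINet fetch + Task Manager policy.
    if (HOOK_IMPORT in buf and HTTP_IMPORT in buf
            and _present(buf, b"DisableTaskMgr")):
        hits["hook_http_taskmgr"] = 2
        score += 2
    verdict = "resoker" if score >= 6 else "suspicious" if score >= 2 else "clean"
    return {"score": score, "hits": hits, "verdict": verdict}


# Constructed stand-in for a binary image (not the real sample): the report's
# strings laid out as a PE would store them, with the token replaced by a
# placeholder of the same shape.
CONSTRUCTED_IMAGE = (
    b"MZ\x90\x00" + b"\x00" * 64
    + b"SetWindowsHookExW\x00InternetOpenUrlA\x00InternetOpenA\x00"
    + b"Resoker\x00"                                   # User-Agent string
    + "Global\\ResokerSystemMutex".encode("utf-16-le") + b"\x00\x00"
    + "ResokerHiddenClass".encode("utf-16-le") + b"\x00\x00"
    + b"https://api.telegram.org/bot0000000000:"
    + b"PLACEHOLDERPLACEHOLDERPLACEHOLDER00/getUpdates\x00"
    + b"DisableTaskMgr\x00"
    + b"C:\\Users\\tele7\\Downloads\\tgrat\\resoker\\x64\\Release\\resoker.pdb\x00"
)
BENIGN_IMAGE = b"MZ\x90\x00" + b"\x00" * 64 + b"kernel32.dll\x00CreateFileW\x00"

if __name__ == "__main__":
    for label, img in (("constructed", CONSTRUCTED_IMAGE), ("benign", BENIGN_IMAGE)):
        print(label, triage(img))
```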
Suricata Rule Summary
Network detection is straightforward:
- User-Agent matching: Any HTTP request with User-Agent: Resoker is a high-confidence indicator.
- Telegram Bot API traffic: HTTPS connections to api.telegram.org with the specific bot token in the URL path.
- PowerShell download patterns: PowerShell-initiated downloads following Telegram API polling traffic.
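An added example, not from the report: the three network checks above applied in Python to constructed proxy log lines. It assumes a TLS-inspecting proxy that logs full URLs (without inspection only the api.telegram.org SNI is visible), an assumed log line format, the WindowsPowerShell/ fragment of the WebClient User-Agent, and a 60-second correlation window.

```python
import re
from datetime import datetime, timezone

# Constructed proxy log (not real traffic). Assumed line format:
#   <ISO time> <client ip> <method> <url> <status> "<user-agent>"
# The Telegram token in the URL is a placeholder shaped like a real one.
SAMPLE_LOG = """\
2026-03-10T09:00:01Z 10.0.0.5 GET https://api.telegram.org/bot0000000000:PLACEHOLDERPLACEHOLDERPLACEHOLDER00/getUpdates?offset=1&timeout=5 200 "Resoker"
2026-03-10T09:00:07Z 10.0.0.5 GET https://api.telegram.org/bot0000000000:PLACEHOLDERPLACEHOLDERPLACEHOLDER00/getUpdates?offset=2&timeout=5 200 "Resoker"
2026-03-10T09:00:09Z 10.0.0.5 GET https://files.example.test/tool.bin 200 "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"
2026-03-10T09:00:12Z 10.0.0.8 GET https://www.example.test/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/123.0"
2026-03-10T09:05:00Z 10.0.0.9 GET https://files.example.test/update.zip 200 "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')
# Bot API path "bot<numeric id>:<35-char secret>/"; shape taken from the report's token.
BOT_PATH_RE = re.compile(r"https://api\.telegram\.org/bot\d{8,10}:[A-Za-z0-9_-]{35}/")
POWERSHELL_UA = "WindowsPowerShell/"   # System.Net.WebClient default UA fragment
CORRELATION_WINDOW_S = 60              # assumption: fetch within 60 s of polling


def parse(line: str):
    """Return an event dict for a well-formed line, None otherwise."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts, src, method, url, status, ua = m.groups()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": when, "src": src, "method": method, "url": url,
            "status": int(status), "ua": ua}


def detect(log_text: str):
    """Run the three checks; return sorted (severity, rule, client ip, count)."""
    hits = {}
    last_poll = {}   # client ip -> time of its latest Telegram bot request

    def add(sev, rule, src):
        hits[(sev, rule, src)] = hits.get((sev, rule, src), 0) + 1

    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        if ev["ua"] == "Resoker":
            add("HIGH", "resoker_user_agent", ev["src"])
        if BOT_PATH_RE.search(ev["url"]):
            add("MEDIUM", "telegram_bot_api_client", ev["src"])
            last_poll[ev["src"]] = ev["ts"]
        elif POWERSHELL_UA in ev["ua"] and ev["src"] in last_poll:
            # PowerShell fetch shortly after bot polling from the same client
            delta = (ev["ts"] - last_poll[ev["src"]]).total_seconds()
            if 0 <= delta <= CORRELATION_WINDOW_S:
                add("MEDIUM", "powershell_download_after_bot_polling", ev["src"])
    return sorted((sev, rule, src, n) for (sev, rule, src), n in hits.items())


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

The host 10.0.0.9 fetching with PowerShell without preceding bot polling produces no alert, which keeps the correlation rule quiet on ordinary scripted downloads.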
Endpoint Detection
- Mutex: Search for Global\ResokerSystemMutex in handle tables
- Registry: Monitor for DisableTaskMgr and ConsentPromptBehaviorAdmin modifications
- Files: Search for resoker.exe and resoker.log on disk
- Window class: Search for windows with class name ResokerHiddenClass
- Process tree: PowerShell child processes spawned by an unknown parent with the GUI subsystem
- Registry Run key: New entries in HKCU\Software\Microsoft\Windows\CurrentVersion\Run referencing resoker
Telegram Bot Monitoring
The active bot token provides a unique monitoring opportunity. While the Telegram Bot API restricts getUpdates to the token holder, the /getMe endpoint is accessible and can be monitored for changes to the bot profile. Additionally, the bot can be reported to Telegram for abuse, which may result in token revocation and C2 disruption.
IOCs (Defanged)
Network Indicators
# C2 Endpoint
api[.]telegram[.]org
# Bot API Base URL
hxxps://api[.]telegram[.]org/bot8679995457:AAHiI3UDWmJaj4etgI4fAZK_wo4KJfhXLWc/
# Bot Identifiers
Bot Username: @soromonprrat_bot
Bot ID: 8679995457
Bot Display Name: ratt
# HTTP Header
User-Agent: Resoker
File Indicators
SHA256: 7d09d90d62933d39fed10886140559fea3bfc5720375d6053245da24c9d713e9
MD5: 7a1d6c969e34ea61b2ea7a714a56d143
Filenames:
resoker.exe -- Installed binary
resoker.log -- Keylogger output
Behavioral Indicators
Mutex: Global\ResokerSystemMutex
Window Class: ResokerHiddenClass
PDB Path: C:\Users\tele7\Downloads\tgrat\resoker\x64\Release\resoker.pdb
Registry Keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run -- Persistence
HKCU\...\Policies\Microsoft\Windows\System\DisableTaskMgr -- Task Manager suppression
HKLM\...\Policies\System\ConsentPromptBehaviorAdmin -- UAC manipulation
HKLM\...\Policies\System\PromptOnSecureDesktop -- UAC manipulation
Privilege: SeDebugPrivilege
Killed Processes: taskmgr.exe, procexp.exe, ProcessHacker.exe
Developer Indicators
Windows Username: tele7
GitHub Account: github.com/tele7 (created 2022-08-10)
GitHub Interest: MystenLabs/sui fork (Sui blockchain)
Bot Name Pattern: soromonprrat (possible personal name + "rat")
MITRE ATT&CK Mapping
| Tactic | Technique | ID |
|---|---|---|
| Execution | PowerShell | T1059.001 |
| Execution | Native API | T1106 |
| Persistence | Registry Run Keys | T1547.001 |
| Privilege Escalation | Bypass UAC | T1548.002 |
| Defense Evasion | Disable or Modify Tools | T1562.001 |
| Defense Evasion | Hidden Window | T1564.003 |
| Defense Evasion | Debugger Evasion | T1622 |
| Credential Access | Keylogging | T1056.001 |
| Discovery | Process Discovery | T1057 |
| Collection | Screen Capture | T1113 |
| Command and Control | Web Protocols | T1071.001 |
| Command and Control | Bidirectional Communication | T1102.002 |
| Exfiltration | Over C2 Channel | T1041 |
Recommended Actions
Immediate (24-48 hours):
- Deploy YARA and Suricata detection rules into EDR/IDS/IPS
- Hunt for User-Agent "Resoker" in proxy logs and SIEM
- Search endpoints for Global\ResokerSystemMutex via EDR handle enumeration
- Report the bot token to Telegram abuse for takedown (@soromonprrat_bot, bot ID 8679995457)
- Alert on DisableTaskMgr and ConsentPromptBehaviorAdmin registry writes
Short-term (1-2 weeks):
- Submit the sample to MalwareBazaar with tags: Resoker, TelegramRAT, keylogger
- Submit the bot token URL to ThreatFox as a C2 indicator
- Monitor for variants sharing the same PDB path pattern or mutex name
Medium-term (1-3 months):
- Monitor the Telegram bot getUpdates endpoint (if token remains active) for operator activity patterns
- Track for Resoker samples with updated tokens, added obfuscation, or expanded capabilities
- Publish IOCs to MISP, OTX, and community threat feeds
- Monitor the tele7 GitHub account for new activity or repository creation
Conclusion
Resoker is not a sophisticated threat. It lacks the capabilities of commercial RATs, the obfuscation of advanced malware, and the operational security of experienced threat actors. What makes it noteworthy is that it is the first documented instance of this malware family, that it uses native C++ in a landscape dominated by managed-code Telegram RATs, and that its extraordinary number of OPSEC failures provides a case study in what not to do when building malware.
For defenders, Resoker is a gift: a unique User-Agent, a unique mutex, a unique window class, an active bot token, a PDB path with a username, and zero obfuscation. Detection is trivial. The primary risk is that the developer learns from these mistakes and produces a more evasive second version -- which is why documenting and sharing these indicators now, while the tool is young, is critical.
References
- AlienVault OTX: File indicator 7a1d6c969e34ea61b2ea7a714a56d143
- Telegram Bot API documentation
- PT Security: TgRAT analysis (precedent for Telegram-based C2)
- MITRE ATT&CK: T1102.002 (Bidirectional Communication via Web Service)
- GitHub: tele7 user profile
Published by Breakglass Intelligence -- intel.breakglass.tech
Investigation conducted 2026-03-10