ZynorRAT Exploits Windows and Linux Systems to Gain Remote Access


During a recent threat hunting exercise, the Sysdig Threat Research Team (TRT) identified a new sample dubbed ZynorRAT.

This Go-based Remote Access Trojan (RAT) delivers a comprehensive suite of custom command-and-control (C2) capabilities for both Linux and Windows systems.

First uploaded to VirusTotal on July 8, 2025, ZynorRAT exhibits no significant overlap with known malware families, and multiple reuploads demonstrate the developer’s ongoing efforts to reduce its detection rate.

Leveraging Telegram as its C2 backbone, the malware’s streamlined management and automation suggest a planned transition to underground sales.

Based on analysis of Telegram channels, network logs, reverse-engineered strings, and VirusTotal telemetry, TRT attributes ZynorRAT’s origin to a Turkish developer.

ZynorRAT’s debut on VirusTotal under the filename “zynor” yielded detections by 22 of 66 security vendors.

A subsequent upload two days later saw detections drop to 16 of 66, underscoring active refinement by its author.

Its Linux variant compiles into an ELF 64-bit x86-64 executable of nearly 10 MB, retaining symbols and artifacts in clear text, which facilitated deep reverse engineering via radare2.

Seven distinct Linux samples shared identical functions and logic, confirming a stable feature set.

Upon deployment, ZynorRAT establishes a C2 link through a Telegram bot named “lraterrorsbot.”

All attacker instructions flow through the Telegram API, allowing ZynorRAT to support file exfiltration, system enumeration, screenshot capture, systemd-based persistence, and arbitrary shell command execution.

Directory listings are handled by the handleListDirectory function, which dynamically builds newline-delimited strings for transmission.

The handleMetrics function profiles victim machines by querying “api.ipify.org” for public IP, enumerating hostname and user, and forwarding details to the Telegram bot.

Process enumeration relies on invoking ps via Go’s os/exec package and combining the output into C2 messages.

File exfiltration is achieved through a multipart HTTP request in main.sendDocument, which streams the file bytes to Telegram.

Screenshot functionality leverages the open-source kbinani/screenshot library to capture display content, encode it as PNG, and transmit it via Telegram.
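The artifacts listed above (ELF header, Telegram Bot API strings, the api.ipify.org lookup, the kbinani/screenshot import path and the unstripped Go function symbols) are exactly what a static triage check can key on. The following is an added example written for this article; it is not Sysdig's MAL_ZYNOR rule and not code from the RAT. The indicator strings come from the article's description, the scoring threshold is an arbitrary choice for the example, and the sample blob is constructed so the script runs offline.

```python
"""Static triage for ZynorRAT-style Go ELF binaries (added example)."""
from dataclasses import dataclass, field

ELF_MAGIC = b"\x7fELF"

# Indicator strings taken from the article's description of the sample.
INDICATORS = {
    "telegram_api": b"api.telegram.org",
    "ipify_lookup": b"api.ipify.org",
    "screenshot_lib": b"kbinani/screenshot",
    "systemd_user_dir": b".config/systemd/user",
    "bash_c_prefix": b"bash -c",
}

# Go symbols the article names; they survive because the binary is not stripped.
GO_SYMBOLS = [
    b"main.handleListDirectory",
    b"main.handleMetrics",
    b"main.sendDocument",
    b"main.handleShellCommand",
]


@dataclass
class TriageResult:
    is_elf: bool
    is_go: bool
    hits: list = field(default_factory=list)
    symbols: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.hits) + len(self.symbols)

    @property
    def verdict(self) -> str:
        # Threshold chosen for this example: ELF + Telegram API + at least two more artifacts.
        if self.is_elf and "telegram_api" in self.hits and self.score >= 4:
            return "likely_zynorrat"
        if self.hits or self.symbols:
            return "suspicious"
        return "clean"


def triage(data: bytes) -> TriageResult:
    """Scan raw file bytes for the article's static indicators."""
    result = TriageResult(
        is_elf=data.startswith(ELF_MAGIC),
        # Unstripped Go binaries carry a build-ID note and the runtime.main symbol.
        is_go=b"Go build ID" in data or b"runtime.main" in data,
    )
    for name, needle in INDICATORS.items():
        if needle in data:
            result.hits.append(name)
    for sym in GO_SYMBOLS:
        if sym in data:
            result.symbols.append(sym.decode())
    return result


def triage_file(path: str) -> TriageResult:
    """Convenience wrapper: triage a file on disk."""
    with open(path, "rb") as fh:
        return triage(fh.read())


# Constructed sample: a fake ELF blob carrying the same strings, for offline runs.
# "<TOKEN>" is a placeholder, not a real bot token.
SAMPLE_BLOB = (
    ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9
    + b"Go build ID: \"constructed\"\x00"
    + b"https://api.telegram.org/bot<TOKEN>/sendDocument\x00"
    + b"https://api.ipify.org\x00"
    + b"github.com/kbinani/screenshot\x00"
    + b"main.handleMetrics\x00main.sendDocument\x00main.handleShellCommand\x00"
)

if __name__ == "__main__":
    r = triage(SAMPLE_BLOB)
    print(r.verdict, r.hits, r.symbols)
```

Because the author reuploads to trim detections, a rule keyed only on one string will age quickly; scoring several independent artifacts (symbols, library paths, persistence directory) keeps a single renamed function from clearing the verdict.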

The executable zynor is still hosted on the website at the time of this writing.


Arbitrary commands default to shell execution under handleShellCommand, prefixing inputs with bash -c when unrecognized.

The Windows iteration of ZynorRAT compiles into a Windows executable but retains Linux-only persistence logic, including systemd service creation in ~/.config/systemd/user.

This anomaly indicates the Windows build remains under development, suggesting the author prioritized detection evasion testing over cross-platform completeness.

Despite this, the Windows binary still embeds the full suite of C2 functions, awaiting adaptation for Windows persistence mechanisms.
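Since the persistence path the article describes is a user-level systemd service under ~/.config/systemd/user, an auditor that parses each unit there and flags RAT-like traits is a practical detection. The following is an added example, not Sysdig's detection content and not the RAT's own unit file: the "trusted" binary prefixes and the two sample units are constructed assumptions for the example.

```python
"""Audit systemd user units for RAT-style persistence (added example)."""
import configparser
from pathlib import Path

# Assumption for this example: binaries a user service should normally launch live here.
TRUSTED_PREFIXES = ("/usr/bin/", "/usr/local/bin/", "/bin/", "/usr/lib/",
                    "/usr/libexec/", "/opt/")
TEMP_PREFIXES = ("/tmp/", "/dev/shm/", "/var/tmp/")


def parse_unit(text: str) -> dict:
    """Parse a unit file; systemd units are INI-like but allow repeated keys."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # keep key case (ExecStart, not execstart)
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def audit_unit(text: str, unit_name: str = "<inline>") -> list:
    """Return human-readable findings for one unit file."""
    findings = []
    unit = parse_unit(text)
    service = unit.get("Service", {})
    exec_start = service.get("ExecStart", "").strip()
    # Drop the optional '-', '@', '+', ':' and '!' prefixes systemd allows before the path.
    binary = exec_start.split()[0].lstrip("-@+:!") if exec_start else ""
    if not binary:
        findings.append(f"{unit_name}: no ExecStart")
    elif not binary.startswith(TRUSTED_PREFIXES):
        findings.append(f"{unit_name}: ExecStart outside trusted dirs: {binary}")
    if any(part.startswith(".") for part in Path(binary).parts):
        findings.append(f"{unit_name}: binary lives under a hidden directory: {binary}")
    if binary.startswith(TEMP_PREFIXES):
        findings.append(f"{unit_name}: binary in a temp dir: {binary}")
    if service.get("Restart", "no").lower() in ("always", "on-failure"):
        findings.append(f"{unit_name}: unconditional auto-restart set")
    if not unit.get("Unit", {}).get("Description"):
        findings.append(f"{unit_name}: missing Description")
    return findings


def audit_user_units(base: Path = Path.home() / ".config/systemd/user") -> dict:
    """Audit every *.service under a user's unit directory; {unit name: findings}."""
    report = {}
    if not base.is_dir():
        return report
    for svc in sorted(base.glob("*.service")):
        report[svc.name] = audit_unit(svc.read_text(errors="replace"), svc.name)
    return report


# Constructed units for offline runs (neither is ZynorRAT's real unit file).
BENIGN_UNIT = """[Unit]
Description=Sync mail
[Service]
ExecStart=/usr/bin/mbsync -a
[Install]
WantedBy=default.target
"""

SUSPECT_UNIT = """[Unit]
Description=
[Service]
ExecStart=/home/user/.cache/.zynor
Restart=always
[Install]
WantedBy=default.target
"""

if __name__ == "__main__":
    for name, unit in (("mail.service", BENIGN_UNIT), ("zynor.service", SUSPECT_UNIT)):
        print(name, audit_unit(unit, name) or ["ok"])
    print(audit_user_units())
```

Run it from a scheduled job or a file-integrity hook on the unit directory so a newly dropped service is reviewed at creation time rather than discovered later; pair it with a baseline of the units each user is expected to have.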

Attribution

Telegram channel monitoring, conducted via long-polling scripts and Tosint extraction, revealed developer interactions and repeated use of the name “halil” in code artifacts and screenshots.

Many screenshots, plausibly taken on the attacker’s own test machines, show the attacker compiling and running the RAT in VSCode with the go run command.


These findings support the hypothesis of a single Turkish actor aiming to polish and monetize ZynorRAT.

Network logs extracted over ten days yielded numerous IP addresses, many belonging to major cloud providers such as Google (AS396982) and Amazon (AS16509), suggesting initial tests on ephemeral cloud instances rather than genuine victims.

Turkish ISPs like Turkcell (AS16135) also appeared, though attribution to test infrastructure or victimology remains uncertain.

Mitigations

Sysdig Secure customers benefit from existing runtime detections, including runtime events that flag suspicious DNS lookups and a Yara rule, MAL_ZYNOR, targeting ELF headers and Telegram API strings.

Recommended defenses include enforcing strict outbound DNS and HTTP controls, monitoring creation of atypical systemd user services, and deploying the provided Yara rule to detect ZynorRAT binaries.
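The first recommendation, strict outbound DNS and HTTP controls, is easiest to operationalize as a log detection: the article notes that the implant resolves api.ipify.org to learn its public IP and reaches the Telegram Bot API for everything else, so either lookup from a server that has no business with those services is worth an alert, and the pair from one host in a short window is a strong signal. The detector below is an added example written for this article, not Sysdig's runtime rule. Its log format (timestamp, client IP, query name) and the sample lines are constructed, and the five-minute pairing window and the allowlist are assumptions.

```python
"""Detect the DNS footprint of a Telegram-C2 RAT from resolver logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Domains the article associates with ZynorRAT's C2 and enumeration traffic.
C2_DOMAINS = {
    "api.telegram.org": "telegram_bot_api",
    "api.ipify.org": "public_ip_lookup",
}
PAIR_WINDOW = timedelta(minutes=5)  # assumption for this example


def parse_line(line: str):
    """Parse 'ISO-timestamp client-ip qname' (constructed log format for this example)."""
    ts, client, qname = line.split()
    return datetime.fromisoformat(ts), client, qname.rstrip(".").lower()


def detect(lines, allowlist=frozenset()):
    """Return {client: [alerts]} for hosts resolving C2-associated domains.

    allowlist holds client IPs sanctioned to use Telegram (e.g. an alerting bot).
    """
    seen = defaultdict(list)  # client -> [(timestamp, tag)]
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, client, qname = parse_line(line)
        if client in allowlist or qname not in C2_DOMAINS:
            continue
        seen[client].append((ts, C2_DOMAINS[qname]))

    alerts = {}
    for client, events in seen.items():
        events.sort()
        out = [f"{tag} lookup at {ts.isoformat()}" for ts, tag in events]
        latest = {tag: ts for ts, tag in events}  # last timestamp per tag
        # handleMetrics behaviour: ipify lookup and Telegram traffic from the same host.
        if {"telegram_bot_api", "public_ip_lookup"} <= latest.keys():
            first, last = min(latest.values()), max(latest.values())
            if last - first <= PAIR_WINDOW:
                out.append("HIGH: ipify + telegram from same host within window")
        alerts[client] = out
    return alerts


# Constructed resolver log for offline runs.
SAMPLE_LOG = """
2025-07-08T10:00:01 10.0.0.5 api.ipify.org.
2025-07-08T10:00:02 10.0.0.5 api.telegram.org.
2025-07-08T10:00:05 10.0.0.9 www.example.com.
2025-07-08T11:30:00 10.0.0.7 api.telegram.org.
2025-07-08T10:00:03 10.0.0.12 api.telegram.org.
""".strip().splitlines()

if __name__ == "__main__":
    for client, findings in detect(SAMPLE_LOG, allowlist=frozenset({"10.0.0.12"})).items():
        print(client, findings)
```

On a fleet where egress is already restricted, the same two domains belong on the deny list at the proxy or firewall; the detector then catches the resolution attempts that precede blocked connections, which is the earliest point at which a fresh upload of the implant becomes visible.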

Although RATs are ubiquitous in the threat landscape, ZynorRAT’s fully custom Go implementation and Telegram-based C2 sophistication underscore the evolving capabilities of emerging malware.

Given the high-confidence assessment that this tool will soon enter underground markets, organizations must prioritize runtime threat detection and rapid incident response to counter threats targeting both Linux and Windows environments.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.