A new ResokeRAT malware campaign is using Telegram as command and control infrastructure to steal credentials and maintain persistence. This technical analysis explains how the attack works and what organizations must do now.
Introduction
Cybercriminals are increasingly shifting away from traditional command and control infrastructure and instead leveraging trusted platforms to operate in plain sight. One platform that has become central to this evolution is Telegram.
The emergence of ResokeRAT, a Telegram-based remote access trojan, highlights how attackers are abusing legitimate services to simplify operations, evade detection, and scale attacks rapidly.
Rather than building complex infrastructure, attackers now rely on Telegram bots and APIs to control infected systems and exfiltrate data, making these campaigns more resilient and harder to disrupt.
What Happened
Security researchers uncovered a new malware campaign deploying ResokeRAT, a remote access trojan that uses Telegram as its primary communication channel.
The malware is distributed through typical infection vectors such as:
Phishing emails
Malicious downloads
Trojanized software installers
Once executed, ResokeRAT establishes communication with attacker-controlled Telegram bots, allowing operators to:
Send commands to infected machines
Receive stolen data in real time
Maintain persistent remote access
This approach removes the need for dedicated command-and-control servers, making the attack infrastructure more difficult to detect and shut down.
Why Telegram Is Being Used by Attackers
Telegram has become a preferred tool for cybercriminals due to its flexibility and accessibility.
Key advantages include:
No need to maintain dedicated C2 infrastructure
Built-in encryption and global accessibility
Easy automation through bot APIs
Rapid channel creation and recovery if taken down
Security research confirms that Telegram is now widely used for data exfiltration, command execution, and malware coordination, effectively replacing traditional infrastructure in many campaigns.
This shift represents a major evolution in how cyberattacks are managed.
How the Attack Chain Works
The ResokeRAT campaign follows a structured multi-stage attack chain.
Initial Access
Victims are tricked into downloading and executing a malicious file through phishing or fake software.
Payload Execution
The malware installs itself and begins executing in the background, often using obfuscation techniques to avoid detection.
Telegram-Based Command and Control
ResokeRAT connects to a Telegram bot using the Telegram API, enabling real-time communication with attackers.
Credential Theft and Data Collection
The malware collects:
Browser credentials
Session cookies
System information
Potentially sensitive files
Data Exfiltration
Stolen data is sent directly to attacker-controlled Telegram channels or bots.
Common Techniques Used in the Campaign
ResokeRAT leverages a combination of modern malware techniques.
Living Off Trusted Infrastructure
Using Telegram instead of traditional servers to avoid detection.
Credential Harvesting
Extracting login data from browsers and applications.
Remote Command Execution
Allowing attackers to control infected systems in real time.
Persistence Mechanisms
Ensuring the malware remains active even after system restarts.
Obfuscation and Evasion
Using encryption and code obfuscation to bypass security tools.
These techniques make the malware both stealthy and effective.
Why This Campaign Is Dangerous
This campaign is particularly concerning because it blends into legitimate network activity.
Key risks include:
Telegram traffic often appears legitimate
No obvious malicious infrastructure to block
Fast recovery if channels are removed
Low barrier to entry for attackers
Telegram’s role as a cybercrime operational hub means attackers can easily scale campaigns and coordinate attacks without specialized infrastructure.
Potential Impact on Organizations
If successful, ResokeRAT infections can lead to serious consequences.
Possible impacts include:
Unauthorized remote access to systems
Credential theft and account takeover
Data exfiltration and espionage
Lateral movement within networks
Deployment of additional malware
Because attackers gain persistent access, the threat can remain active for long periods.
What Organizations Should Do Now
Organizations must take proactive steps to defend against Telegram-based malware.
Recommended actions include:
Block or monitor access to Telegram APIs where not required
Implement strong endpoint detection and response solutions
Enforce multi-factor authentication across systems
Restrict execution of unknown files and scripts
Train employees to identify phishing attempts
Reducing reliance on user trust is critical in preventing initial compromise.
Detection and Monitoring Strategies
Security teams should monitor for:
Connections to Telegram API endpoints
Unusual outbound traffic patterns
Unauthorized process execution
Credential access anomalies
Suspicious persistence mechanisms
Experts recommend restricting access to Telegram infrastructure if it is not required for business operations.
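As an added defender-side example (not code from the original article), the following Python script scans constructed proxy log lines for the Telegram Bot API URL pattern api.telegram.org/bot<token>/<method> and flags client hosts that poll for commands or upload data without being on an allowlist. The log format, host names and bot tokens are constructed placeholders, and the token-length check is an approximation rather than an official specification.

```python
import re
from collections import defaultdict

# Telegram Bot API requests look like https://api.telegram.org/bot<bot_id>:<secret>/<method>.
# The minimum secret length below is an assumption used only to reduce false matches.
BOT_API_HOST = "api.telegram.org"
BOT_PATH_RE = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]{20,})/(\w+)")
# Methods that pull operator commands (polling) versus methods that push data off the host.
COMMAND_PULL = {"getUpdates"}
DATA_PUSH = {"sendMessage", "sendDocument", "sendPhoto", "sendVideo"}

# Constructed sample proxy log: "<timestamp> <client_host> <dest_host> <verb> <path>".
SAMPLE_PROXY_LOG = """\
2024-01-01T10:00:01Z host-01 api.telegram.org POST /bot123456789:AAEXAMPLE_PLACEHOLDER_TOKEN_0000/getUpdates
2024-01-01T10:00:03Z host-01 api.telegram.org POST /bot123456789:AAEXAMPLE_PLACEHOLDER_TOKEN_0000/getUpdates
2024-01-01T10:00:05Z host-01 api.telegram.org POST /bot123456789:AAEXAMPLE_PLACEHOLDER_TOKEN_0000/sendDocument
2024-01-01T10:00:07Z host-02 web.telegram.org GET /a/
2024-01-01T10:00:09Z host-03 updates.example-vendor.test GET /check
2024-01-01T10:00:11Z host-04 api.telegram.org POST /bot987654321:BBEXAMPLE_PLACEHOLDER_TOKEN_1111/sendMessage
"""

def parse_line(line):
    """Split one constructed proxy log line into fields; return None for malformed input."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, dest, verb, path = parts
    return {"ts": ts, "client": client, "dest": dest, "verb": verb, "path": path}

def analyze(log_text, allowed_clients=frozenset()):
    """Return one finding per client host using the Bot API without an allowlist entry."""
    per_client = defaultdict(lambda: {"bot_ids": set(), "pulls": 0, "pushes": 0, "other": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dest"] != BOT_API_HOST or rec["client"] in allowed_clients:
            continue
        match = BOT_PATH_RE.match(rec["path"])
        if not match:
            continue
        bot_id, _secret, method = match.groups()
        stats = per_client[rec["client"]]
        stats["bot_ids"].add(bot_id)
        if method in COMMAND_PULL:
            stats["pulls"] += 1
        elif method in DATA_PUSH:
            stats["pushes"] += 1
        else:
            stats["other"] += 1
    findings = []
    for client, s in sorted(per_client.items()):
        # Command polling plus uploads from one host matches a RAT's pull-command/push-data loop.
        severity = "high" if s["pulls"] and s["pushes"] else "medium"
        findings.append({"client": client, "bot_ids": sorted(s["bot_ids"]), "pulls": s["pulls"],
                         "pushes": s["pushes"], "severity": severity})
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE_PROXY_LOG):
        print(f"{f['severity'].upper()}: {f['client']} used bot(s) {f['bot_ids']} "
              f"(command polls={f['pulls']}, uploads={f['pushes']}); block or investigate")
```

Hosts that legitimately run Telegram bots belong in allowed_clients; everything else talking to the Bot API is a candidate for the egress block recommended above.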
The Role of Penetration Testing
Penetration testing helps identify weaknesses that allow malware deployment.
Testing should include:
Phishing simulation campaigns
Endpoint compromise scenarios
Credential harvesting simulations
Detection and response validation
These exercises help organizations understand how attackers exploit trusted platforms.
Key Takeaway
The ResokeRAT campaign demonstrates how attackers are increasingly leveraging legitimate platforms like Telegram to conduct cyberattacks. By eliminating the need for traditional infrastructure, these threats become harder to detect, block, and disrupt.
Organizations must adapt by focusing on behavioral monitoring, identity security, and strict control of external communication channels to defend against this evolving threat landscape.