ZynorRAT Malware
Cybersecurity researchers have identified a novel malware family, consisting of a Go-compiled remote access trojan (RAT) dubbed ZynorRAT. The implant targets both Linux and Windows hosts, is managed through a Telegram bot, and — based on available evidence — first appeared on July 8, 2025. Analysts report no code or behavioral overlap with previously cataloged families, suggesting a fresh implementation rather than a variant of an existing toolset.
Technical profile — language, build, and cross-platform notes
ZynorRAT is implemented in Go, which allows a single codebase to produce binaries for multiple OS targets. The Linux build is feature-rich and exposes a broad set of capabilities for reconnaissance, data collection, and remote control. A Windows build has also been observed and appears functionally similar to the Linux variant; however, it still uses Linux-style persistence techniques (systemd services), implying the Windows artifact may be incomplete or under active development.
Capabilities — what the malware can do
The malware's primary mission is collection, exfiltration, and remote access, with Command-and-Control (C2) handled through a Telegram bot (identified as @lraterrorsbot, aka 'lrat'). Once deployed, ZynorRAT receives further instructions from that bot and performs tasks locally on the victim host. Key Linux capabilities include file browsing and exfiltration, system profiling, process listing and termination, screenshot capture, arbitrary command execution, and persistence via systemd.
Observed command endpoints (as implemented in the Linux build):
- /fs_list — enumerate directories
- /fs_get — exfiltrate files from the host
- /metrics — perform system profiling
- /proc_list — run the equivalent of ps to list processes
- /proc_kill — kill a process by PID
- /capture_display — take screenshots of the display
- /persist — establish persistence (systemd service)
Command-and-control and distribution — how the operator runs and spreads it
Telegram is ZynorRAT's C2 channel: the malware checks in with the @lraterrorsbot bot and receives commands over that medium. Screenshots and other artifacts shared through the Telegram bot show payloads being distributed via a file-sharing service called Dosya.co. Analysis of those screenshots indicates the author may have used machines they control to test or validate functionality (self-infection). Using a public messaging platform like Telegram as C2 provides ease of use for the operator and some level of operational flexibility, but it also creates clear indicators (bot handle, unusual Telegram traffic) that defenders can hunt for.
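One way to act on the "unusual Telegram traffic" indicator, added here as an example and not code from the original report or its analysts: Telegram Bot API calls share a fixed URL shape, so a hunt can group them per client and process and rate each group by whether it both polls for tasking and uploads files or screenshots. The log layout (`client_ip process_path url`, as an egress proxy or EDR that attributes URLs to processes might produce), the addresses, process paths and bot tokens are all constructed for the example.

```python
import re
from collections import defaultdict

# Telegram Bot API calls look like https://api.telegram.org/bot<token>/<method>,
# where <token> is "<bot id>:<secret>". The bot's @username is never in the URL,
# so a hunt keys on this path shape and on which methods each host/process calls.
BOT_API = re.compile(r"api\.telegram\.org/bot(\d+):[A-Za-z0-9_-]+/(\w+)")

TASKING = {"getUpdates"}               # long-polling for operator commands
EXFIL = {"sendDocument", "sendPhoto"}  # file and screenshot uploads

# Constructed sample proxy log: "<client_ip> <process_path> <url>" (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 /usr/bin/firefox https://web.telegram.org/a/
10.0.0.7 /tmp/.cache/updater https://api.telegram.org/bot7001234567:AAFakeTokenForTheExample_abc/getUpdates?offset=12
10.0.0.7 /tmp/.cache/updater https://api.telegram.org/bot7001234567:AAFakeTokenForTheExample_abc/getUpdates?offset=13
10.0.0.7 /tmp/.cache/updater https://api.telegram.org/bot7001234567:AAFakeTokenForTheExample_abc/sendDocument
10.0.0.7 /tmp/.cache/updater https://api.telegram.org/bot7001234567:AAFakeTokenForTheExample_abc/sendPhoto
10.0.0.9 /opt/ops/alertbot.py https://api.telegram.org/bot99887766:AAAnotherFakeToken_legit/sendMessage
"""

def hunt(log_text):
    """Group Bot API calls per (client_ip, process) and rate each group."""
    groups = defaultdict(lambda: {"bot_id": None, "methods": defaultdict(int)})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                   # skip malformed lines
        ip, proc, url = parts
        m = BOT_API.search(url)
        if not m:
            continue                   # web/desktop client traffic, not a bot
        g = groups[(ip, proc)]
        g["bot_id"] = m.group(1)       # the numeric bot id is stable per bot account
        g["methods"][m.group(2)] += 1
    results = {}
    for key, g in groups.items():
        methods = set(g["methods"])
        if methods & TASKING and methods & EXFIL:
            verdict = "high"           # polled for tasks and uploaded files/screenshots
        elif methods & TASKING or methods & EXFIL:
            verdict = "medium"         # only half of the C2 pattern seen
        else:
            verdict = "low"            # e.g. a monitoring script that only sends messages
        results[key] = {"bot_id": g["bot_id"], "methods": dict(g["methods"]), "verdict": verdict}
    return results

if __name__ == "__main__":
    for (ip, proc), r in hunt(SAMPLE_LOG).items():
        print(f"{r['verdict']:6} {ip} {proc} bot_id={r['bot_id']} {r['methods']}")
```

A "high" group is a host that behaves like a Bot API client doing both tasking and exfiltration; the process path and the numeric bot id from those hits are the values to pivot on across the rest of the estate.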
Attribution and timeline — what we can reasonably infer
Evidence points to activity beginning on July 8, 2025. Language artifacts in the bot chats and other recovered text suggest the operator may be Turkish or at least using Turkish language resources, and current analysis favors a single, likely lone actor rather than a group development effort. That said, attribution to a person or nation should remain cautious pending further corroboration.
Why this matters — novelty and malware-development trends
Although RATs are common, ZynorRAT is notable because it appears to be a clean-room implementation (no overlaps with known families) that implements automated, centralized controls via Telegram. Its cross-platform ambitions and the use of Go highlight the trend of relatively small operators producing capable multi-OS tooling quickly. Early-stage sophistication here shows how rapidly novel RATs can emerge and be fielded.
Concluding assessment
ZynorRAT represents a contemporary example of a lightweight but capable RAT built for cross-platform deployment and managed through an off-the-shelf messaging service. Its discovery underscores that even single operators can produce flexible remote access tools quickly using modern languages like Go. Organizations should treat Telegram-based C2 and unexpected use of consumer file-sharing services as high-priority hunt items, harden service creation on endpoints, and apply the mitigations listed above to reduce exposure.