ZynorRAT technical analysis: Reverse engineering a novel, Turkish Go-based RAT
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:
ZynorRAT is a newly discovered Go-based Remote Access Trojan that provides a full suite of command and control capabilities for Linux and Windows systems. It was first identified in July 2025 and is believed to be of Turkish origin. The malware uses Telegram as its C2 infrastructure and offers features such as file exfiltration, system enumeration, screenshot capture, persistence through systemd services, and arbitrary command execution. The Linux version is fully functional, while the Windows version appears to be in early development. The malware's author seems to be actively working on improving its detection avoidance. ZynorRAT's capabilities include discovery, exfiltration, persistence, and remote code execution on victim machines.
OPENCTI LABELS:
c2,remote access trojan,linux,telegram,windows,go-based,zynorrat,turkish
AI COMMENTARY:
1. ZynorRAT has emerged as a sophisticated Go-based Remote Access Trojan that has captured the attention of threat intelligence teams worldwide. First identified in July 2025, this novel malware demonstrates the rapid maturation of threat actors who leverage modern programming languages to craft cross-platform tools. Believed to be of Turkish origin, ZynorRAT challenges defenders with its modular design, extensive feature set, and reliance on Telegram for command and control communication.
2. The selection of Go as the development language for ZynorRAT offers significant advantages to its author. Go binaries compile into single, statically linked executables, simplifying deployment on both Linux and Windows systems without external dependencies. This characteristic allows the Linux variant to operate fully, while the Windows edition, although still in early development, hints at imminent parity in capabilities. The choice of Go also complicates reverse engineering efforts, as analysts must contend with unfamiliar constructs and stripped binaries that obscure function names and data structures.
3. At the heart of ZynorRAT’s operation lies its use of Telegram as a stealthy C2 channel. The malware registers with a Telegram bot using a hard-coded token and polls the platform for encrypted commands. This approach provides redundancy and resilience, since Telegram’s distributed infrastructure is difficult for defenders to block completely. It also allows the attacker to blend C2 traffic with legitimate messaging, further thwarting network-based detection strategies.
4. ZynorRAT delivers a full suite of post-compromise capabilities designed to maximize situational awareness and data exfiltration. The discovery module enumerates system information, including OS details, network interfaces, and running processes. File operations enable both targeted exfiltration and broader collection of sensitive documents. The screenshot function captures the user environment at will, while the arbitrary command execution feature grants the operator complete control over the infected host. Each capability is accessible via distinct Telegram commands, enabling precise and adaptive operations.
5. Persistence is achieved through the creation and management of systemd service files on Linux hosts. By installing a custom unit that automatically starts ZynorRAT on boot, the malware ensures its longevity even after system restarts. Although the Windows variant lacks a fully implemented persistence mechanism, its development roadmap suggests that registry run keys or scheduled tasks will be incorporated in future iterations. This evolution underscores the author’s commitment to expanding the RAT’s reliability and stealth across environments.
6. Evasion and anti-analysis features form a key component of ZynorRAT’s design philosophy. The malware incorporates simple sandbox checks, such as verifying system uptime and user interaction metrics, to avoid execution in virtualized research environments. Additionally, the Go compiler’s ability to produce stripped binaries hampers static analysis by eliminating symbol tables and debug information. The author’s ongoing efforts to refine detection avoidance indicate a persistent cat-and-mouse dynamic between ZynorRAT and security vendors.
7. From the threat intelligence perspective, monitoring for unusual Telegram bot tokens and anomalous service unit files on Linux systems can yield early indicators of compromise. Network defenders should implement strict egress filtering to limit outbound connections to known and approved services. Endpoint security solutions capable of behavioral monitoring will be critical in detecting the file exfiltration and command execution patterns exhibited by ZynorRAT. Regular threat hunting exercises that focus on Go-based executables and their unique footprints can further reduce dwell time.
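As an added example that is not part of the report or of the analysis it summarizes, the following Python script turns the systemd hunting advice above into a concrete check: it parses each *.service unit, extracts the ExecStart binary and flags units that boot a program from a writable drop location. The trusted and suspicious directory lists, and the two sample units, are assumptions constructed for the demonstration, not ZynorRAT artifacts.

```python
"""Hunt for systemd units whose ExecStart points at a binary in a drop location."""
import re
from pathlib import Path
from typing import Dict, List, Optional

# Where legitimate service binaries normally live (assumption: tune per estate).
TRUSTED_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/lib/", "/opt/", "/etc/")
# Writable locations a dropped payload tends to be launched from (assumption).
SUSPICIOUS_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")

# ExecStart may carry systemd prefix characters (-, @, +, !, :) before the path.
EXEC_RE = re.compile(r"^\s*ExecStart\s*=\s*[-@+!:]*(\S+)", re.MULTILINE)


def exec_binary(unit_text: str) -> Optional[str]:
    """Return the binary named by the first ExecStart= line, or None if absent."""
    m = EXEC_RE.search(unit_text)
    return m.group(1) if m else None


def classify_unit(name: str, unit_text: str) -> Dict:
    """Flag a unit that starts a binary from an unusual path (and auto-restarts it)."""
    reasons: List[str] = []
    path = exec_binary(unit_text)
    if path is not None and path.startswith(SUSPICIOUS_PREFIXES):
        reasons.append(f"ExecStart in drop location: {path}")
    elif path is not None and not path.startswith(TRUSTED_PREFIXES):
        reasons.append(f"ExecStart outside trusted directories: {path}")
    if reasons and "Restart=always" in unit_text:
        reasons.append("Restart=always keeps the payload alive if it is killed")
    return {"unit": name, "exec": path, "suspicious": bool(reasons), "reasons": reasons}


def scan_unit_dirs(dirs=("/etc/systemd/system", "/usr/lib/systemd/system")) -> List[Dict]:
    """Classify every *.service file under the given directories on a live host."""
    hits = []
    for d in dirs:
        for unit in Path(d).glob("*.service"):
            try:
                result = classify_unit(unit.name, unit.read_text(errors="replace"))
            except OSError:
                continue  # unreadable unit: skip rather than abort the sweep
            if result["suspicious"]:
                hits.append(result)
    return hits


# Constructed sample units for offline demonstration (not real ZynorRAT artifacts).
BENIGN_UNIT = "[Unit]\nDescription=OpenSSH server\n[Service]\nExecStart=/usr/sbin/sshd -D\n[Install]\nWantedBy=multi-user.target\n"
DROPPED_UNIT = "[Unit]\nDescription=System Update Helper\n[Service]\nExecStart=/tmp/.cache/updater\nRestart=always\n[Install]\nWantedBy=multi-user.target\n"

if __name__ == "__main__":
    for unit_name, text in (("ssh.service", BENIGN_UNIT), ("updater.service", DROPPED_UNIT)):
        print(classify_unit(unit_name, text))
```

Run `scan_unit_dirs()` on a host to sweep the real unit directories; the sample units only exercise the classifier offline.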
8. The appearance of ZynorRAT underscores broader trends in the threat landscape, where adversaries leverage modern development frameworks to accelerate malware creation and obfuscation. As RATs evolve to target both Linux and Windows platforms, organizations must adopt a cross-platform defense posture that includes comprehensive logging, network segmentation, and timely patch management. Collaborative threat intelligence sharing can facilitate rapid detection of new toolsets like ZynorRAT and support coordinated response efforts.
9. In summary, ZynorRAT represents a significant step forward in RAT capabilities, combining a Go-based architecture with Telegram-driven C2, robust feature sets, and persistence mechanisms on Linux. While the Windows version remains under development, its trajectory points toward full feature parity. By understanding ZynorRAT’s technical underpinnings and leveraging targeted detection strategies, security teams can mitigate its impact and stay ahead of this evolving threat.