ZynorRAT technical analysis: Reverse engineering a novel, Turkish Go-based RAT

Sept. 10, 2025, 8:24 a.m.

Description

ZynorRAT is a newly discovered Go-based Remote Access Trojan that provides a full suite of command-and-control capabilities for Linux and Windows systems. It was first identified in July 2025 and is believed to be of Turkish origin. The malware uses Telegram as its C2 infrastructure and offers file exfiltration, system enumeration, screenshot capture, persistence through systemd services, and arbitrary command execution. The Linux version is fully functional, while the Windows version appears to be in early development, and the malware's author seems to be actively working on improving its detection avoidance. Taken together, ZynorRAT's capabilities cover discovery, exfiltration, persistence, and remote code execution on victim machines.

Date

  • Created: Sept. 10, 2025, 7:54 a.m.
  • Published: Sept. 10, 2025, 7:54 a.m.
  • Modified: Sept. 10, 2025, 8:24 a.m.

Indicators

  • f9eb2a54e500b3ce42950fb75af30955180360c978c00d081ea561c86e54262d
  • bceccc566fe3ae3675f7e20100f979eaf2053d9a4f3a3619a550a496a4268ef5
  • c890c6e6b7cc6984cd9d9061d285d814841e0b8136286e6fd943013260eb8461
  • a6c450f9abff8a22445ba539c21b24508dd326522df525977e14ec17e11f7d65
  • 8b09ba6e006718371486b3655588b438ade953beecf221af38160cbe6fedd40a
  • 4cd270b49c8d5c31560ef94dc0bee2c7927d6f3e77173f660e2f3106ae7131c3
  • 48c2a8453feea72f8d9bfb9c2731d811e7c300f3e1935bddd7188324aab7d30d
  • 47338da15a35c49bcd3989125df5b082eef64ba646bb7a2db1565bb413b69323
  • 237a40e522f2f1e6c71415997766b4b23f1526e2f141d68ff334de3ff5b0c89f
  • 037e5fe028a60604523b840794d06c8f70a9c523a832a97ecaaccd9f419e364a
  • 93.216.69.15
  • 79.104.209.92
  • 87.166.58.36
  • 79.104.209.84
  • 79.104.209.186
  • 79.104.209.215
  • 77.37.103.74
  • 64.124.77.153
  • 217.131.107.38
  • 24.99.144.70
  • 213.33.190.152
  • 213.33.190.139
  • 213.33.190.106
  • 198.44.129.137
  • 195.68.142.8
  • 195.68.142.27
  • 195.239.51.34
  • 194.154.78.215
  • 194.154.78.212
  • 194.154.78.207
  • 194.154.78.146
  • 194.154.78.140
  • 194.154.78.108
  • 185.93.40.66
  • 185.171.76.209
  • 178.244.44.146
  • 176.88.126.219
  • 176.238.224.71
  • 140.228.21.191
  • 136.144.33.66
  • 79.104.209.144
  • 213.33.190.191
  • 136.144.33.64
  • 102.129.152.199
  • 199.203.206.147
  • 185.244.192.175
  • 154.61.71.50
  • network.target

Attack Patterns