ZynorRAT Attacking Windows and Linux Systems to Gain Remote Access

A new cross-platform remote access trojan named ZynorRAT targets both Windows and Linux systems and uses Telegram bots as its command and control channel instead of attacker-operated servers.

First seen in July 2025, the Go-compiled malware pairs conventional RAT functionality with a commodity messaging service as its transport, which helps it evade detection and keep persistent access to compromised systems.

Infected machines talk to the operator through Telegram bots, which serve as the sole communication vector between victims and the threat actor.

Through this channel the attacker issues commands, exfiltrates data and monitors victim systems. Because the bot API is reached over HTTPS to Telegram's own infrastructure, the traffic blends with legitimate Telegram use and there is no attacker-controlled domain or IP address for defenders to block.

Abuse of popular messaging platforms as C2 transport is a growing trend, and network monitoring that relies on the reputation of destination hosts will not flag it.

ZynorRAT's multi-platform build lets a single tool compromise environments ranging from Linux servers to Windows workstations, so one operator can work across heterogeneous networks with one codebase.

Windows version of ZynorRAT (Source – Sysdig)

Sysdig researchers identified the malware during routine threat hunting exercises, noting its unique implementation patterns and cross-platform compatibility that distinguish it from existing RAT families.

The malware’s discovery timeline reveals ongoing development efforts, with multiple samples uploaded to VirusTotal showing decreasing detection rates, suggesting active evasion improvements by its creators.

Intelligence gathered from monitored Telegram channels indicates the malware is likely developed by Turkish-speaking actors, with evidence pointing to a single developer known by the handle “halil” who may be preparing the tool for commercial distribution in underground markets.

Advanced Persistence and Command Execution Mechanisms

ZynorRAT's persistence technique differs by platform, which shows the developer understands administration practices on each operating system.

On Linux, the malware abuses systemd user services: it writes a service definition to ~/.config/systemd/user/system-audio-manager[.]service, named to look like an audio component, which launches the dropped binary from the user's ~/.local/bin directory.

User units need no root privileges, live inside the home directory, and are started by the user's own systemd instance, so inventories that only look at /etc/systemd/system and /lib/systemd/system miss them.

[Unit]
Description=System Audio Core Service
After=network.target
[Service]
ExecStart=/home/user/.local/bin/audio
Restart=always
RestartSec=10
[Install]
WantedBy=default.target

Restart=always together with RestartSec=10 makes the user's systemd instance relaunch the binary ten seconds after it exits, however it exited, and WantedBy=default.target starts it whenever that systemd instance comes up (at login, or at boot if lingering is enabled for the account). Killing the process therefore buys nothing; the unit has to be disabled with systemctl --user and both the unit file and the binary removed.
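The following hunting script is an added example for the persistence pattern described above; it is not Sysdig's tooling or the malware's own code. It scans a directory of user units for any service whose ExecStart binary lives in a home or temp directory and which systemd will keep relaunching, and it builds a constructed sample directory (the unit quoted above plus a benign one) so it can be run offline. The list of staging directories and the sample contents are assumptions.

```shell
#!/bin/sh
# Added example (not from the Sysdig write-up or the malware): audit per-user
# systemd units for self-restarting services that run binaries from user-writable
# locations. Staging directories and sample unit contents are assumptions.

# scan_user_units DIR
#   Prints one line per .service file in DIR whose ExecStart binary lives in a
#   home or temp directory and whose Restart= policy keeps it alive.
#   Returns 1 when at least one such unit was found, 0 otherwise.
scan_user_units() {
    dir=$1
    found=0
    for unit in "$dir"/*.service; do
        [ -f "$unit" ] || continue
        # First ExecStart= line, minus systemd's prefix modifiers (-, @, +, !, :) and arguments.
        exec_path=$(sed -n 's/^ExecStart=[-@+!:]*//p' "$unit" | head -n 1 | awk '{ print $1 }')
        [ -n "$exec_path" ] || continue
        restart=$(sed -n 's/^Restart=//p' "$unit" | head -n 1)
        case $exec_path in
            /home/*|/root/*|/tmp/*|/var/tmp/*|/dev/shm/*)
                case ${restart:-no} in
                    always|on-failure|on-abnormal)
                        printf 'SUSPICIOUS %s ExecStart=%s Restart=%s\n' "$unit" "$exec_path" "$restart"
                        found=1
                        ;;
                esac
                ;;
        esac
    done
    return "$found"
}

# make_sample
#   Creates a temporary directory holding two constructed units: the one quoted
#   in the article and a benign agent unit. Prints the directory path.
make_sample() {
    d=$(mktemp -d)
    cat > "$d/system-audio-manager.service" <<'EOF'
[Unit]
Description=System Audio Core Service
After=network.target
[Service]
ExecStart=/home/user/.local/bin/audio
Restart=always
RestartSec=10
[Install]
WantedBy=default.target
EOF
    cat > "$d/gpg-agent.service" <<'EOF'
[Unit]
Description=GnuPG cryptographic agent daemon
[Service]
ExecStart=/usr/bin/gpg-agent --supervised
EOF
    printf '%s\n' "$d"
}

# Demo against the constructed sample. On a real host point it at the directory
# named in the article instead:  scan_user_units "$HOME/.config/systemd/user"
sample_dir=$(make_sample)
scan_user_units "$sample_dir" || echo "review the units listed above"
rm -rf "$sample_dir"
```

Treat the output as a triage list rather than a verdict: user-installed tools (pipx, language toolchains, desktop helpers) legitimately run from the home directory, so the follow-up is to check the binary's origin and what it connects to. Run it per user, or iterate over /home/*/.config/systemd/user as root, since each user's units are invisible to the others' systemd instances.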

Beyond plain shell access, the bot command set includes /fs_list for file system enumeration, /proc_list and /proc_kill for process management, and /metrics for system profiling, which collects the hostname, the current user and the machine's external IP address (obtained by querying api.ipify.org).

These capabilities transform infected machines into comprehensive intelligence gathering platforms, providing attackers with detailed environmental awareness necessary for lateral movement and data exfiltration operations.
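The two destinations this article names, api.ipify.org (used by the /metrics command) and api.telegram.org (the bot-based C2 described earlier), can be correlated in resolver or proxy logs. The script below is an added example, not part of the Sysdig research, and serves both passages: it flags every client that contacted both names. The log format "<epoch> <client> <queried-name>" and the sample lines are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the Sysdig write-up: correlate the two destinations the
# article names in a DNS query log. Log format and sample lines are constructed.

# flag_c2_candidates LOGFILE
#   Prints, sorted, each client that queried both api.ipify.org and api.telegram.org.
#   Expected columns: epoch, client name, queried name.
flag_c2_candidates() {
    awk '
        $3 == "api.ipify.org"    { ipify[$2] = 1 }
        $3 == "api.telegram.org" { tg[$2] = 1 }
        END { for (c in ipify) if (c in tg) print c }
    ' "$1" | sort
}

# make_sample_log
#   Writes constructed query lines to a temp file and prints its path.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
1721300000 ws-17 api.ipify.org
1721300001 ws-17 api.telegram.org
1721300005 ws-04 api.telegram.org
1721300009 srv-db-2 api.ipify.org
1721300012 srv-db-2 api.telegram.org
1721300020 ws-04 www.example.com
1721300031 srv-web-1 api.ipify.org
EOF
    printf '%s\n' "$f"
}

log=$(make_sample_log)
flag_c2_candidates "$log"   # prints srv-db-2 and ws-17; ws-04 (Telegram only) and srv-web-1 (ipify only) are not listed
rm -f "$log"
```

Neither name is malicious on its own: Telegram is common on workstations and several legitimate tools use ipify to learn their public address. The signal is the pair, and it is strongest on servers that have no business with either service, which is why the example keys on the client rather than on the destination.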


The post ZynorRAT Attacking Windows and Linux Systems to Gain Remote Access appeared first on Cyber Security News.

