ZynorRAT Exploits Windows and Linux Systems to Gain Remote Access
gbhackers
During a recent threat hunting exercise, the Sysdig Threat Research Team (TRT) identified a new sample dubbed ZynorRAT.
This Go-based Remote Access Trojan (RAT) delivers a comprehensive suite of custom command-and-control (C2) capabilities for both Linux and Windows systems.
First uploaded to VirusTotal on July 8, 2025, ZynorRAT exhibits no significant overlap with known malware families, and multiple reuploads demonstrate the developer’s ongoing efforts to reduce its detection rate.
Leveraging Telegram as its C2 backbone, the malware’s streamlined management and automation suggest a planned transition to underground sales.
Based on analysis of Telegram channels, network logs, reverse-engineered strings, and VirusTotal telemetry, TRT attributes ZynorRAT’s origin to a Turkish developer.
ZynorRAT’s debut on VirusTotal under the filename “zynor” yielded detections by 22 of 66 security vendors.
A subsequent upload two days later saw detections drop to 16 of 66, underscoring active refinement by its ...
Copyright of this story solely belongs to gbhackers.