ZynorRAT technical analysis: Reverse engineering a novel, Turkish Go-based RAT

Blog post from Sysdig

Post Details
Company: Sysdig
Author: Alessandra Rizzo
Word Count: 2,899
Language: English
Summary

ZynorRAT is a recently discovered Go-based Remote Access Trojan (RAT) identified by the Sysdig Threat Research Team and designed to run on both Linux and Windows. It is notable for its lack of similarity to existing malware families, and it uses Telegram for its command and control (C2) operations, which lets the author manage and automate actions easily. Its functionality includes file exfiltration, system reconnaissance, screenshot capture, persistence through systemd services, and arbitrary command execution, and its development has been traced to a likely Turkish origin. The malware first appeared on VirusTotal in July 2025, and its detection rate has decreased over time, suggesting ongoing refinements to evade detection. Although it is in the early stages of development, ZynorRAT is predicted to eventually be sold on underground markets. The analysis highlights runtime threat detection as a key defense against evolving threats like ZynorRAT, especially as Linux systems draw increasing attention from threat actors.