Saturday, February 8, 2025
Homecyber securityWeaponised XWorm RAT Builder Attacking Script Kiddies To Hack 18,000 Devices

Weaponised XWorm RAT Builder Attacking Script Kiddies To Hack 18,000 Devices

Published on

SIEM as a Service

Follow Us on Google News

A recent cybersecurity attack involving a Trojanized version of the XWorm Remote Access Trojan (RAT) builder has compromised over 18,000 devices worldwide.

This sophisticated malware, primarily distributed via GitHub repositories, Telegram channels, and other platforms, has targeted cybersecurity novices, also known as “script kiddies,” who unknowingly downloaded malicious tools.

Trojanized XWorm RAT Builder Exploits Over 18,000 Devices Globally

The malware has infiltrated devices in Russia, the United States, India, Ukraine, and Turkey, with the primary goal of exfiltrating sensitive data and maintaining long-term control over infected machines.

Using Telegram as its command-and-control (C&C) infrastructure, the malware provides attackers with the ability to exfiltrate browser credentials, Discord tokens, system information, and more.

Weaponised XWorm RAT
Telegram channel milleniumrat

In addition, it employs advanced virtualization checks to evade detection in virtualized environments and manipulates Windows Registry entries for persistence.

Its capabilities extend to issuing malicious commands, including encrypting files, stealing data, and even invoking a “Blue Screen of Death” (BSOD) on victim systems.

Disruption Efforts Leverage Malware’s Own Kill Switch

Researchers investigating the malware successfully leveraged its built-in uninstall command to neutralize the botnet controlling thousands of infected machines.

By exploiting Telegram communications, they sent uninstall commands en masse to active devices.

However, this approach was constrained by certain limitations, including offline machines and Telegram’s rate-limiting functionalities.

Machines not online at the time of the command burst remain infected, highlighting the challenges in fully eradicating such a widespread malware campaign.

The malware’s architecture revealed hardcoded Telegram bot IDs and tokens, which were instrumental in its operation.

Weaponised XWorm RAT
Threat actor uploading the chk1.rdp file on an infected device

Data analysis showed that over 1 GB of browser credentials and thousands of screenshots and Discord tokens had been exfiltrated.

Attribution efforts traced the threat actors to aliases such as “@shinyenigma” and “@milleniumrat,” linked to GitHub accounts and a ProtonMail address.

Experts at CloudSek emphasize the importance of proactive defense measures to mitigate future attacks of this scale.

Deploying Endpoint Detection and Response (EDR) solutions and monitoring network traffic for communication with malicious C&C servers are critical first steps.

Organizations are also advised to block known Indicators of Compromise (IoCs), such as infected GitHub repositories and Telegram channels, while enforcing stricter application whitelisting policies.

Educating employees about the risks of unauthorized downloads and malicious tools is another vital mitigation strategy.

Additionally, removing persistent malware requires deep system scans alongside manual cleanup of registry entries and startup scripts.

Collaborative efforts with law enforcement and platform providers like GitHub and Telegram are essential to dismantling malicious infrastructure and holding threat actors accountable.

The Trojanized XWorm RAT builder demonstrates the escalating sophistication of modern malware campaigns, emphasizing the need for continuous vigilance, advanced cybersecurity tools, and proactive education.

By targeting inexperienced users with malicious tools disguised as helpful utilities, attackers capitalized on trust to initiate widespread breaches.

Moving forward, concerted efforts in threat intelligence sharing, rapid response, and robust system security will be paramount in combating such advanced threats.

Are you from SOC/DFIR Teams? - Analyse Malware Files & Links with ANY.RUN Sandox -> Try for Free

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Autonomous LLMs Reshaping Pen Testing: Real-World AD Breaches and the Future of Cybersecurity

Large Language Models (LLMs) are transforming penetration testing (pen testing), leveraging their advanced reasoning...

Securing GAI-Driven Semantic Communications: A Novel Defense Against Backdoor Attacks

Semantic communication systems, powered by Generative AI (GAI), are transforming the way information is...

Cybercriminals Target IIS Servers to Spread BadIIS Malware

A recent wave of cyberattacks has revealed the exploitation of Microsoft Internet Information Services...

Hackers Leveraging Image & Video Attachments to Deliver Malware

Cybercriminals are increasingly exploiting image and video files to deliver malware, leveraging advanced techniques...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Autonomous LLMs Reshaping Pen Testing: Real-World AD Breaches and the Future of Cybersecurity

Large Language Models (LLMs) are transforming penetration testing (pen testing), leveraging their advanced reasoning...

Securing GAI-Driven Semantic Communications: A Novel Defense Against Backdoor Attacks

Semantic communication systems, powered by Generative AI (GAI), are transforming the way information is...

Cybercriminals Target IIS Servers to Spread BadIIS Malware

A recent wave of cyberattacks has revealed the exploitation of Microsoft Internet Information Services...