
A cyber operation has infected more than 18,000 devices worldwide by targeting inexperienced hackers with a trojanized malware builder. According to CloudSEK’s security research, the campaign primarily affected systems in Russia, the United States, India, Ukraine, and Turkey.
The attackers distributed a backdoored version of the XWorm RAT builder through popular platforms including GitHub, Telegram, YouTube, and various websites. Advertised as a free malware-building tool, the builder silently infected the device of anyone who ran it with a backdoor trojan, turning would-be operators into victims.
Technical Analysis:
– The malware checks its environment and stays dormant or exits when it detects a virtual machine, hindering sandbox analysis
– Establishes persistence by adding entries to the Windows Registry
– Uses Telegram as its command-and-control (C2) channel, so beaconing blends in with traffic to a legitimate service
– Automatically harvests Discord tokens, system information, and location data
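Two of the behaviours above, Telegram-based C2 and Registry persistence, are the easiest for defenders to hunt for in existing telemetry. The script below is an added example written for this page, not CloudSEK’s tooling or any code from the XWorm builder; it assumes the C2 traffic goes through Telegram’s public Bot API (the report above says only “Telegram”) and that the proxy log records full URLs. The log lines, client addresses, bot token and Run-key entries are all constructed sample data.

```python
"""Hunt for Telegram Bot API C2 beaconing and suspicious Run-key persistence.
Added example for this article; all input data below is constructed."""
import re
from collections import defaultdict

# A Bot API call embeds the bot token in the URL path as /bot<id>:<secret>/<method>,
# so a proxy that logs full URLs hands the defender the operator's token.
TELEGRAM_BOT_CALL = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>\d{8,10}:[A-Za-z0-9_-]{35})/(?P<method>[A-Za-z]+)"
)

# Bot API methods an implant uses to poll for tasks and push stolen data.
C2_METHODS = {"getUpdates", "sendMessage", "sendDocument", "sendPhoto"}

# Constructed proxy log in the form "<time> <client> <verb> <url>". Not real traffic;
# the bot token is a made-up value of the right shape.
SAMPLE_PROXY_LOG = """\
2025-01-20T10:01:02Z 10.0.0.15 GET https://api.telegram.org/bot1234567890:AAHf3x_ZQb8rY9LmNp2vKs7wXe1oTuGdCjQ/getUpdates?offset=1
2025-01-20T10:01:05Z 10.0.0.15 POST https://api.telegram.org/bot1234567890:AAHf3x_ZQb8rY9LmNp2vKs7wXe1oTuGdCjQ/sendDocument
2025-01-20T10:02:00Z 10.0.0.22 GET https://www.example.com/index.html
2025-01-20T10:03:11Z 10.0.0.15 POST https://api.telegram.org/bot1234567890:AAHf3x_ZQb8rY9LmNp2vKs7wXe1oTuGdCjQ/sendMessage
2025-01-20T10:04:00Z 10.0.0.31 GET https://api.telegram.org/bot1234567890:AAHf3x_ZQb8rY9LmNp2vKs7wXe1oTuGdCjQ/sendPhoto
"""


def find_telegram_c2(log_text):
    """Return {client: {"token": str, "methods": set}} for every client that
    called the Bot API with a C2-style method. Clients sharing one token are
    victims of the same operator."""
    hits = defaultdict(lambda: {"token": None, "methods": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        client, url = parts[1], parts[3]
        m = TELEGRAM_BOT_CALL.search(url)
        if not m or m.group("method") not in C2_METHODS:
            continue
        hits[client]["token"] = m.group("token")
        hits[client]["methods"].add(m.group("method"))
    return dict(hits)


# Constructed dump of HKCU\Software\Microsoft\Windows\CurrentVersion\Run as
# (value name, command). The two "suspicious" rows are invented for the demo.
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"),
    ("WindowsUpdate", r"C:\Users\alice\AppData\Roaming\svchost.exe"),
    ("Updater", r"C:\Users\alice\AppData\Local\Temp\Update.exe"),
]

# Run-key persistence is normal for legitimate software; what is not normal is a
# Run value whose binary lives in a user-writable directory or borrows the name
# of a Windows system binary while living outside System32.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.IGNORECASE)
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "csrss.exe", "lsass.exe"}
SYSTEM32 = r"c:\windows\system32"


def suspicious_run_entries(entries):
    """Return (value name, command, reason) triples that deserve a closer look."""
    flagged = []
    for name, command in entries:
        exe = re.split(r"\s+/|\s+-", command)[0].strip('"')  # drop trailing arguments
        reasons = []
        if USER_WRITABLE.search(exe):
            reasons.append("binary in user-writable path")
        base = exe.rsplit("\\", 1)[-1].lower()
        if base in SYSTEM_NAMES and not exe.lower().startswith(SYSTEM32):
            reasons.append("system binary name outside System32")
        if reasons:
            flagged.append((name, command, "; ".join(reasons)))
    return flagged


if __name__ == "__main__":
    for client, info in find_telegram_c2(SAMPLE_PROXY_LOG).items():
        print(f"{client}: Bot API C2 via token {info['token'][:10]}... methods={sorted(info['methods'])}")
    for name, command, reason in suspicious_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"Run\\{name} -> {command}  [{reason}]")
```

The bot token recovered from the proxy log is the pivot for the rest of the response: every host that uses the same token belongs to the same operator, it can be reported to Telegram for abuse, and it is the identifier an IR team needs in order to block or take over the channel. Run-key checks deliberately do not try to match a specific file name, since a builder-distributed implant can be renamed by whoever ran it; the path and impersonation heuristics survive renaming.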
Key Malware Capabilities:
– Browser credential theft
– Keylogging
– Screen capture
– File encryption
– Process termination
– File exfiltration
– Remote uninstallation
Impact and Mitigation:
The attackers extracted data from approximately 11% of infected devices, mostly screenshots and browser data. CloudSEK researchers later disrupted the operation by triggering the malware’s built-in kill switch, sending mass uninstall commands to the compromised devices over the same Telegram channel the operators used for C2.
While many systems were cleaned by this intervention, some devices remain infected because of timing and technical limitations of the takedown. The incident is a stark reminder of the risk of running unverified software, particularly tools traded within cybercriminal circles.