Karma Strikes: Fake Malware Tool Infects 18,000 Wannabe Hackers

Hackers Targeted with Malicious RAT Builder in Large-Scale Deception Campaign

A sophisticated cyber operation has successfully infected over 18,000 devices worldwide by targeting inexperienced hackers with a fraudulent malware builder. According to CloudSEK’s security research, the campaign primarily affected systems in Russia, the United States, India, Ukraine, and Turkey.

The attack involved distributing a compromised version of the XWorm RAT builder through popular platforms including GitHub, Telegram, YouTube, and various websites. While advertised as a free malware-building tool, the software actually infected users’ devices with a backdoor trojan.

Technical Analysis:
– The malware performs environment checks to detect virtual machines and avoid running inside them
– Establishes persistence through Windows Registry modifications
– Uses Telegram for command and control (C2) operations
– Automatically harvests Discord tokens, system information, and location data
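The behaviours listed above (Run-key persistence, Telegram C2 traffic, Discord token harvesting) are individually noisy but useful in combination. The following is an added example, not code from CloudSEK or from the article, that correlates constructed endpoint events per host and flags only hosts showing at least two of those behaviours; the Discord token storage path and the use of api.telegram.org as the C2 endpoint are assumptions, and the sample events are constructed.

```python
"""Correlate constructed endpoint events for the XWorm-style behaviours above."""
from collections import defaultdict

# Constructed sample telemetry (not real data), loosely modelled on
# Sysmon-style fields: host, event type, and a detail string.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "registry_set",
     "detail": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"host": "ws01", "type": "dns_query", "detail": "api.telegram.org"},
    {"host": "ws01", "type": "file_read",
     "detail": r"C:\Users\a\AppData\Roaming\discord\Local Storage\leveldb\000003.ldb"},
    {"host": "ws02", "type": "dns_query", "detail": "api.telegram.org"},
    {"host": "ws03", "type": "registry_set",
     "detail": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
]

# Indicators for each behaviour (assumed, lower-case for matching).
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
TELEGRAM_C2 = ("api.telegram.org",)          # assumed Telegram Bot API host
DISCORD_TOKEN_STORE = ("\\discord\\local storage\\leveldb",)  # assumed path


def classify(event):
    """Map one event to a behaviour label, or None if it is not of interest."""
    detail = event["detail"].lower()
    if event["type"] == "registry_set" and any(k in detail for k in RUN_KEYS):
        return "run_key_persistence"
    if event["type"] == "dns_query" and any(h in detail for h in TELEGRAM_C2):
        return "telegram_c2"
    if event["type"] == "file_read" and any(p in detail for p in DISCORD_TOKEN_STORE):
        return "discord_token_access"
    return None


def correlate(events, min_behaviours=2):
    """Return {host: sorted behaviour labels} for hosts with enough distinct hits.

    A lone Run-key write or a single Telegram lookup is common on clean hosts,
    so only hosts combining several of the behaviours are reported.
    """
    seen = defaultdict(set)
    for ev in events:
        label = classify(ev)
        if label:
            seen[ev["host"]].add(label)
    return {h: sorted(b) for h, b in seen.items() if len(b) >= min_behaviours}


if __name__ == "__main__":
    for host, behaviours in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(behaviours)}")
```

With the constructed events only ws01 is reported; ws02 and ws03 each show a single behaviour and stay below the threshold.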

Key Malware Capabilities:
– Browser credential theft
– Keylogging
– Screen capture
– File encryption
– Process termination
– File exfiltration
– Remote uninstallation

Impact and Mitigation:
The attackers successfully extracted data from approximately 11% of infected devices, primarily focusing on screenshots and browser information. CloudSEK researchers later disrupted the operation by activating a built-in kill switch, sending mass uninstall commands to compromised devices.

While many systems were cleaned through this intervention, some devices remain infected due to timing and technical limitations. This incident serves as a stark reminder of the risks associated with running unsigned software, particularly tools distributed within cybercriminal circles.