Hackers Exploit Script Kiddies with XWorm RAT, Compromising 18,000 Devices

In a surprising twist within the cybercriminal landscape, hackers have turned the tables on inexperienced individuals in the hacking community, exploiting them with the XWorm Remote Access Trojan (RAT). This scheme has compromised over 18,000 devices globally, leveraging Telegram for command and control operations to exfiltrate sensitive data.

Recent investigations by CloudSEK have unveiled a new malware campaign featuring a Trojanized version of the XWorm RAT builder. This variant has made its way across multiple platforms, including file-sharing services such as Mega and Upload.ee, GitHub repositories like LifelsHex/FastCryptor and FullPenetrationTesting/888-RAT, as well as various Telegram channels and even YouTube. The far-reaching nature of this distribution has resulted in the compromise of more than 18,459 devices worldwide.

The personal data exfiltrated in this operation is extensive, encompassing sensitive information like browser credentials, Discord tokens, Telegram messages, and critical system data from the affected devices. According to CloudSEK’s Threat Intelligence Researcher Vikas Kundu, the builder represents a potent tool for attackers, enabling them to deploy a highly capable RAT equipped with features for system reconnaissance, data extraction, and command execution.

This campaign specifically targeted novice cybercriminals—often referred to as “script kiddies”—by distributing a modified XWorm RAT builder designed for their skill level. Upon successful installation, the malware extracted various pieces of critical information, while also employing sophisticated functionalities such as virtualization checks and registry modifications. Its extensive command and control capability further enhanced its ability to execute commands remotely.

Moreover, the malware’s reliance on Telegram for command and control marks a significant aspect of its functionality. By utilizing bot tokens and Telegram API interactions, it effectively communicates with its operators and streams exfiltrated data back to them. Researchers managed to identify a “kill switch” feature within the malware, enabling them to disrupt active operations. However, the cleanup remained incomplete: infected machines that were offline could not be reached, and Telegram’s built-in rate limiting capped how many of them the kill switch could be sent to.

The investigation has led experts to associate the threat actor with online aliases “@shinyenigma” and “@milleniumrat,” along with several GitHub accounts and a ProtonMail address linked to the operations. Notably, XWorm’s impact continues to extend beyond this campaign, with its reported use in Russian cyber efforts against Ukraine highlighted by the country’s State Service of Special Communications and Information Protection (SSSCIP) earlier this year.

To fortify defenses against such emerging threats, organizations and individuals alike are urged to implement Endpoint Detection and Response (EDR) solutions to identify anomalous network activities and malware presence. Additionally, applying Intrusion Detection and Prevention Systems (IDPS) can effectively obstruct communications between infected devices and their malign command and control servers. Proactive cybersecurity measures, including blocking access to identified malicious URLs and enforcing application whitelisting protocols, can further diminish the risk of malware infiltration.
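The Telegram-based command and control described above leaves a recognizable trace in web-proxy logs: every Bot API request carries the bot token in the URL path (`https://api.telegram.org/bot<token>/<method>`), and the methods used say whether an endpoint is only polling for commands (`getUpdates`) or actually pushing data out (`sendDocument`, `sendMessage`). The script below is an added example, not CloudSEK’s code or anything from the article: it scans proxy log lines for that pattern, grades each finding, and derives token-scoped deny prefixes of the kind the mitigation paragraph recommends. The log format, hostnames, process names, bot IDs and tokens are all constructed for the example, and the `ALLOWED_PROCESSES` allowlist is an assumption to be tuned per environment.

```python
"""Flag Telegram Bot API command-and-control traffic in proxy logs.

Added example (not the article's or CloudSEK's code). Log format and every
host/process/token value below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Bot API URLs embed the token: https://api.telegram.org/bot<id>:<secret>/<method>
# Real tokens are a numeric bot id, a colon, and a ~35-char secret.
BOT_PATH = re.compile(
    r"^https?://api\.telegram\.org/bot(\d{5,12}):([A-Za-z0-9_-]{30,})/(\w+)"
)

# Methods a data-stealer uses to push loot out versus only poll for commands.
EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}
POLL_METHODS = {"getUpdates"}

# Processes permitted to call the Bot API from workstations (assumption: tune
# per environment). The Telegram desktop client itself does not use the Bot
# API, so on an ordinary workstation this set is usually empty.
ALLOWED_PROCESSES = {"approved-alerting-bot.exe"}  # hypothetical name

# Constructed sample log: "<timestamp> <host> <process> <http-method> <url> <status>"
SAMPLE_LOG = """\
2025-01-22T10:01:03Z WS-0042 Telegram.exe CONNECT 149.154.167.51:443 200
2025-01-22T10:01:09Z WS-0042 svchost.exe GET https://api.telegram.org/bot7000000001:AAEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLE/getUpdates 200
2025-01-22T10:01:14Z WS-0042 svchost.exe POST https://api.telegram.org/bot7000000001:AAEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLE/sendDocument 200
2025-01-22T10:02:00Z WS-0017 chrome.exe GET https://www.example.com/ 200
2025-01-22T10:02:31Z WS-0099 python.exe GET https://api.telegram.org/bot7000000002:BBEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLE/getUpdates 200
"""


@dataclass
class Finding:
    host: str
    process: str
    bot_id: str
    token: str
    methods: set
    count: int


def parse_line(line):
    """Split one constructed-format log line into its fields, or None."""
    parts = line.split()
    if len(parts) < 6:
        return None
    ts, host, process, http_method, url, status = parts[:6]
    return {"ts": ts, "host": host, "process": process,
            "http_method": http_method, "url": url, "status": status}


def scan(lines):
    """Group Bot API requests per (host, process, bot id) and return findings."""
    buckets = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        m = BOT_PATH.match(rec["url"])
        if not m:
            continue
        bot_id, token, method = m.groups()
        if rec["process"] in ALLOWED_PROCESSES:
            continue
        key = (rec["host"], rec["process"], bot_id)
        f = buckets.setdefault(
            key, Finding(rec["host"], rec["process"], bot_id, token, set(), 0))
        f.methods.add(method)
        f.count += 1
    return sorted(buckets.values(), key=lambda f: (f.host, f.process))


def severity(f):
    """'high' once data leaves the host; 'medium' for command polling alone."""
    if f.methods & EXFIL_METHODS:
        return "high"
    if f.methods & POLL_METHODS:
        return "medium"
    return "low"


def deny_rules(findings):
    """Proxy deny prefixes scoped to the observed token path. Blocking
    api.telegram.org wholesale would also break legitimate bots."""
    return sorted({f"https://api.telegram.org/bot{f.bot_id}:{f.token}/"
                   for f in findings})


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{severity(f):6} {f.host} {f.process} bot={f.bot_id} "
              f"methods={sorted(f.methods)} requests={f.count}")
    for rule in deny_rules(found):
        print("deny", rule)
```

Run against the embedded sample it reports one high-severity finding (a host that both polled for commands and uploaded a document) and one medium-severity finding (polling only), and emits one deny prefix per observed bot token. In a real deployment the same matcher can be applied to EDR network telemetry, where the originating process is more reliable than what a proxy records.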
