
18,000+ Devices Compromised: CloudSEK Disrupts Trojanised XWorm RAT Builder

Think there’s honor among thieves? Think again. CloudSEK researchers have just exposed a trojanized version of the XWorm Remote Access Trojan (RAT) builder, disguised as a legitimate tool and specifically designed to trick aspiring hackers – “script kiddies” – who are just starting out in the cybersecurity world.

This malicious campaign exploits the trust these individuals place in online tutorials and resources, turning their pursuit of knowledge into a major security risk. These unsuspecting users are lured into downloading compromised tools shared via GitHub repositories, file-sharing platforms, Telegram channels, and video tutorials.

This weaponized RAT builder enables attackers to deploy a highly capable Trojan with advanced functionalities, including data exfiltration, system manipulation, and remote control of infected devices. (For More Information, Check Full Report)

CloudSEK’s investigation has revealed that this malware has infected over 18,459 devices globally, with major victims in Russia, the USA, India, Ukraine, and Turkey. It facilitates data theft, including browser credentials, Discord tokens, Telegram information, and system details. Additionally, attackers gain complete control over compromised systems through an array of built-in commands.

The investigation revealed that the malware’s operations are controlled via Telegram bots, which streamline data exfiltration and command issuance.

CloudSEK researchers identified a hidden “kill switch” in the malware, enabling partial disruption of its botnet operations by sending uninstall commands to active infected devices.

“This shows how cybercriminals are targeting newcomers in cybersecurity. With over 18,000 infections and sensitive data being stolen globally, this is a wake-up call for everyone to be cautious about where they download tools. The way attackers use platforms like Telegram for their operations shows how easily available tools can be misused,” said Vikas Kundu, Threat Intelligence Researcher, CloudSEK.

Kundu added that the discovery of the hidden kill switch allowed CloudSEK to disrupt the botnet’s operations on many devices, but it also highlighted the sophistication of the threat actors behind it. Their ability to manipulate widely used platforms like Telegram for command-and-control operations highlights how quickly cyber threats evolve.

Key findings from CloudSEK’s analysis include:

  • 18,459 devices were compromised globally, with over 1 GB of browser credentials exfiltrated.
  • Top victim countries: Russia, USA, India, Ukraine, and Turkey.
  • Data exfiltrated includes browser credentials, 4,991 screenshots, and 2,222 zip files containing sensitive information.
  • The malware’s “kill switch” feature successfully disrupted operations on active devices.

Threat Actor Attribution

The operation has been linked to threat actors using aliases like “@shinyenigma” and “@milleniumrat” on Telegram. Associated GitHub accounts and a ProtonMail address (“frutosall@proton.me”) further substantiate their involvement in distributing the compromised builder.

Mitigation and Recommendations

CloudSEK recommends deploying advanced Endpoint Detection and Response (EDR) systems to identify unauthorized activity, monitoring network traffic to block communication with malicious Telegram bots, and isolating infected devices to contain the spread. It is crucial to educate users on the dangers of unverified software and enforce robust application whitelisting policies.

Collaborative action with law enforcement and platforms like GitHub and Telegram is vital for dismantling such operations.
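One way to act on the network-monitoring recommendation above is to hunt proxy logs for Telegram Bot API traffic, which is the channel the report says the malware uses for command issuance and exfiltration. The script below is an added example, not CloudSEK's tooling; it assumes a simple whitespace-separated proxy log (timestamp, source host, HTTP method, URL) and uses constructed, non-functional bot tokens.

```python
import re
from collections import defaultdict

# Telegram Bot API calls look like https://api.telegram.org/bot<id>:<secret>/<method>.
# The numeric <id> identifies the bot; only it is kept so the secret is never re-logged.
TELEGRAM_BOT_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):[\w-]+/(?P<method>\w+)"
)
# Methods that push data from the host to the bot (files, screenshots, text).
EXFIL_METHODS = {"sendDocument", "sendPhoto", "sendMessage"}

# Constructed proxy log lines (assumed format: timestamp, source host, method, URL).
SAMPLE_PROXY_LOG = """\
2025-01-20T09:14:02Z ws-0412 POST https://api.telegram.org/bot7000000001:AAFakeSecretToken-constructed/sendDocument
2025-01-20T09:14:05Z ws-0412 POST https://api.telegram.org/bot7000000001:AAFakeSecretToken-constructed/sendMessage
2025-01-20T09:15:11Z ws-0098 GET https://api.telegram.org/bot7000000002:AAOtherFakeToken-constructed/getUpdates
2025-01-20T09:16:40Z ws-0777 GET https://www.example.org/index.html
"""

def parse_line(line):
    """Return (host, bot_id, api_method) for a Telegram Bot API request, else None."""
    parts = line.split()
    if len(parts) < 4:
        return None
    m = TELEGRAM_BOT_RE.search(parts[3])
    if not m:
        return None
    return parts[1], m.group("bot_id"), m.group("method")

def find_telegram_c2(log_text):
    """Group Bot API activity per internal host and classify it for triage."""
    per_host = defaultdict(lambda: {"bot_ids": set(), "methods": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            host, bot_id, method = rec
            per_host[host]["bot_ids"].add(bot_id)
            per_host[host]["methods"].add(method)
    findings = {}
    for host, info in per_host.items():
        # getUpdates-style calls mean the host is polling for commands;
        # any send* call means data is leaving the host.
        verdict = "exfiltration" if info["methods"] & EXFIL_METHODS else "polling"
        findings[host] = {
            "bot_ids": sorted(info["bot_ids"]),
            "methods": sorted(info["methods"]),
            "verdict": verdict,
        }
    return findings

if __name__ == "__main__":
    for host, f in find_telegram_c2(SAMPLE_PROXY_LOG).items():
        print(host, f["verdict"], f["bot_ids"], f["methods"])
```

Hosts with an "exfiltration" verdict are candidates for isolation; the bot IDs give the team a stable value to block or correlate across hosts without handling the full token.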

CSA Editorial

Launched in Jan 2018, in partnership with Cyber Security Malaysia (an agency under MOSTI). CSA is a news and content platform focusing on key issues in cybersecurity in the region. CSA is targeted to serve the needs of cybersecurity professionals, IT professionals, Risk professionals and C-Levels who have an obligation to understand the impact of cyber threats.
