Hacker Deceives 18,000 Script Kiddies with Fake Malware Builder

Blog post from SSOJet

Post Details
Company: SSOJet
Date Published:
Author: Victor Singh
Word Count: 589
Company Posts That Month: 24
Language: English
Hacker News Points: -
Summary

CloudSEK security researchers discovered a malware campaign in which a fake XWorm RAT builder infected 18,459 devices, primarily those of novice hackers, or "script kiddies," in countries such as Russia, the United States, India, Ukraine and Turkey. The malware, disguised as a tool for building remote access trojans, was distributed through GitHub, Telegram and YouTube, luring users into downloading it with the promise of free hacking tools. Once run, it checked whether it was inside a virtualized (analysis) environment and, if not, modified the Windows Registry for persistence, registered the infected system with a Telegram-based command-and-control channel, and exfiltrated data such as Discord tokens and system information. The RAT supports 56 commands, including stealing browser data, logging keystrokes, capturing the screen, encrypting files, and terminating processes, security software among them. CloudSEK researchers were able to disrupt the botnet because the Telegram API tokens were hard-coded in the malware: using those tokens and a kill switch that uninstalled the malware, they removed it from many infected devices, though some remained compromised because they were offline during the operation or because Telegram rate-limited the commands. The incident highlights the risk of running unsigned software from untrusted sources, and the post argues for security measures such as Single Sign-On (SSO) and Multi-Factor Authentication (MFA) to protect organizational data.
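The disruption described above was possible because the bot token that authenticates to Telegram's Bot API was embedded in the malware itself, so anyone who recovers it from a sample can address the same C2 channel. As an added example (not CloudSEK's tooling and not code from the SSOJet post), the following Python pulls hard-coded Telegram bot tokens and the associated chat IDs out of a strings dump of a sample. The token shape ("<numeric bot id>:<35-character secret>") and the `https://api.telegram.org/bot<token>/<method>` URL form are Telegram's documented conventions; the sample blob, the token and the chat ID are constructed for the example and do not come from any real sample.

```python
import re

# Telegram bot tokens are "<numeric bot id>:<35-character secret>", where the
# secret alphabet is [A-Za-z0-9_-]. Deliberately no \b anchors: in a sample the
# token usually sits directly after ".../bot" in the API URL, so a word boundary
# before the digits would never match.
TELEGRAM_TOKEN_RE = re.compile(
    rb"(?<![0-9])([0-9]{8,10}):([A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])"
)
# The destination chat normally travels as a query parameter; group and channel
# ids are negative.
CHAT_ID_RE = re.compile(rb"chat_id=(-?[0-9]{5,15})")

# Constructed stand-in for `strings` output from a builder binary. The token
# and chat id are invented for this example and belong to no real bot.
SAMPLE_BLOB = (
    b"\x00kernel32.dll\x00GetTickCount\x00"
    b"https://api.telegram.org/bot1234567890:AAEfakeFAKEfakeFAKEfakeFAKEfakeFAK1"
    b"/sendMessage?chat_id=-1001234567890&text=online\x00"
    b"SELECT * FROM logins\x00"
)


def extract_telegram_c2(blob: bytes, window: int = 256) -> list[dict]:
    """Return every hard-coded Telegram bot token in blob, paired with the first
    chat_id that appears within `window` bytes after it (or None)."""
    findings = []
    for m in TELEGRAM_TOKEN_RE.finditer(blob):
        bot_id = m.group(1).decode()
        token = f"{bot_id}:{m.group(2).decode()}"
        # Search only the bytes following the token so a chat_id from an
        # unrelated string elsewhere in the binary is not attributed to it.
        chat = CHAT_ID_RE.search(blob, m.end(), m.end() + window)
        findings.append({
            "offset": m.start(),
            "bot_id": bot_id,
            "token": token,
            "chat_id": chat.group(1).decode() if chat else None,
        })
    return findings


def bot_api_url(token: str, method: str) -> str:
    """Bot API endpoint for a recovered token. This is the same endpoint the
    operator's malware uses, which is why a leaked token hands control of the
    channel to whoever holds it (getMe, getUpdates, sendMessage, ...)."""
    return f"https://api.telegram.org/bot{token}/{method}"


def redact_token(token: str) -> str:
    """Keep the bot id (a usable IOC) but mask the secret for write-ups."""
    bot_id, secret = token.split(":", 1)
    return f"{bot_id}:{secret[:4]}{'*' * (len(secret) - 4)}"


if __name__ == "__main__":
    for hit in extract_telegram_c2(SAMPLE_BLOB):
        print(f"offset={hit['offset']} bot_id={hit['bot_id']} "
              f"chat_id={hit['chat_id']} token={redact_token(hit['token'])}")
        print("  getMe ->", bot_api_url(hit["token"], "getMe"))
```

Run it against `strings -a sample.exe | python3 -` style input (or read the binary directly; the regexes work on raw bytes). The block only builds the API URL and never contacts Telegram; whether to actually query `getMe` or `getUpdates` with a recovered token is a legal and ethical decision for the responder, and rate limiting on the Bot API is one reason a takedown driven through it, like the one in the post, leaves stragglers.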
