Hacker Deceives 18,000 Script Kiddies with Fake Malware Builder
Blog post from SSOJet
CloudSEK security researchers uncovered a campaign in which a trojanized XWorm RAT builder infected 18,459 devices, most of them belonging to novice hackers, or "script kiddies," in countries such as Russia, the United States, India, Ukraine, and Turkey. The builder was advertised as a free tool for generating remote access trojans and was spread through GitHub repositories, Telegram channels, and YouTube videos, so its victims were people who downloaded it expecting to get hacking tools for nothing.

Once run, the malware first checked the Windows Registry for signs of a virtualized or sandboxed environment and stopped if it found one. On a real host it wrote registry entries for persistence, registered the victim with a command-and-control channel built on Telegram's bot API, and exfiltrated system information and Discord tokens. The implant accepts 56 operator commands, including stealing browser data, logging keystrokes, capturing the screen, encrypting files, and killing processes, security software among them.

Because the Telegram bot API tokens were hard-coded into the samples, CloudSEK was able to use them, together with the malware's own uninstall command, as a kill switch and remove the implant from a large share of the infected machines. Some hosts stayed compromised because they were offline during the operation or because Telegram rate-limited the uninstall messages. The incident illustrates the risk of running unsigned software from untrusted sources; for organizations, it is also a reminder to reduce the value of stolen credentials and session tokens with controls such as Single Sign-On (SSO) and Multi-Factor Authentication (MFA).