
In total, 18,459 devices worldwide were affected by such attacks; most of them are located in Russia, USA, India, Ukraine, and Turkey.

“A trojanized version of the XWorm RAT builder has been weaponized and propagated, – CloudSEK specialists say. – It is targeted specially towards script kiddies who are new to cybersecurity and directly download and use tools mentioned in various tutorials thus showing that there is no honor among thieves”.
The malware has a ‘switch’ that has already been activated to uninstall it from infected computers. However, due to certain restrictions, many systems remain compromised.
The infected builder is propagated in a variety of ways, including GitHub repositories, file sharing platforms, Telegram channels, YouTube videos, and various websites. All these sources advertise XWorm RAT as a free hacker tool.
However, in reality, the builder contains malware that checks the Windows registry for Virtualization and stops working if the result is positive. If the host meets the infection criteria, the malware makes the required changes in the registry to gain a foothold in the system. Each infected PC is registered on the Telegram control server using a hardcoded identifier and a Telegram bot token.
Then the malware steals Discord tokens, system info, and location data (based on the IP address) from the unfortunate hacker’s computer and transmits them to the attackers’ server. After that, the malware waits for further commands from its operators.
Overall, the backdoor supports 56 commands, including:
/machine_id*browsers – grab browser data;
/machine_id*keylogger – get user keylogs;
/machine_id*desktop – grab a screenshot твы;
/machine_id*encrypt*
/machine_id*processkill*
/machine_id*upload*s
t work if the file is too big); and
/machine_id*uninstall – uninstall RAT from victim`s PC.

According to CloudSEK, the malware operators have stolen data from some 11% of infected devices: mostly, by taking screenshots and intercepting browser information.
CloudSEK specialists tried to destroy this botnet using hardcoded API tokens and its built-in ‘kill switch’ whose purpose is to remove the malware from infected devices. To do this, they sent the uninstall command to all known clients using IDs of infected machines extracted from Telegram logs. The researchers also brute-forced IDs from 1 to 9999 since the attackers could employ a simple numeric pattern.

This measure made it possible to remove the backdoor from many infected systems, but computers that were offline when the command was sent remained compromised. In addition, some malware uninstall commands could be lost in transit due to Telegram’s messaging restrictions.
CloudSEK experts emphasize that hackers hack other hackers on a regular basis. Therefore, you should never trust unsigned software, especially distributed by cybercriminals; while operations involving malware builders should be performed only in test and analytical environments.

2025.01.23 — Fake Telegram CAPTCHA forces users to run malicious PowerShell scripts
Hackers used the news of Ross Ulbricht pardoning to lure users to a rogue Telegram channel where they are tricked into running malicious PowerShell code. This…
Full article →
2025.04.30 — Coinbase fixes 2FA bug that made customers panic
Cryptocurrency exchange Coinbase has fixed a bug in its Account Activity logs that caused customers to think their credentials were compromised. Earlier this month, BleepingComputer…
Full article →
2025.01.27 — Zyxel firewalls reboot due to flawed update
Zyxel warned its customers that a recent signature update may cause critical errors in USG FLEX and ATP series firewalls. As a result, devices go into…
Full article →
2025.04.08 — Website of Everest ransomware group hacked and defaced
Last weekend, the darknet website of the Everest ransomware group was hacked and went offline. The attackers replaced its content with a sarcastic message: "Don't do crime…
Full article →
2025.03.28 — Zero-day vulnerability in Windows results in NTLM hash leaks
Security experts reported a new zero-day vulnerability in Windows that enables remote attackers to steal NTLM credentials by tricking victims into viewing malicious files in Windows…
Full article →
2025.01.30 — Hackers use vulnerabilities in SimpleHelp RMM to attack corporate networks
Experts believe that recently patched vulnerabilities in SimpleHelp Remote Monitoring and Management (RMM) were used by attackers to gain initial access to corporate networks. A number…
Full article →
2025.04.10 — April updates released by Microsoft cause issues with Windows Hello
Microsoft warns that some Windows users who have installed the April updates might be unable to login to their Windows services using Windows Hello facial recognition…
Full article →
2025.01.24 — Hundreds of websites impersonating Reddit and WeTransfer spread Lumma Stealer
Sekoia researcher crep1x discovered that hackers are currently using some 1,000 pages impersonating Reddit and WeTransfer. Victims visiting these sites are tricked into…
Full article →
2025.04.07 — Critical RCE vulnerability discovered in Apache Parquet
All versions of Apache Parquet up to and including 1.15.0 are affected by a critical remote code execution (RCE) vulnerability whose CVSS score is 10 out…
Full article →
2025.02.21 — Microsoft fixes vulnerability in Power Pages exploited by cybercriminals
Microsoft patched a severe privilege escalation vulnerability in Power Pages used by hackers as a 0-day. The vulnerability tracked as CVE-2025-24989 (CVSS score 8.2) pertains…
Full article →