
In total, 18,459 devices worldwide were affected by such attacks; most of them are located in Russia, USA, India, Ukraine, and Turkey.

“A trojanized version of the XWorm RAT builder has been weaponized and propagated, – CloudSEK specialists say. – It is targeted specially towards script kiddies who are new to cybersecurity and directly download and use tools mentioned in various tutorials thus showing that there is no honor among thieves”.
The malware has a ‘switch’ that has already been activated to uninstall it from infected computers. However, due to certain restrictions, many systems remain compromised.
The infected builder is propagated in a variety of ways, including GitHub repositories, file sharing platforms, Telegram channels, YouTube videos, and various websites. All these sources advertise XWorm RAT as a free hacker tool.
However, in reality, the builder contains malware that checks the Windows registry for Virtualization and stops working if the result is positive. If the host meets the infection criteria, the malware makes the required changes in the registry to gain a foothold in the system. Each infected PC is registered on the Telegram control server using a hardcoded identifier and a Telegram bot token.
Then the malware steals Discord tokens, system info, and location data (based on the IP address) from the unfortunate hacker’s computer and transmits them to the attackers’ server. After that, the malware waits for further commands from its operators.
Overall, the backdoor supports 56 commands, including:
/machine_id*browsers – grab browser data;
/machine_id*keylogger – get user keylogs;
/machine_id*desktop – grab a screenshot твы;
/machine_id*encrypt*
/machine_id*processkill*
/machine_id*upload*s
t work if the file is too big); and
/machine_id*uninstall – uninstall RAT from victim`s PC.

According to CloudSEK, the malware operators have stolen data from some 11% of infected devices: mostly, by taking screenshots and intercepting browser information.
CloudSEK specialists tried to destroy this botnet using hardcoded API tokens and its built-in ‘kill switch’ whose purpose is to remove the malware from infected devices. To do this, they sent the uninstall command to all known clients using IDs of infected machines extracted from Telegram logs. The researchers also brute-forced IDs from 1 to 9999 since the attackers could employ a simple numeric pattern.

This measure made it possible to remove the backdoor from many infected systems, but computers that were offline when the command was sent remained compromised. In addition, some malware uninstall commands could be lost in transit due to Telegram’s messaging restrictions.
CloudSEK experts emphasize that hackers hack other hackers on a regular basis. Therefore, you should never trust unsigned software, especially distributed by cybercriminals; while operations involving malware builders should be performed only in test and analytical environments.

2025.04.29 — FBI Offers 10 million USD for information on Salt Typhoon members
The FBI offers up to 10 million USD for information about members of the Chinese hacker group Salt Typhoon and last year's attack that had…
Full article →
2025.04.25 — Asus patches vulnerability in AMI's MegaRAC enabling attackers to brick servers
Asus released patches for the CVE-2024-54085 vulnerability that allows attackers to seize and disable servers. The security hole affects the American Megatrends International (AMI) MegaRAC Baseboard Management…
Full article →
2025.03.12 — Mass exploitation of PHP-CGI vulnerability in attacks targeting Japanese companies
GreyNoise and Cisco Talos experts warn that hackers are actively exploiting CVE-2024-4577, a critical PHP-CGI vulnerability that was discovered and fixed in early June 2024. CVE-2024-457…
Full article →
2025.02.17 — Dutch police seize 127 servers belonging to Zservers hosting provider
Following the introduction of international sanctions against Zservers, Russian 'bulletproof' hosting services provider, the Dutch National Police (Politie) shut down and seized 127 servers belonging to Zservers/XHost.…
Full article →
2025.03.26 — Cloudflare to block all unencrypted traffic to its APIs
According to Cloudflare, effective immediately, only secure HTTPS connections to api.cloudflare.com will be accepted; while all HTTP ports are to be closed. The purpose of this decision…
Full article →
2025.02.20 — Newly-discovered vulnerabilities in OpenSSH open the door to MiTM and DoS attacks
OpenSSH fixed two vulnerabilities that could result in MiTM and denial of service (DoS) attacks. Interestingly, one of these bugs appeared in the code more than 10…
Full article →
2025.04.15 — Hackers exploit authentication bypass bug in OttoKit WordPress plugin
Hackers exploit an authentication bypass vulnerability in the OttoKit (formerly SureTriggers) WordPress plugin used by more than 100,000 websites. First attacks were recorded just…
Full article →
2025.03.16 — Researchers force DeepSeek to write malware
According to Tenable, the AI chatbot DeepSeek R1 from China can be used to write malware (e.g. keyloggers and ransomware). DeepSeek was released in January 2025 and caused a stir…
Full article →
2025.01.24 — Hundreds of websites impersonating Reddit and WeTransfer spread Lumma Stealer
Sekoia researcher crep1x discovered that hackers are currently using some 1,000 pages impersonating Reddit and WeTransfer. Victims visiting these sites are tricked into…
Full article →
2025.04.12 — Hackers compromised a bureau within the U.S. Department of the Treasury and spent months in hacked systems
The Office of the Comptroller of the Currency (OCC), an independent bureau within the United States Department of the Treasury, reported a major cybersecurity incident. Unknown attackers had…
Full article →