18,000 script kiddies infected with a backdoor via a trojanized XWorm RAT builder

📟 News

Date: 25/01/2025

According to CloudSEK analysts, attackers are targeting novice hackers with a trojanized malware builder. Script kiddies' systems become infected with a backdoor that steals data and then hands the attackers control over their computers.

In total, 18,459 devices worldwide were affected; most of them are located in Russia, the USA, India, Ukraine, and Turkey.

“A trojanized version of the XWorm RAT builder has been weaponized and propagated,” CloudSEK specialists say. “It is targeted specially towards script kiddies who are new to cybersecurity and directly download and use tools mentioned in various tutorials, thus showing that there is no honor among thieves.”

The malware has a built-in 'kill switch' (an uninstall command) that has already been triggered to remove it from infected computers. However, because some hosts were offline at the time and Telegram restricts how many messages a bot can send, many systems remain compromised.

The trojanized builder is distributed through a variety of channels, including GitHub repositories, file-sharing platforms, Telegram channels, YouTube videos, and assorted websites, all of which advertise XWorm RAT as a free hacking tool.

In reality, the builder carries a backdoor that first checks the Windows registry for signs of a virtualized environment and exits if it finds any, so that it does not run inside an analyst's sandbox. If the host passes that check, the malware adds the registry entries it needs to persist on the system. Each infected PC then registers with the operators' Telegram-based command-and-control channel using a hardcoded identifier and a hardcoded Telegram bot token.

The malware then steals Discord tokens, system information, and IP-based geolocation data from the unlucky hacker's computer, sends them to the attackers, and waits for further commands from its operators.
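The hardcoded bot token is the defender's best handle on this channel: every implant talks to api.telegram.org with the same token in the URL path, so one token showing up from several unrelated workstations is a botnet, not somebody's chat bot. The following hunting script is an added example (it is not CloudSEK's code nor anything from the builder). It assumes a CSV-like outbound proxy log with "timestamp,source,host,path" fields (the path is only visible where TLS is inspected) and a token shaped like "<bot id digits>:<35 url-safe characters>" sent as /bot<token>/<method>; the log lines are constructed for the example.

```python
"""Hunting for Telegram Bot API beacons in outbound web-proxy logs.

Added example, not code from CloudSEK or from the builder. Assumptions:
a CSV-like proxy log with "timestamp,source,host,path" fields (the path
is only visible if TLS is inspected), and a bot token shaped like
"<bot id digits>:<35 url-safe characters>" sent as /bot<token>/<method>.
The log lines below are constructed for the example.
"""
import re
from collections import defaultdict

SAMPLE_PROXY_LOG = """\
2025-01-20T10:01:03Z,10.0.5.17,api.telegram.org,/bot7123456789:AAHxK9bq_2Zq7cM0sT1uVwXyZ1234567890/sendMessage
2025-01-20T10:01:05Z,10.0.5.17,api.telegram.org,/bot7123456789:AAHxK9bq_2Zq7cM0sT1uVwXyZ1234567890/getUpdates
2025-01-20T10:02:11Z,10.0.5.42,github.com,/someuser/XWorm-RAT-builder/archive/main.zip
2025-01-20T10:03:40Z,10.0.5.42,api.telegram.org,/bot7123456789:AAHxK9bq_2Zq7cM0sT1uVwXyZ1234567890/sendDocument
2025-01-20T10:04:00Z,10.0.5.9,api.telegram.org,/bot5550001111:BBBbbbCCCcccDDDdddEEEeeeFFFfffGGGgg/sendMessage
2025-01-20T10:05:00Z,10.0.5.9,www.example.com,/index.html
"""

# Assumed token shape (assumption, not taken from the article).
TOKEN_RE = re.compile(r"/bot(?P<token>\d{6,12}:[A-Za-z0-9_-]{35})/(?P<method>[A-Za-z]+)")


def parse_proxy_log(text):
    """Yield (timestamp, source, host, path) tuples; skip blank or short lines."""
    for line in text.splitlines():
        parts = line.strip().split(",", 3)
        if len(parts) == 4:
            yield tuple(parts)


def find_bot_beacons(text, allowed_sources=frozenset()):
    """Group Bot API calls by token and report which internal hosts use it.

    Sources that legitimately run a Telegram bot can be allow-listed.
    Results are sorted by the number of distinct sources, then by token,
    so a token reused across many hosts floats to the top.
    """
    by_token = defaultdict(lambda: {"sources": set(), "methods": set(), "calls": 0})
    for _ts, src, host, path in parse_proxy_log(text):
        if host != "api.telegram.org" or src in allowed_sources:
            continue
        match = TOKEN_RE.search(path)
        if not match:
            continue
        rec = by_token[match["token"]]
        rec["sources"].add(src)
        rec["methods"].add(match["method"])
        rec["calls"] += 1

    report = [
        {
            "token": token,
            "bot_id": token.split(":", 1)[0],
            "sources": sorted(rec["sources"]),
            "methods": sorted(rec["methods"]),
            "calls": rec["calls"],
        }
        for token, rec in by_token.items()
    ]
    report.sort(key=lambda r: (-len(r["sources"]), r["token"]))
    return report


if __name__ == "__main__":
    for hit in find_bot_beacons(SAMPLE_PROXY_LOG):
        print(f"bot {hit['bot_id']}: {len(hit['sources'])} host(s) "
              f"{hit['sources']} calling {hit['methods']}")
```

On the constructed sample the first token is used from two internal hosts (one of which also fetched a "builder" archive from GitHub minutes earlier) and is reported first. Without TLS inspection only the SNI/hostname is visible, in which case the weaker but still useful rule is to alert on any endpoint contacting api.telegram.org where no Telegram client is expected. A token extracted this way is also exactly what the article's takedown relies on, since it is what lets anyone post commands as the bot.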

In total, the backdoor supports 56 commands, including:

/machine_id*browsers – grab browser data;
/machine_id*keylogger – get user keylogs;
/machine_id*desktop – grab a screenshot of the desktop;
/machine_id*encrypt* – encrypt user files with a given password (must be remembered for decryption);
/machine_id*processkill* – kill a process by name (without the .exe suffix);
/machine_id*upload* – grab a file from the victim's PC (won't work if the file is too big); and
/machine_id*uninstall – uninstall the RAT from the victim's PC.

Screenshot taken by the malware

According to CloudSEK, the operators have already exfiltrated data from roughly 11% of infected devices, mostly screenshots and browser data.

CloudSEK tried to dismantle the botnet using the hardcoded Telegram bot token and the backdoor's built-in 'kill switch', the uninstall command that removes the malware from an infected host. They sent the uninstall command to every known client, using the machine IDs extracted from the Telegram logs. Because the attackers might assign IDs following a simple numeric pattern, the researchers also iterated through IDs from 1 to 9999.

Uninstall command

This removed the backdoor from many infected systems, but machines that were offline when the command was sent remain compromised. In addition, some uninstall commands may have been lost in transit because of Telegram's restrictions on how fast a bot may send messages.
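The two failure modes above (offline clients and messages dropped by Telegram's sending limits) are worth seeing in code. The script below is an added example of the takedown procedure the article describes, not CloudSEK's own script. It assumes that the bot token and the C2 chat ID were recovered from the sample, that a command is a plain message of the form "/<machine_id>*uninstall" posted with the Bot API sendMessage method, and that the API answers HTTP 429 with a JSON "parameters.retry_after" value when a bot sends too fast; the transport is injected so that the constructed FakeTelegram class can stand in for api.telegram.org offline.

```python
"""Broadcasting the backdoor's own uninstall command through the hijacked
Telegram bot, as in the takedown the article describes.

Added example, not CloudSEK's script. Assumptions: the bot token and the
C2 chat ID were recovered from the sample; a command is a plain message
"/<machine_id>*uninstall" posted with the Bot API sendMessage method;
the API answers HTTP 429 with a JSON "parameters.retry_after" value when
a bot sends too fast. The transport is injected, so the constructed
FakeTelegram below stands in for api.telegram.org when run offline.
"""
import json
import time
import urllib.error
import urllib.request


def uninstall_command(machine_id):
    """Command text for one client, in the format of the command list above."""
    return f"/{machine_id}*uninstall"


def build_targets(extracted_ids, brute_range=range(1, 10000)):
    """IDs seen in the Telegram logs first, then the numeric sweep 1..9999,
    de-duplicated while preserving order (all IDs are handled as strings)."""
    seen, targets = set(), []
    for mid in list(extracted_ids) + [str(n) for n in brute_range]:
        mid = str(mid)
        if mid not in seen:
            seen.add(mid)
            targets.append(mid)
    return targets


def http_post(url, payload):
    """Real transport (stdlib only): POST JSON, return (status, parsed body)."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(), headers={"Content-Type": "application/json"}
    )
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        body = err.read()
        return err.code, json.loads(body) if body else {}


def broadcast_uninstall(post, token, chat_id, machine_ids, sleep=time.sleep, max_retries=5):
    """Send the uninstall command for every ID, honouring 429 backoff instead
    of letting throttled messages drop. Returns (sent_ids, failed_ids)."""
    url = f"https://api.telegram.org/bot{token}/sendMessage"
    sent, failed = [], []
    for mid in machine_ids:
        payload = {"chat_id": chat_id, "text": uninstall_command(mid)}
        for _attempt in range(max_retries):
            status, body = post(url, payload)
            if status == 200:
                sent.append(mid)
                break
            if status == 429:  # throttled: wait as long as Telegram asks, then retry
                sleep(body.get("parameters", {}).get("retry_after", 1))
                continue
            failed.append(mid)  # any other error is final for this ID
            break
        else:
            failed.append(mid)  # still throttled after max_retries
    return sent, failed


class FakeTelegram:
    """Constructed stand-in for the Bot API: answers every `burst`-th request
    with a 429 and rejects the IDs in `reject` with a 400."""

    def __init__(self, burst=4, reject=()):
        self.burst, self.reject = burst, set(reject)
        self.calls, self.delivered, self.slept = 0, [], []

    def post(self, url, payload):
        self.calls += 1
        if self.calls % self.burst == 0:
            return 429, {"ok": False, "parameters": {"retry_after": 2}}
        mid = payload["text"].lstrip("/").split("*", 1)[0]
        if mid in self.reject:
            return 400, {"ok": False, "description": "Bad Request"}
        self.delivered.append(payload["text"])
        return 200, {"ok": True}

    def sleep(self, seconds):
        self.slept.append(seconds)


def simulate_takedown():
    """Run the broadcast against FakeTelegram with a small ID space."""
    fake = FakeTelegram(burst=4, reject={"3"})
    targets = build_targets(["a1b2", "7", "a1b2"], brute_range=range(1, 9))
    sent, failed = broadcast_uninstall(fake.post, "000:fake-token", -1001, targets, sleep=fake.sleep)
    return {"targets": targets, "sent": sent, "failed": failed,
            "calls": fake.calls, "slept": fake.slept, "delivered": fake.delivered}


if __name__ == "__main__":
    print(simulate_takedown())
```

A real run is `broadcast_uninstall(http_post, token, chat_id, build_targets(ids_from_logs))`; with the 1..9999 sweep that is roughly ten thousand messages, so under Telegram's per-bot sending limits the loop takes a long time and a fire-and-forget sender that ignores 429 is exactly how commands get lost in transit. Retrying fixes that failure mode but not the other one: a client that is offline while the command sits in the chat never executes it, which is why the article's cleanup was incomplete. Sending commands to machines you do not own is also something that needs explicit authorization, whatever the intent.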

CloudSEK stresses that hackers hacking other hackers is routine. Never trust unsigned software, least of all tools distributed by cybercriminals, and handle malware builders only inside isolated test and analysis environments.
