A Sophisticated Attack Campaign Against Novice Hackers: The XWorm Remote Access Trojan
2025-1-27 12:16:20 Author: cybersecuritynews.com

Threat Actors Weaponized XWorm RAT Builder To Attack Script Kiddies

Cybersecurity researchers at CloudSEK have recently uncovered a sophisticated attack campaign targeting aspiring hackers, commonly known as “script kiddies.”

The operation involves a trojanized version of the XWorm Remote Access Trojan (RAT) builder, which has been weaponized and propagated through various online channels.

The malicious XWorm RAT builder was distributed primarily through GitHub repositories, but also via file-sharing services, Telegram channels, YouTube videos, and hacking forums.

Infected device (Source – CloudSEK)

Researchers noted that these platforms advertised the tool as a free version of the XWorm RAT, appealing to inexperienced cybercriminals looking for readily available hacking tools.


The Attack Vector & Infection

Once the trojanized builder is executed, it infects the user’s own system with XWorm. The RAT can perform a wide range of malicious activities, including:

  • Exfiltrating sensitive data such as browser credentials, Discord tokens, and Telegram data
  • Capturing screenshots and keystrokes
  • Executing remote commands
  • Modifying the Windows Registry for persistence
  • Launching DDoS attacks
  • Encrypting files for ransomware operations

The malware also employs evasion techniques, including checks for virtualization, so that it can avoid running and being detected inside sandboxed analysis environments.

XWorm uses Telegram as its command-and-control (C2) channel. Each infected system registers with the operator’s Telegram bot using a bot ID and token that are hardcoded in the sample.

Commands are issued and stolen data is exfiltrated through ordinary Telegram Bot API calls, so the C2 traffic travels over HTTPS to Telegram’s own servers alongside legitimate Telegram usage.

The campaign has successfully compromised over 18,459 devices globally, with the highest number of infections reported in Russia, the United States, India, Ukraine, and Turkey.

Country wise breakdown of the victims of the malware (Source – CloudSEK)

Researchers found that the malware has exfiltrated more than 1 GB of browser credentials from multiple devices.

CloudSEK researchers identified a “kill switch” feature within the malware, which they leveraged to disrupt operations on active devices. Complete eradication was not possible, however: machines that were offline could not receive the command, and Telegram’s rate limiting slowed its delivery to the rest.

Telegram channel milleniumrat (Source – CloudSEK)

The operation has been linked to a threat actor using aliases like “@shinyenigma” and “@milleniumrat.” Associated GitHub accounts and a ProtonMail address have also been identified in connection with the campaign.

Security experts advise against downloading and executing unsigned software, especially software promoted as free hacking tools.

Organizations and individuals should implement robust endpoint detection and response (EDR) solutions, monitor network traffic for suspicious Telegram API calls, and keep systems updated.
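As an added example (not code from CloudSEK or from this article), the following Python script shows the kind of check that the C2 description above and the “monitor network traffic for suspicious Telegram API calls” recommendation imply. It scans proxy log lines for Telegram Bot API URLs, extracts the bot ID that the hardcoded token exposes on every request, and then flags bot IDs contacted from more than one internal host, which is the fan-out pattern of one hardcoded token shared by many infected machines. The log format, IP addresses, and bot tokens are constructed for this example; only the URL shape `api.telegram.org/bot<ID>:<token>/<method>` is Telegram’s real Bot API convention.

```python
import re
from collections import defaultdict

# Telegram Bot API requests have the form
#   https://api.telegram.org/bot<ID>:<SECRET>/<method>
# where <ID> is the numeric bot ID and <SECRET> is the token part issued by BotFather.
# A sample that hardcodes the token exposes both on every request it makes.
BOT_URL_RE = re.compile(
    r"^https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)"
)

# Methods a victim-side implant needs: register, poll for commands, push stolen data.
IMPLANT_METHODS = {"sendMessage", "sendDocument", "sendPhoto", "getUpdates"}


def parse_proxy_line(line):
    """Parse one line of the constructed proxy log format (an assumption of this example):
    '<timestamp> <client_ip> <http_method> <url> <status>'. Returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, http_method, url, status = parts
    return {"ts": ts, "client": client, "http_method": http_method, "url": url, "status": status}


def classify_url(url):
    """Return {'bot_id', 'secret', 'method'} if the URL is a Bot API call, else None."""
    m = BOT_URL_RE.match(url)
    return m.groupdict() if m else None


def find_bot_api_clients(log_lines):
    """Map client_ip -> {bot_id: sorted list of implant-style methods it called}."""
    hits = defaultdict(lambda: defaultdict(set))
    for line in log_lines:
        rec = parse_proxy_line(line)
        if rec is None:
            continue
        call = classify_url(rec["url"])
        if call and call["method"] in IMPLANT_METHODS:
            hits[rec["client"]][call["bot_id"]].add(call["method"])
    return {c: {b: sorted(m) for b, m in bots.items()} for c, bots in hits.items()}


def shared_bots(hits):
    """Bot IDs contacted from more than one client: one hardcoded token, many victims."""
    owners = defaultdict(set)
    for client, bots in hits.items():
        for bot_id in bots:
            owners[bot_id].add(client)
    return {b: sorted(cs) for b, cs in owners.items() if len(cs) > 1}


# Constructed sample log lines; the IPs and bot tokens are made up for this example.
SAMPLE_LOG = [
    "2025-01-27T10:01:02Z 10.0.0.12 POST https://api.telegram.org/bot1234567890:AAEfakeTokenForExample_Abc123/sendMessage 200",
    "2025-01-27T10:01:05Z 10.0.0.12 GET https://api.telegram.org/bot1234567890:AAEfakeTokenForExample_Abc123/getUpdates 200",
    "2025-01-27T10:02:10Z 10.0.0.34 POST https://api.telegram.org/bot1234567890:AAEfakeTokenForExample_Abc123/sendDocument 200",
    "2025-01-27T10:03:00Z 10.0.0.56 GET https://web.telegram.org/a/ 200",
    "2025-01-27T10:04:00Z 10.0.0.78 POST https://api.telegram.org/bot9876543210:BBFfakeTokenForCorpBot_Xyz789/sendMessage 200",
]

if __name__ == "__main__":
    hits = find_bot_api_clients(SAMPLE_LOG)
    for client, bots in sorted(hits.items()):
        print(client, bots)
    print("bot IDs shared across hosts:", shared_bots(hits))
```

Two caveats when applying this in practice. The Bot API path, and therefore the bot ID and token, is only visible where TLS is terminated (a decrypting proxy) or on the endpoint itself; on the wire you see only DNS and SNI for api.telegram.org, which legitimate Telegram clients and corporate bots also produce, so triage on the fan-out across hosts and on the method mix rather than on the domain alone. The token captured from such logs is a live credential for the operator’s bot; handle it as sensitive data and do not paste it into tickets or chat.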


Source: https://cybersecuritynews.com/threat-actors-weaponized-xworm-rat-builder/