Cybersecurity firm CloudSEK has uncovered a sophisticated cyber-attack campaign targeting amateur hackers through a compromised version of the XWorm RAT builder. The operation has successfully infected over 18,459 devices across multiple countries, with the highest concentration of victims in Russia, the United States, India, Ukraine, and Turkey.
Distribution Strategy and Infection Mechanics
The threat actors have employed a multi-channel distribution approach, leveraging popular platforms including GitHub repositories, file-sharing services, Telegram channels, and YouTube. The malicious builder was marketed as a free alternative to its paid counterpart, specifically targeting inexperienced hackers known as “script kiddies” who frequently seek free hacking tools.
Advanced Technical Capabilities
The modified XWorm RAT builder incorporates sophisticated anti-detection mechanisms and persistence techniques. Upon execution, the malware performs environment checks to detect virtual machines and, following successful system verification, establishes persistence through Windows Registry modifications. Each compromised system is automatically registered with the command-and-control server via Telegram using pre-configured identifiers.
Comprehensive Malware Functionality
The backdoor implementation supports an extensive set of 56 distinct commands, enabling comprehensive system compromise. Its capabilities include the theft of Discord tokens, system information extraction, and geolocation data collection. CloudSEK’s analysis reveals that the malware operators have successfully exfiltrated data from approximately 11% of infected systems, primarily focusing on screen capture and browser data theft.
Mitigation Efforts and Challenges
CloudSEK researchers initiated containment measures by attempting to deactivate the malicious network through the malware’s built-in removal mechanism and systematic enumeration of known infected device identifiers. Despite partial success in disruption efforts, a significant number of systems remain compromised due to technical limitations and Telegram’s operational characteristics.
This incident represents a growing trend in “hacker-on-hacker” attacks within the cybercrime ecosystem, highlighting the critical importance of fundamental security practices. Security professionals emphasize the necessity of thorough validation of security tools and stress the importance of conducting testing exclusively within isolated environments. The campaign serves as a stark reminder that even those attempting to breach systems can become victims themselves, underscoring the perpetual nature of cyber threats and the importance of maintaining robust security practices regardless of technical expertise.
