Cybersecurity researchers have spotted a Trojanized version of the XWorm Remote Access Trojan (RAT) builder that specifically targets script kiddies.
Distributed primarily via a GitHub repository and file-sharing services, the malware has infiltrated over 18,000 devices globally. Once inside, it exfiltrates sensitive data, stealing browser credentials, Discord tokens, Telegram data, and system information from compromised machines.
According to security researchers at CloudSEK, the malicious code has been particularly effective at gaining control over infected systems, enabling threat actors to issue a range of commands to remotely control the devices. The commands include sophisticated actions such as registry modifications, virtualization checks, and a host of other powerful functions that allow for complete system takeovers.
The malware, which has so far targeted devices in countries like Russia, the United States, India, Ukraine, and Turkey, operates like a botnet. It listens for commands sent via the Telegram API, receiving instructions directly from the attackers.
Of the 18,459 devices compromised, around 2,068 machines have had their browser credentials stolen, the researchers noted.
CloudSEK also discovered a “kill switch” feature embedded within the malware. This kill switch is activated through specific messages sent via Telegram, allowing the threat actors to halt the malware's operations or remove it from infected machines. The /uninstall command, which had been previously used by the attackers, works by removing the malware from a compromised system using its unique machine ID. The researchers said they used this kill switch to disrupt the botnet infrastructure.