Hacker infects 18,000 "script kiddies" with fake malware builder
A threat actor targeted low-skilled hackers, known as "script kiddies," with a fake malware builder that secretly infected them with a backdoor to steal data and take over computers.
Security researchers at CloudSEK report that the malware infected 18,459 devices globally, most located in Russia, the United States, India, Ukraine, and Turkey.
"A trojanized version of the XWorm RAT builder has been weaponized and propagated," reads the CloudSEK report.
"It is targeted specially towards script kiddies who are new to cybersecurity and directly download and use tools mentioned in various tutorials thus showing that there is no honour among thieves."
CloudSEK has found the malware included a kill switch that was activated to uninstall the malware from many of the infected machines, but due to practical limitations, some remain compromised.

Fake RAT builder installs malware
The researchers say they recently discovered a Trojanized XWorm RAT builder being distributed through various channels, including GitHub repositories, file hosting platforms, Telegram channels, YouTube videos, and websites.
These sources promoted the RAT builder, stating it would allow other threat actors to utilize the malware without having to pay for it.
However, instead of being an actual builder for the XWorm RAT, it infected the threat actor's devices with the malware.
Once a machine is infected, the XWorm malware checks the Windows Registry for signs it is running on a virtualized environment and stops if the results are positive.
If the host qualifies for infection, the malware performs the required Registry modifications to ensure persistence between system boots.
Every infected system is registered to a Telegram-based command and control (C2) server using a hardcoded Telegram bot ID and token.
The malware also automatically steals Discord tokens, system information, and location data (from IP address), and exfiltrates it to the C2 server. Then, it waits for commands from the operators.
Out of the 56 commands supported in total, the following are particularly dangerous:
- /machine_id*browsers – Steal saved passwords, cookies, and autofill data from web browsers
- /machine_id*keylogger – Record everything the victim types on their computer
- /machine_id*desktop – Capture the victim's active screen
- /machine_id*encrypt*<password> – Encrypt all files on the system using a provided password
- /machine_id*processkill*<process> – Terminate specific running processes, including security software
- /machine_id*upload*<file> – Exfiltrate specific files from the infected system
- /machine_id*uninstall – Remove the malware from the device
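The command format CloudSEK describes ("/machine_id*action" with an optional "*argument") is simple enough to triage mechanically. The following Python is an added example, not code from the CloudSEK report or from XWorm: it parses command strings of that shape (for instance, from recovered Telegram bot logs) and labels the actions the article singles out as particularly dangerous, so an analyst can quickly see which infected machine IDs received credential-theft, encryption or exfiltration commands. The regex, the severity table and the sample log lines are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Command shape as described in the write-up: "/<machine_id>*<action>[*<argument>]".
# The pattern itself is an assumption of this example, not taken from XWorm.
COMMAND_RE = re.compile(
    r"^/(?P<machine_id>[^*\s]+)\*(?P<action>[A-Za-z_]+)(?:\*(?P<arg>.*))?$"
)

# Actions the article lists as particularly dangerous, with a short note for triage.
HIGH_RISK = {
    "browsers": "credential theft (saved passwords, cookies, autofill)",
    "keylogger": "keystroke capture",
    "desktop": "screen capture",
    "encrypt": "file encryption with an operator-supplied password",
    "processkill": "process termination, including security software",
    "upload": "file exfiltration",
}


@dataclass
class C2Command:
    machine_id: str
    action: str
    argument: Optional[str]
    severity: str  # "high", "medium" or "info"
    note: str


def parse_command(line: str) -> Optional[C2Command]:
    """Parse one command line; return None for anything that is not a command."""
    m = COMMAND_RE.match(line.strip())
    if not m:
        return None
    action = m.group("action").lower()
    if action in HIGH_RISK:
        severity, note = "high", HIGH_RISK[action]
    elif action == "uninstall":
        severity, note = "info", "kill switch: removes the implant from the host"
    else:
        severity, note = "medium", "action not in the high-risk list"
    return C2Command(m.group("machine_id"), action, m.group("arg"), severity, note)


def triage(lines):
    """Parse every line, drop non-commands, return (commands, counts by severity)."""
    commands = [c for c in (parse_command(ln) for ln in lines) if c is not None]
    counts = {}
    for c in commands:
        counts[c.severity] = counts.get(c.severity, 0) + 1
    return commands, counts


# Constructed sample log for the example; machine IDs, paths and names are made up.
SAMPLE_LOG = [
    "/1001*browsers",
    "/1001*keylogger",
    "/1002*desktop",
    "/1002*encrypt*s3cr3t",
    "/1003*processkill*example_av_agent.exe",
    "/1003*upload*C:\\Users\\victim\\Documents\\notes.txt",
    "/1004*uninstall",
    "/1004*uptime",
    "hello from operator",  # free-form chatter, not a command
]

if __name__ == "__main__":
    commands, counts = triage(SAMPLE_LOG)
    for c in commands:
        print(f"[{c.severity:6}] machine {c.machine_id}: {c.action} {c.argument or ''} ({c.note})")
    print("summary:", counts)
```

Run over the constructed log, the script flags six high-risk commands across three machine IDs, one kill-switch message and one unlisted action, and ignores the non-command line; pointing `triage` at real recovered bot messages would give an analyst the same per-host view.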
CloudSEK found that the malware operators had exfiltrated data from roughly 11% of the infected devices, mostly taking screenshots of infected devices, as shown below, and stealing browser data.

Disrupting with the kill switch
The CloudSEK researchers disrupted the botnet by utilizing hard-coded API tokens and a built-in kill switch to uninstall the malware from infected devices.
To do this, they sent a mass uninstall command to all listening clients, looping through all known machine IDs they had previously extracted from Telegram logs. They also brute-forced machine IDs from 1 to 9999, assuming a simple numeric pattern.

Although this caused the malware to be removed from many of the infected machines, those not online when the command was issued remain compromised.
Also, Telegram subjects messages to rate limiting, so some of the uninstall commands may have been lost in transit.
Hackers hacking other hackers is a common scenario in the wild.
The takeaway from CloudSEK's findings is never to trust unsigned software, especially software distributed by other cybercriminals, and to run malware builders only in isolated testing and analysis environments.