In a recent cybersecurity breach, a modified version of the XWorm Remote Access Trojan (RAT) builder has been weaponized and used to target inexperienced cybersecurity enthusiasts, resulting in the compromise of over 18,000 devices worldwide.
Propagated primarily through GitHub, Telegram channels, and file-sharing platforms, the trojanized RAT builder has stolen sensitive data spanning browser credentials, system information, and tokens from applications like Discord and Telegram, while also granting attackers absolute control over infected systems.
Sophisticated Malware Delivery
The trojanized XWorm RAT builder has been distributed through several pathways, including GitHub repositories, file-sharing links, and Telegram forums.
Novice users, often referred to as “script kiddies”, were lured by the tool under the guise of helpful tutorials and penetration-testing utilities.
Upon execution, the malware leverages advanced techniques, including registry modifications and virtualization checks, to avoid detection and ensure persistence.
The malware communicates with attackers via a Telegram-based command-and-control (C&C) system.
Hardcoded bot tokens allow the RAT to exfiltrate stolen data, such as browser credentials, Telegram data, and Discord tokens, while also enabling live interaction with infected devices.
To date, over 1 GB of browser credentials has been exfiltrated, with victims spanning countries such as Russia, the United States, India, Ukraine, and Turkey.
Notably, the malware employs the Telegram API for issuing commands, such as retrieving browser history, taking screenshots, capturing user data, and executing commands on victim machines.
According to CloudSEK, the RAT also contains self-propagation mechanisms, modifying registry keys to ensure execution at system startup and targeting offline devices during subsequent infection waves.
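The C&C channel described above, a Telegram bot API reached with a hardcoded bot token, leaves a recognisable footprint in outbound web-proxy logs. The following added example (not code from the original article or from CloudSEK) scans constructed proxy log lines for calls to `api.telegram.org/bot<token>/<method>`, redacts the secret half of the token, and ranks the hit by whether the method polls for operator commands (`getUpdates`) or pushes data out (`sendDocument`, `sendPhoto`, `sendMessage`). The log format, the host names and the bot token are all constructed; the token pattern (numeric bot id, a colon, then 35 characters) is Telegram's documented format.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Telegram bot API URL: https://api.telegram.org/bot<bot_id>:<secret>/<method>
# Bot ids are 8-10 digits, the secret part is 35 URL-safe characters.
TELEGRAM_BOT_API = re.compile(
    r"https?://api\.telegram\.org/bot"
    r"(?P<token>\d{8,10}:[A-Za-z0-9_-]{35})/(?P<method>[A-Za-z]+)"
)

# Methods that move data off the host versus methods that fetch operator commands.
EXFIL_METHODS: Set[str] = {"sendDocument", "sendPhoto", "sendMessage"}
POLL_METHODS: Set[str] = {"getUpdates"}


@dataclass
class Finding:
    host: str
    bot_id: str      # numeric half of the token only; the secret is never logged
    method: str
    severity: str


def redact_token(token: str) -> str:
    """Keep the bot id (useful for correlating hosts) and drop the secret."""
    return token.split(":", 1)[0] + ":<redacted>"


def classify(method: str) -> str:
    if method in EXFIL_METHODS:
        return "high"
    if method in POLL_METHODS:
        return "medium"
    return "low"


def scan_log(lines: List[str]) -> List[Finding]:
    """Return one Finding per proxy log line that calls the Telegram bot API.

    Assumed (constructed) line layout: <timestamp> <client-host> <verb> <url> <status>
    """
    findings: List[Finding] = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line, skip rather than crash the scan
        _ts, host, _verb, url = parts[:4]
        match = TELEGRAM_BOT_API.search(url)
        if not match:
            continue
        method = match.group("method")
        findings.append(
            Finding(host, redact_token(match.group("token")), method, classify(method))
        )
    return findings


def hosts_by_bot(findings: List[Finding]) -> Dict[str, Set[str]]:
    """Group affected hosts under the bot id they talk to: one bot id across
    many hosts is the pattern a hardcoded token produces."""
    grouped: Dict[str, Set[str]] = {}
    for f in findings:
        grouped.setdefault(f.bot_id, set()).add(f.host)
    return grouped


# Constructed sample log; the token below is fake and matches only the format.
SAMPLE_LOG = [
    "2025-01-22T10:03:11Z ws-17 GET https://www.example.com/index.html 200",
    "2025-01-22T10:03:12Z ws-17 GET https://api.telegram.org/bot1234567890:AAEXAMPLE0123456789abcdefghijklmnop/getUpdates?offset=0 200",
    "2025-01-22T10:03:40Z ws-17 POST https://api.telegram.org/bot1234567890:AAEXAMPLE0123456789abcdefghijklmnop/sendDocument 200",
    "2025-01-22T10:05:02Z ws-23 GET https://api.telegram.org/bot1234567890:AAEXAMPLE0123456789abcdefghijklmnop/getMe 200",
    "2025-01-22T10:06:00Z ws-23 GET https://t.me/some_public_channel 200",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.severity:6} {f.host:6} {f.method:14} {f.bot_id}")
    print(hosts_by_bot(scan_log(SAMPLE_LOG)))
```

Legitimate automation also uses Telegram bots, so a hit is a triage signal rather than a verdict; the `sendDocument` call immediately after `getUpdates` from the same workstation, and the same bot id appearing on several hosts, are the combinations worth escalating.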
Discovery of a Kill Switch
Researchers analyzing the malware’s operation and infrastructure uncovered a built-in “kill switch” that could disrupt its activities.
By exploiting the Telegram-based uninstall command, the researchers initiated efforts to terminate infections on active devices.
This command allowed them to remotely remove the RAT from compromised systems, but the approach faced limitations such as Telegram’s rate-limiting and offline infected devices.
In addition to disruption, attribution efforts linked the operation to aliases like “@shinyenigma” and “@milleniumrat” on GitHub and Telegram, as well as a ProtonMail address.
Testing infrastructure associated with the threat actors included an AWS-hosted RDP file, suggesting their use of cloud-based environments during development and testing.
To counter such advanced threats, cybersecurity professionals recommend several strategies, including deploying Endpoint Detection and Response (EDR) solutions, monitoring for Indicators of Compromise (IoCs), and enhancing employee awareness of phishing and fake RAT tools.
Network administrators should also block access to malicious GitHub repositories and Telegram channels while enforcing strict application whitelisting policies.
Organizations are urged to collaborate with law enforcement and platform providers like Telegram and GitHub to dismantle malicious infrastructure and hold perpetrators accountable.
By leveraging proactive threat intelligence and maintaining robust cybersecurity hygiene, organizations can mitigate risks posed by evolving malware such as the trojanized XWorm RAT.