Summary: A threat actor has targeted low-skilled hackers, or “script kiddies,” with a fake malware builder that silently installs a backdoor to steal data and take control of their computers. Security researchers at CloudSEK report that the malware has infected over 18,000 devices worldwide, primarily in Russia, the U.S., and India. The malware includes a kill switch, which CloudSEK used to remove the infection from many of those devices, though some remain compromised.
Threat Actor: Unknown | unknown
Victim: Script Kiddies | script kiddies
Keypoints:
- A Trojanized version of the XWorm RAT builder was distributed through various platforms, claiming to be a legitimate tool.
- The malware checks for virtual environments and modifies the Windows Registry for persistence, while exfiltrating sensitive data to a Telegram-based C2 server.
- CloudSEK disrupted the botnet using the kill switch, but some infected machines remain compromised because they were offline when the command was issued.
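The two host and network behaviours in the keypoints, Telegram-based exfiltration and registry persistence, are the ones a defender can hunt for without a sample. The script below is an added example, not code from CloudSEK or from the original page. It assumes only the documented shape of a Telegram Bot API URL (`api.telegram.org/bot<id>:<secret>/<method>`) and the common Run-key autostart locations; the page does not name the exact registry key the malware modifies, and the proxy log lines and registry entries are constructed for the example.

```python
"""
Added triage example (not from the CloudSEK report or the original page):
hunt for Telegram Bot API C2 traffic in egress logs and for suspicious
Run-key persistence in an exported registry listing.
"""
import re
from dataclasses import dataclass

# Telegram Bot API calls take the form https://api.telegram.org/bot<id>:<secret>/<method>.
# The token shape (digits, colon, 35 URL-safe characters) is the documented bot-token
# format; it is assumed here as general knowledge, the page does not state it.
TELEGRAM_BOT_URL = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]{35})/(?P<method>[A-Za-z]+)"
)


@dataclass
class TelegramHit:
    line: str
    method: str
    token_hint: str  # bot id only; the secret half is redacted so the hit can be shared


def find_telegram_c2(log_lines):
    """Return one TelegramHit per egress log line that calls the Telegram Bot API."""
    hits = []
    for line in log_lines:
        m = TELEGRAM_BOT_URL.search(line)
        if not m:
            continue
        bot_id = m.group("token").split(":", 1)[0]
        hits.append(TelegramHit(line=line, method=m.group("method"),
                                token_hint=f"bot{bot_id}:<redacted>"))
    return hits


# Autostart keys commonly abused for persistence. Assumption: the page only says the
# malware "modifies the Windows Registry for persistence", not which key.
RUN_KEYS = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)

# User-writable directories from which a legitimate autostart binary is rarely launched.
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                   "\\users\\public\\", "\\programdata\\")


def flag_run_key_entries(entries, baseline):
    """
    entries:  (key, value_name, command) tuples exported from the registry.
    baseline: value names known to be legitimate on this host (an allowlist).
    Returns entries under a Run key that are not in the baseline and launch
    from a user-writable directory.
    """
    flagged = []
    for key, name, command in entries:
        if not key.startswith(RUN_KEYS) or name in baseline:
            continue
        lowered = command.lower()
        if any(d in lowered for d in SUSPICIOUS_DIRS):
            flagged.append((key, name, command))
    return flagged


# Constructed sample data for the example; not real observations.
SAMPLE_PROXY_LOG = [
    "10.0.0.17 GET https://www.example.com/ 200",
    "10.0.0.17 GET https://t.me/somechannel 200",
    "10.0.0.17 POST https://api.telegram.org/bot7123456789:AAHfK9x_Q2mLp8vR4sT6uW1yZ3bC5dE7fG9/sendDocument 200",
]
SAMPLE_RUN_ENTRIES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "WindowsUpdate",
     r"C:\Users\alice\AppData\Roaming\svchost.exe"),
    (r"HKCU\Software\SomeVendor\Settings", "Theme", "dark"),
]
BASELINE = {"OneDrive"}


def triage():
    """Run both hunts over the constructed samples and return the findings."""
    return {
        "telegram_c2": find_telegram_c2(SAMPLE_PROXY_LOG),
        "persistence": flag_run_key_entries(SAMPLE_RUN_ENTRIES, BASELINE),
    }


if __name__ == "__main__":
    for hit in triage()["telegram_c2"]:
        print("C2:", hit.method, hit.token_hint)
    for key, name, cmd in triage()["persistence"]:
        print("PERSISTENCE:", name, cmd)
```

Redacting the secret half of the bot token matters in practice: a full token in a ticket or a shared hunt query lets anyone read the attacker's channel, which is often exactly where victims' stolen data sits. Note also that `t.me` links and ordinary Telegram client traffic do not match; only Bot API calls, which an end-user client never makes, are flagged.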