Security Articles

No Honor Among Thieves: Uncovering a Trojanized XWorm RAT Builder Propagated by Threat Actors and Disrupting Its Operations

released on 2025-01-27 @ 02:24:05 PM
A trojanized version of the XWorm RAT builder has been weaponized and propagated, targeting novice cybersecurity enthusiasts. The malware, spread through GitHub, Telegram, and file-sharing platforms, has compromised over 18,459 devices globally. It exfiltrates sensitive data like browser credentials, Discord tokens, and system information, employing advanced techniques such as virtualization checks and registry modifications. The malware uses Telegram as its command-and-control infrastructure, leveraging bot tokens and API calls. Analysis revealed over 1 GB of browser credentials exfiltrated from multiple devices. Researchers identified a "kill switch" feature, which was used to disrupt active devices. Attribution efforts linked the operation to a threat actor using aliases like "@shinyenigma" and "@milleniumrat".