A threat actor has been targeting inexperienced hackers, or "script kiddies," by distributing a trojanized version of the XWorm Remote Access Trojan (RAT) builder. Security researchers at CloudSEK uncovered the operation, which infected 18,459 devices across multiple countries, including Russia, the United States, India, Ukraine, and Turkey. The campaign relies on the habit of novice cybercriminals of downloading tools from untrusted sources without verifying them.
Distributed through various channels including GitHub repositories, file hosting platforms, Telegram channels, YouTube videos, and websites, the fake RAT builder promised free malware creation capabilities. Instead, it served as a Trojan horse, infecting the very threat actors attempting to use it.
How This Malware Uses Telegram for Malicious Activities
Once a device is infected, the XWorm payload runs a set of checks before settling in. It first queries the Windows Registry for signs of a virtualized environment and aborts the infection if it finds them, a common analysis-evasion step that keeps the sample from running in a sandbox. On hosts that pass the check, it modifies the Registry so that it is relaunched after every reboot.

The malware's command and control (C2) channel runs over Telegram rather than a dedicated server: a Telegram bot ID and token are hardcoded into the sample, so every infected host reports to, and takes orders from, the same bot. Upon infection it automatically harvests sensitive information including Discord tokens, system details, and location data derived from the victim's IP address.
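A hardcoded Telegram bot token is also a detection opportunity for defenders, because every Bot API call carries the token in the URL path. The following is an added example, not code from the CloudSEK report or from the malware: it hunts a web-proxy log for processes that repeatedly call the Telegram Bot API and flags the poll-and-upload pattern a Telegram-based C2 produces. The log lines are constructed for illustration, and the five-field layout (timestamp, client IP, process name, HTTP method, URL) is an assumption to be adapted to a real proxy schema.

```python
"""Hunt for Telegram Bot API beaconing in web-proxy logs.

Added example; not code from the CloudSEK report or the malware. The log
lines below are constructed, and the five-field layout (timestamp, client IP,
process name, HTTP method, URL) is an assumption to adapt to a real proxy schema.
"""
import re
from collections import defaultdict

# The Bot API puts the bot token in the URL path: /bot<bot_id>:<secret>/<method>.
# Real tokens look like "<digits>:<35 chars>"; the secret class is kept loose on purpose.
BOT_URL = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{20,})"
    r"/(?P<method>[A-Za-z]+)"
)

# Constructed sample log (not real traffic). Host 10.0.0.5 shows the pattern the
# article describes: one process polling getUpdates for operator commands and
# pushing harvested data back with sendMessage/sendDocument.
SAMPLE_LOG = """\
2025-01-20T10:00:01Z 10.0.0.5 builder.exe POST https://api.telegram.org/bot7123456789:AAFabcdefghijklmnopqrstuvwxyz0123456/sendMessage
2025-01-20T10:00:02Z 10.0.0.5 builder.exe GET https://api.telegram.org/bot7123456789:AAFabcdefghijklmnopqrstuvwxyz0123456/getUpdates?offset=1
2025-01-20T10:00:31Z 10.0.0.5 builder.exe GET https://api.telegram.org/bot7123456789:AAFabcdefghijklmnopqrstuvwxyz0123456/getUpdates?offset=2
2025-01-20T10:00:40Z 10.0.0.5 builder.exe POST https://api.telegram.org/bot7123456789:AAFabcdefghijklmnopqrstuvwxyz0123456/sendDocument
2025-01-20T10:01:00Z 10.0.0.7 chrome.exe GET https://web.telegram.org/k/
2025-01-20T10:01:05Z 10.0.0.9 python.exe GET https://api.telegram.org/bot5550001111:BBGzyxwvutsrqponmlkjihgfedcba9876543/getMe
"""


def redact(bot_id, secret):
    """Keep enough of the token to correlate findings without logging the secret."""
    return f"{bot_id}:{secret[:4]}{'*' * (len(secret) - 4)}"


def parse_line(line):
    """Return a record for a log line that hits the Bot API, else None."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src_ip, process, _http_method, url = parts
    m = BOT_URL.search(url)
    if not m:
        return None
    return {"ts": ts, "src_ip": src_ip, "process": process,
            "bot_id": m["bot_id"], "secret": m["secret"], "api_method": m["method"]}


def find_bot_beacons(log_text, min_hits=2):
    """Group Bot API calls by (client, process, bot) and report the noisy ones.

    A single getMe from an admin script is probably benign; a process that polls
    getUpdates and uploads with sendDocument looks like a Telegram-based C2.
    """
    groups = defaultdict(lambda: {"hits": 0, "api_methods": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        g = groups[(rec["src_ip"], rec["process"], rec["bot_id"], rec["secret"])]
        g["hits"] += 1
        g["api_methods"].add(rec["api_method"])
        g["first"] = g["first"] or rec["ts"]
        g["last"] = rec["ts"]
    findings = []
    for (src_ip, process, bot_id, secret), g in groups.items():
        if g["hits"] < min_hits:
            continue
        # C2 signature: polls for commands AND pushes results back
        c2_like = "getUpdates" in g["api_methods"] and bool(
            {"sendMessage", "sendDocument"} & g["api_methods"])
        findings.append({
            "src_ip": src_ip, "process": process, "token": redact(bot_id, secret),
            "hits": g["hits"], "api_methods": sorted(g["api_methods"]),
            "first": g["first"], "last": g["last"], "c2_like": c2_like,
        })
    return findings


if __name__ == "__main__":
    for finding in find_bot_beacons(SAMPLE_LOG):
        print(finding)
```

The grouping key includes the full token so two bots run by the same operator show up as separate findings; the output only ever carries the redacted form, so the finding can be pasted into a ticket without leaking a credential that, as the next section shows, is enough to issue commands to the whole botnet.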
Extensive Command & Control Capabilities
The malware's capabilities are particularly alarming: it supports 56 commands, each addressed to a specific victim by its machine ID, that give operators extensive control. Some of the most dangerous commands include:
- /machine_id*browsers – Steal saved passwords, cookies, and autofill data from web browsers
- /machine_id*keylogger – Record everything the victim types on their computer
- /machine_id*desktop – Capture the victim’s active screen
- /machine_id*encrypt*<password> – Encrypt all files on the system using a provided password
- /machine_id*processkill*<process> – Terminate specific running processes, including security software
- /machine_id*upload*<file> – Exfiltrate specific files from the infected system
- /machine_id*uninstall – Remove the malware from the device
CloudSEK researchers found that approximately 11% of infected devices had already had data exfiltrated, primarily screenshots and stolen browser data.
Researchers Exploit Kill Switch in Counteroffensive Against the Malware
In a remarkable counteroffensive, the researchers disrupted the botnet by turning the malware's own kill switch against it. Because the bot token was hardcoded, they could issue commands as the operator: they extracted machine IDs from the bot's Telegram logs and sent mass uninstall commands to them. Assuming the IDs followed a simple numeric pattern, they also brute-forced additional machine IDs from 1 to 9999.

While this intervention removed the malware from many infected machines, some systems remained compromised. Telegram's message rate limiting slowed delivery, and a host that was offline never received its uninstall command, so not all systems could be cleaned at once.
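The command list above and the kill-switch takedown both hinge on the same message format, `/<machine_id>*<command>[*<arg>]`, so one added example covers both. The code below is not from the CloudSEK report or the malware: it parses operator messages of that form, recovers machine IDs from a bot's message history as the researchers did, builds the uninstall batch (optionally unioned with the 1 to 9999 brute-force range), and models delivery under rate limiting with retries. Numeric machine IDs are an assumption the article attributes to the researchers; the sample messages are constructed; and nothing here contacts Telegram, since `send` is an injected callable so the logic runs offline.

```python
"""Parse the Telegram-borne operator commands and build the uninstall kill switch.

Added example; not code from the CloudSEK report or the malware. It assumes the
command syntax shown in the article, '/<machine_id>*<command>[*<arg>]', and
numeric machine IDs (the researchers brute-forced 1 to 9999 on that assumption).
Nothing here contacts Telegram: `send` is an injected callable so the batching
and retry logic can be exercised offline.
"""
import re
import time
from dataclasses import dataclass
from typing import Iterable, Optional

COMMAND_RE = re.compile(r"^/(?P<machine_id>\d+)\*(?P<command>[a-z]+)(?:\*(?P<arg>.+))?$")
# Commands named in the article; the malware has 56 in total, these are the listed ones.
KNOWN = {"browsers", "keylogger", "desktop", "encrypt", "processkill", "upload", "uninstall"}
TAKES_ARG = {"encrypt", "processkill", "upload"}


@dataclass(frozen=True)
class Command:
    machine_id: int
    command: str
    arg: Optional[str]


def parse_command(text: str) -> Optional[Command]:
    """Return a Command for a well-formed operator message, else None."""
    m = COMMAND_RE.match(text.strip())
    if not m or m["command"] not in KNOWN:
        return None
    arg = m["arg"]
    if (m["command"] in TAKES_ARG) != (arg is not None):  # arity must match the command
        return None
    return Command(int(m["machine_id"]), m["command"], arg)


def machine_ids_from_messages(messages: Iterable[str]) -> set:
    """Recover victim IDs from the bot's message history, as the researchers did."""
    return {c.machine_id for c in map(parse_command, messages) if c is not None}


def build_uninstall_batch(machine_ids: Iterable[int], brute_range: Optional[range] = None) -> list:
    """One '/<id>*uninstall' per known ID, optionally unioned with a guessed ID range."""
    ids = set(machine_ids)
    if brute_range is not None:
        ids |= set(brute_range)
    return [f"/{i}*uninstall" for i in sorted(ids)]


def deliver(messages, send, max_attempts=3, sleep=time.sleep, backoff_s=1.0):
    """Send each command, retrying with exponential backoff when `send` reports a
    rate limit by returning False (a real `send` would call the Bot API sendMessage
    method and return False on HTTP 429). Note that "sent" does not mean "cleaned":
    Telegram accepts the message whether or not the implant is online, and an
    offline host only acts on it the next time it polls, if ever.
    """
    stats = {"sent": 0, "retried": 0, "failed": 0}
    for text in messages:
        for attempt in range(max_attempts):
            if send(text):
                stats["sent"] += 1
                break
            stats["retried"] += 1
            sleep(backoff_s * 2 ** attempt)
        else:  # every attempt was rate-limited
            stats["failed"] += 1
    return stats


# Constructed sample of operator messages (not real bot logs).
SAMPLE_MESSAGES = [
    "/42*browsers",
    "/42*desktop",
    "/15000*upload*C:\\Users\\victim\\Desktop\\keys.txt",
    "/7*encrypt*hunter2",
    "/7*processkill*MsMpEng.exe",
    "/notanid*uninstall",   # malformed ID: ignored
    "/9*upload",            # upload requires a path: ignored
]

if __name__ == "__main__":
    ids = machine_ids_from_messages(SAMPLE_MESSAGES)
    batch = build_uninstall_batch(ids, brute_range=range(1, 10000))
    # Dry run: log instead of sending, never rate-limited.
    stats = deliver(batch, send=lambda text: True, sleep=lambda s: None)
    print(f"recovered IDs: {sorted(ids)}; batch size {len(batch)}; {stats}")
```

The arity check in `parse_command` matters in both directions: it rejects an `upload` with no path, and it rejects a bare command such as `desktop` carrying a trailing argument, which keeps a log parser from accepting mangled or injected lines as commands.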
The incident underscores critical cybersecurity lessons. "There is no honor among thieves," the CloudSEK report notes, highlighting how threat actors can become victims of their own ecosystem's predatory nature. The key takeaway is simple: never trust unsigned software, least of all software distributed through underground cybercriminal channels.
The Dangers of “Convenient” Tools in the Cybersecurity Landscape
The cybersecurity world is rife with examples of seemingly benign tools turning into major security threats. This case is a stark reminder for aspiring professionals and would-be threat actors alike.
The allure of "convenient" tools is strong. They promise to streamline tasks, automate processes, and increase efficiency. But such tools often come from untrusted sources, and a download that is never verified is an easy place to hide malicious code or a backdoor.
Aspiring cybersecurity professionals must prioritize rigorous security practices: verify the source and integrity of any software before running it, detonate unknown tools in an isolated environment, and analyze them before deployment. This proactive approach reduces the risk of introducing a compromise into the very systems being protected.
For would-be threat actors, the case cuts the other way. A "free" tool from an underground channel is an effective lure precisely because its users skip verification, and using such tools carries its own risks: they leave digital fingerprints, such as the hardcoded bot token here, that make it easier for security teams to trace activity back to its source.
Ultimately, the complex landscape of cyber threats demands vigilance and a clear understanding of the risks that come with seemingly convenient tools.