Hackread reports that more than 18,459 devices around the world had sensitive data, including Discord tokens, browser credentials, and system details, stolen in intrusions that exploited script kiddies through a trojanized XWorm RAT builder.
Amateur threat actors have been targeted by an attacker using the "@shinyenigma" and "milleniumrat" aliases, who distributed the altered XWorm RAT builder; the builder not only exfiltrates data via Telegram bot tokens and API calls but also performs registry modification and virtualization checks, according to an analysis from CloudSEK. "This builder provides attackers with a streamlined tool to deploy and operate a highly capable RAT, which features advanced capabilities like system reconnaissance, data exfiltration, and command execution," said the report, which also noted that offline devices and the rate limiters employed by Telegram prevented the malware from being fully disrupted through a kill switch. These findings come after Ukraine's State Service of Special Communications and Information Protection reported that Russian hackers had leveraged XWorm in attacks targeting Ukraine during the first six months of 2024.
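Because the trojanized builder exfiltrates through the Telegram Bot API, the most useful network-side indicator for defenders is an outbound request to api.telegram.org carrying a bot token in the URL path. The following scanner is an added example written for this article, not code from CloudSEK's analysis or from the malware itself; the proxy log format, the IP addresses and the bot token in the sample lines are all constructed, and the set of "exfiltration" methods is an assumption about which Bot API calls are most likely to carry stolen files. The token is redacted before a finding is recorded so that the alert itself does not leak a live credential into the SIEM.

```python
import re

# Telegram Bot API calls have the form https://api.telegram.org/bot<token>/<method>.
# A bot token is "<numeric bot id>:<secret>"; both parts are captured so the secret
# can be stripped from the finding while the bot id remains as a pivot for correlation.
TELEGRAM_BOT_CALL = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>(?P<bot_id>\d+):[A-Za-z0-9_-]{30,45})/(?P<method>[A-Za-z]+)"
)

# Assumption: methods that upload content or fetch tasking are the ones worth a high-severity alert.
EXFIL_METHODS = {"sendDocument", "sendPhoto", "sendMessage", "getUpdates"}

# Constructed proxy log lines (timestamp, client IP, method, URL, status). The token is fake.
SAMPLE_PROXY_LOG = [
    "2024-05-01T10:00:01Z 10.0.0.12 POST https://api.telegram.org/bot1234567890:AAFAKETOKEN0123456789ABCDEFGHIJKLMN/sendDocument 200",
    "2024-05-01T10:00:03Z 10.0.0.12 GET https://example.com/index.html 200",
    "2024-05-01T10:00:05Z 10.0.0.27 GET https://api.telegram.org/bot1234567890:AAFAKETOKEN0123456789ABCDEFGHIJKLMN/getMe 200",
]


def scan_proxy_log(lines):
    """Return one finding per Telegram Bot API call found in the log lines.

    Each finding carries the client IP, the numeric bot id, the API method,
    a severity derived from the method, and the URL with the token secret redacted.
    """
    findings = []
    for line in lines:
        match = TELEGRAM_BOT_CALL.search(line)
        if not match:
            continue
        fields = line.split()
        client_ip = fields[1] if len(fields) > 1 else "unknown"
        bot_id = match.group("bot_id")
        method = match.group("method")
        redacted_url = match.group(0).replace(match.group("token"), bot_id + ":<REDACTED>")
        findings.append({
            "src": client_ip,
            "bot_id": bot_id,
            "method": method,
            "severity": "high" if method in EXFIL_METHODS else "medium",
            "redacted_url": redacted_url,
        })
    return findings


def hosts_by_bot(findings):
    """Group the client IPs that talked to each bot id; several hosts sharing one bot
    id is the pattern a single stolen-data collection channel would produce."""
    grouped = {}
    for finding in findings:
        grouped.setdefault(finding["bot_id"], set()).add(finding["src"])
    return grouped


if __name__ == "__main__":
    for finding in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(finding)
    print(hosts_by_bot(scan_proxy_log(SAMPLE_PROXY_LOG)))
```

Running the scanner over the constructed lines reports the sendDocument upload as high severity and the getMe probe as medium, and the grouping step shows both hosts reporting to the same bot id. On a real proxy export the log-line split at the start of scan_proxy_log would need to match that product's field order.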