Hackread reports that more than 18,459 devices around the world had sensitive data, including Discord tokens, browser credentials, and system details, stolen in intrusions that targeted script kiddies through a trojanized XWorm RAT builder.
CloudSEK reports that amateur threat actors were targeted by an attacker using the "@shinyenigma" and "milleniumrat" aliases with the altered XWorm RAT builder, which exfiltrates data through Telegram bot tokens and Bot API calls and also performs registry modification and virtualization checks.
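Since the exfiltration channel described above runs over the Telegram Bot API, a defender can spot it in egress proxy logs: every such call hits api.telegram.org with a path of the form /bot<token>/<method>. The following is an added detection example, not code from Hackread, CloudSEK or the XWorm project; the log line format and the bot token in it are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed proxy log lines: "<timestamp> <src_ip> <http_method> <url> <status>"
# (sample data for this example, not real indicators from the report)
SAMPLE_LOGS = [
    "2024-01-15T10:01:02Z 10.0.0.5 GET https://api.telegram.org/bot123456789:AAEabcDEFghiJKLmnoPQRstuVWXyz0123456/getUpdates 200",
    "2024-01-15T10:01:07Z 10.0.0.5 POST https://api.telegram.org/bot123456789:AAEabcDEFghiJKLmnoPQRstuVWXyz0123456/sendDocument 200",
    "2024-01-15T10:02:11Z 10.0.0.9 GET https://example.com/index.html 200",
    "2024-01-15T10:03:30Z 10.0.0.5 POST https://api.telegram.org/bot123456789:AAEabcDEFghiJKLmnoPQRstuVWXyz0123456/sendMessage 200",
]

# Bot API paths look like /bot<bot_id>:<secret>/<apiMethod>
BOT_PATH = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")
# Methods that carry data out of the host; getUpdates alone is C2 polling, not exfiltration
EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto", "sendVideo"}


def parse_line(line):
    """Split one constructed proxy log line into its fields."""
    ts, src, method, url, status = line.split()
    return {"ts": ts, "src": src, "method": method, "url": url, "status": status}


def telegram_bot_call(url):
    """Return bot id, a redacted token fingerprint and the API method, or None."""
    u = urlparse(url)
    if u.hostname != "api.telegram.org":
        return None
    m = BOT_PATH.match(u.path)
    if not m:
        return None
    bot_id, secret, api_method = m.groups()
    # Never log the full token: it is a live credential for the attacker's bot
    return {"bot_id": bot_id, "token_fingerprint": f"{bot_id}:{secret[:4]}...", "api_method": api_method}


def find_exfil(lines):
    """Flag every Bot API call that uploads data, keyed by source host."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        call = telegram_bot_call(rec["url"])
        if call and call["api_method"] in EXFIL_METHODS:
            alerts.append({"ts": rec["ts"], "src": rec["src"], **call})
    return alerts


if __name__ == "__main__":
    for a in find_exfil(SAMPLE_LOGS):
        print(a)
```

The bot id in the fingerprint is enough to correlate hosts reporting to the same bot without storing the secret; if the environment has no legitimate Telegram bots, alerting on any api.telegram.org traffic is simpler still.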
"This builder provides attackers with a streamlined tool to deploy and operate a highly-capable RAT, which features advanced capabilities like system reconnaissance, data exfiltration, and command execution," said the report. The researchers also noted that offline devices and the rate limits Telegram imposes on its API prevented the malware's kill switch from fully disrupting it.
The news follows a report by Ukraine's State Service of Special Communications and Information Protection that Russian hackers leveraged XWorm in attacks targeting Ukraine during the first six months of 2024.