Today’s Topics:
- 18,000 Script Kiddies Fall Victim to Trojanized Malware Builder
- Exchange Server Warning: Certificate Deprecation Leaves Older Systems Exposed
- How can Netizen help?
18,000 Script Kiddies Fall Victim to Trojanized Malware Builder

A threat actor has exploited low-skilled hackers, commonly known as “script kiddies,” by distributing a fake malware builder that installs a backdoor to compromise their devices. Security researchers at CloudSEK report that the campaign infected 18,459 devices across the globe, with significant activity in Russia, the United States, India, Ukraine, and Turkey.
The attack revolves around a trojanized version of the XWorm Remote Access Trojan (RAT) builder. Promoted as a free tool for generating XWorm malware, the fake builder was shared on platforms like GitHub, Telegram, file-sharing websites, and YouTube tutorials. These sources targeted inexperienced cybercriminals seeking free hacking tools, demonstrating yet again that there is no honor among thieves.
Rather than providing a working RAT builder, the fake tool covertly installs malware on the would-be attacker's own device. According to CloudSEK, the campaign is designed specifically to exploit the lack of technical expertise among script kiddies, who are unlikely to inspect what a "free" builder actually does before running it.
Once installed, the malware establishes persistence through a Windows Registry entry and registers each infected device with a Telegram-based command-and-control (C2) channel, using a Telegram bot ID and token hardcoded in the binary.
The malware’s capabilities include:
- Data Theft: Stealing saved passwords, cookies, and autofill data from web browsers.
- Keylogging: Recording keystrokes for credential harvesting.
- Screen Capture: Capturing screenshots of the infected desktop.
- Ransomware Functionality: Encrypting files on the victim's system with a password supplied in the command.
- Process Termination: Killing security processes or other specified tasks.
- File Exfiltration: Uploading specific files from the infected system.
- Self-Uninstallation: The ability to remove itself upon receiving a command.
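A quick host triage for the two traits described above, the Registry persistence and the Telegram Bot API C2, written as an added example for this newsletter rather than code from CloudSEK's report. It assumes the persistence entry lives in the Run/RunOnce keys (the report only says the Registry is modified), that a hardcoded bot token implies traffic to api.telegram.org, and that the user-writable directories listed are unusual homes for a legitimate autorun; run it elevated on the suspect Windows host.

```powershell
# Added example (not CloudSEK's tooling): triage a Windows host that may have run the trojanized builder.
# Assumptions: persistence is in Run/RunOnce; a Bot API token means traffic to api.telegram.org;
# the directories in $userWritable are unusual locations for a legitimate autorun (tune per environment).

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$userWritable = '\\AppData\\Local\\Temp\\', '\\AppData\\Roaming\\', '\\Users\\Public\\', '\\ProgramData\\'

function Get-AutorunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }          # provider metadata, not autorun values
            $cmd = [string]$prop.Value
            [PSCustomObject]@{
                Key        = $key
                Name       = $prop.Name
                Command    = $cmd
                Suspicious = [bool]($userWritable | Where-Object { $cmd -match $_ })
            }
        }
    }
}

function Get-TelegramConnections {
    # A hardcoded bot token is only useful against the Bot API, which is served from api.telegram.org.
    # Resolve it now and match live sockets against the answers.
    $ips = @()
    try { $ips = @((Resolve-DnsName -Name 'api.telegram.org' -Type A -ErrorAction Stop).IPAddress) } catch {}
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemotePort -eq 443 -and $ips -contains $_.RemoteAddress } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [PSCustomObject]@{
                ProcessId = $_.OwningProcess
                Process   = $proc.ProcessName
                Path      = $proc.Path
                Remote    = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
            }
        }
    # The resolver cache catches a client that polled and already disconnected; on a host with no
    # Telegram desktop app installed, any entry for api.telegram.org needs an explanation.
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $_.Entry -like '*telegram*' } |
        Select-Object @{ n = 'CachedName'; e = { $_.Entry } }, Data
}

Get-AutorunEntries | Sort-Object Suspicious -Descending | Format-Table -AutoSize
Get-TelegramConnections | Format-Table -AutoSize
```

A flagged autorun is a lead, not a verdict: confirm by hashing the target executable and checking what it connects to. The Run/RunOnce keys are only the most common registry persistence points; scheduled tasks, services and Winlogon values are the next places to look if the host shows Telegram traffic but nothing turns up here.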
CloudSEK’s investigation found that approximately 11% of infected devices had their data exfiltrated, including screenshots and stolen browser information.
The malware primarily targets devices in Brazil (65%), followed by smaller shares in Turkey, Argentina, Uzbekistan, Pakistan, and Iraq. The malicious actors leveraged a diverse array of ASN providers and IP addresses, indicating an effort to obscure their origin and avoid detection.
CloudSEK researchers disrupted the botnet by turning its own infrastructure against it. Because the malware's Telegram API token was hardcoded and the malware shipped with a built-in kill switch, they were able to issue mass uninstall commands to the infected devices.
To reach as many victims as possible, the researchers:
- Extracted known machine IDs from Telegram logs.
- Brute-forced machine IDs within a numeric range.
- Used the Telegram API to send the self-removal command to all infected clients.
This removed the malware from many devices, but some systems remain compromised: machines that were offline when the command went out never received it, and Telegram's rate limits capped how many commands could be delivered.
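The takedown procedure above, reproduced in shape as an added example for this newsletter; this is not CloudSEK's tooling. It pulls a Bot API token out of a sample, collects machine IDs from the bot's log lines, adds a brute-forced numeric range, and pushes the self-uninstall command through Telegram's sendMessage endpoint while honouring the HTTP 429 flood control that limited the real effort. The log format, the "/uninstall <id>" command syntax, the chat ID and the sample bytes are all constructed assumptions; the real values came from the malware itself.

```powershell
# Added example (not CloudSEK's code). Constructed inputs throughout; the command syntax is assumed.

function Find-TelegramBotToken {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    # A Bot API token is "<numeric bot id>:<35-char secret>". .NET binaries usually keep string
    # literals as UTF-16, so decode the bytes both ways before matching.
    $pattern = '(?<![\w-])\d{8,10}:[\w-]{35}(?![\w-])'
    $found = foreach ($enc in [System.Text.Encoding]::ASCII, [System.Text.Encoding]::Unicode) {
        [regex]::Matches($enc.GetString($Bytes), $pattern) | ForEach-Object { $_.Value }
    }
    $found | Sort-Object -Unique
}

function Get-MachineIdsFromLog {
    param([Parameter(Mandatory)][string[]]$Lines)
    # Assumed log format: every check-in line carries "id=<number>". Duplicates collapse to one ID.
    $Lines | ForEach-Object { if ($_ -match 'id=(\d+)') { [int]$Matches[1] } } | Sort-Object -Unique
}

function Send-UninstallCommand {
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string]$ChatId,      # assumed: the chat the clients poll for commands
        [Parameter(Mandatory)][int[]]$MachineIds,
        [switch]$DryRun
    )
    $uri = "https://api.telegram.org/bot$Token/sendMessage"
    foreach ($id in $MachineIds) {
        $body   = @{ chat_id = $ChatId; text = "/uninstall $id" }   # assumed kill-switch syntax
        $result = 'dry-run'
        if (-not $DryRun) {
            $delay = 1
            for ($attempt = 1; $attempt -le 5; $attempt++) {
                try {
                    $null = Invoke-RestMethod -Uri $uri -Method Post -Body $body -ErrorAction Stop
                    $result = 'sent'; break
                } catch {
                    $code = 0
                    if ($_.Exception.Response) { $code = [int]$_.Exception.Response.StatusCode }
                    if ($code -ne 429) { $result = 'failed: ' + $_.Exception.Message; break }
                    # 429 is Telegram's flood control. Back off and retry rather than skipping the victim;
                    # this is exactly the limit that slowed the real mass-uninstall.
                    $result = 'rate-limited'
                    Start-Sleep -Seconds $delay
                    $delay = [math]::Min($delay * 2, 30)
                }
            }
        }
        [PSCustomObject]@{ MachineId = $id; Result = $result }
    }
}

# Constructed sample: a config blob as it might sit inside a builder, plus three check-in lines (one duplicate).
$sampleBytes = [System.Text.Encoding]::Unicode.GetBytes(
    'host=api.telegram.org token=123456789:AAHfakeTokenSecretForExampleOnly001 chat=987654321')
$sampleLog = @(
    '2025-01-20 10:01:07 checkin id=1041 host=DESKTOP-A1',
    '2025-01-20 10:02:19 checkin id=1042 host=DESKTOP-B2',
    '2025-01-20 10:05:44 checkin id=1041 host=DESKTOP-A1'
)
$token = Find-TelegramBotToken -Bytes $sampleBytes | Select-Object -First 1
$known = Get-MachineIdsFromLog -Lines $sampleLog
$all   = @($known) + (1000..1010) | Sort-Object -Unique          # known IDs plus a brute-forced range
Send-UninstallCommand -Token $token -ChatId '987654321' -MachineIds $all -DryRun | Format-Table -AutoSize
```

Drop -DryRun only if you own the bot; against a real builder, replace $sampleBytes with [System.IO.File]::ReadAllBytes on the sample. The rate-limit loop is why coverage is incomplete in practice: a bot is throttled per chat, so thousands of IDs take hours, and any client that is offline during that window keeps its implant.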
Exchange Server Warning: Certificate Deprecation Leaves Older Systems Exposed

Microsoft has issued a warning that outdated Exchange servers are no longer able to receive critical emergency mitigation definitions due to the deprecation of an Office Configuration Service (OCS) certificate type. The inability to download these mitigations leaves on-premises Exchange servers vulnerable to high-risk exploits, emphasizing the importance of timely updates.
The Exchange Emergency Mitigation Service (EEMS), introduced in September 2021, provides automated, interim security mitigations for actively exploited vulnerabilities. This service is designed to protect Exchange Server 2016 and 2019 installations by detecting known threats and applying mitigations until official security patches are available.
EEMS operates as a Windows service installed automatically on Exchange servers running the Mailbox role, provided they have deployed the September 2021 or later cumulative updates.
Microsoft’s Exchange Team has confirmed that servers running Exchange builds older than the March 2023 updates cannot connect to the Office Configuration Service (OCS) to download new mitigations. Such servers instead log errors under the “MSExchange Mitigation Service” source.
The issue stems from the deprecation of an older certificate type used by OCS. Microsoft has deployed a new certificate to replace it, but only servers that have installed the March 2023 or later cumulative or security update (CU or SU) can use the updated certificate and continue receiving emergency mitigations.
Microsoft is urging organizations to update their Exchange servers as soon as possible. Keeping servers up to date ensures they remain protected against new and emerging threats while retaining the ability to download and apply EEMS mitigations.
“It is critical to always keep your servers up to date,” said the Exchange Team. “Running the Exchange Server Health Checker will provide guidance on what actions are needed to secure your environment and re-enable EEMS.”
The EEMS feature was developed in response to the ProxyLogon and ProxyShell attacks of 2021, in which both state-sponsored and financially motivated threat actors exploited Exchange flaws at scale, in ProxyLogon’s case before patches were available.
In March 2021, Microsoft observed at least ten hacking groups, including the Chinese state-backed group Hafnium, leveraging ProxyLogon zero-days to breach Exchange servers. The lack of timely mitigations highlighted the need for automated, interim solutions like EEMS.
To ensure Exchange servers remain secure and functional:
- Apply Updates Regularly: Always deploy the latest cumulative and security updates to maintain compatibility with EEMS and other protective measures.
- Run Health Checks: Use the Exchange Server Health Checker to identify outdated configurations and apply recommended fixes.
- Monitor Vulnerabilities: Stay informed about newly discovered exploits and ensure timely patch deployment to mitigate risks.
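To check a Mailbox server for the symptoms described above, here is an added example for this newsletter to run in the Exchange Management Shell; it is not from the Exchange Team's post and it is not HealthChecker. It reads the build from ExSetup.exe (AdminDisplayVersion does not change when a security update is installed), compares it with the March 2023 SU builds for Exchange 2016 CU23 and Exchange 2019 CU12 (an assumption taken from Microsoft's published build list; confirm the values before relying on them), checks the EEMS service, pulls recent errors logged by "MSExchange Mitigation Service", and runs the OCS connectivity test from Microsoft's EEMS documentation.

```powershell
# Added example (not Microsoft's code): EEMS readiness check for one Mailbox server, run in the
# Exchange Management Shell. The build thresholds below are an assumption to confirm against
# Microsoft's "Exchange Server build numbers and release dates" page.

# 1. Installed build, read from ExSetup.exe; AdminDisplayVersion stays at the CU build after an SU.
$fvi   = (Get-Command -Name ExSetup.exe -ErrorAction Stop).FileVersionInfo
$build = [version]::new($fvi.FileMajorPart, $fvi.FileMinorPart, $fvi.FileBuildPart, $fvi.FilePrivatePart)

# 2. March 2023 SU builds for the CUs current at the time. A later CU has a higher build component,
#    so it sorts above these and passes the comparison.
$march2023Su = @{
    '15.1' = [version]'15.1.2507.23'   # Exchange 2016 CU23 + Mar23SU (assumed value)
    '15.2' = [version]'15.2.1118.26'   # Exchange 2019 CU12 + Mar23SU (assumed value)
}
$family = '{0}.{1}' -f $build.Major, $build.Minor
$buildStatus = if (-not $march2023Su.ContainsKey($family)) { 'unknown Exchange version' }
               elseif ($build -ge $march2023Su[$family])   { 'OK: March 2023 SU or later' }
               else { 'UPDATE NEEDED: older than March 2023, EEMS cannot reach OCS' }

# 3. The EEMS Windows service (MSExchangeMitigation) should exist and be running.
$svc = Get-Service -Name MSExchangeMitigation -ErrorAction SilentlyContinue
$svcText = if ($svc) { '{0} ({1})' -f $svc.Status, $svc.StartType } else { 'not installed' }

# 4. Errors written by the service in the last week under the source the warning refers to.
$recentErrors = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'MSExchange Mitigation Service'; Level = 2
        StartTime = (Get-Date).AddDays(-7)
    } -MaxEvents 20 -ErrorAction SilentlyContinue)
$lastError = if ($recentErrors.Count -gt 0) { ($recentErrors[0].Message -split "`r?`n")[0] } else { '' }

# 5. Microsoft's connectivity test for the Office Configuration Service endpoint. A 200 shows the
#    network path is open; it does not prove EEMS itself accepts the new certificate (that is step 2).
try {
    $ocs = 'HTTP {0}' -f (Invoke-WebRequest -Uri 'https://officeclient.microsoft.com/getexchangemitigations' `
                            -UseBasicParsing -ErrorAction Stop).StatusCode
} catch {
    $ocs = 'unreachable: ' + $_.Exception.Message
}

[PSCustomObject]@{
    Server       = $env:COMPUTERNAME
    Build        = $build.ToString()
    BuildStatus  = $buildStatus
    EemsService  = $svcText
    ErrorsLast7d = $recentErrors.Count
    LastError    = $lastError
    OcsEndpoint  = $ocs
} | Format-List
```

Run it on every Mailbox server, not just one; EEMS is per server, and a single stale node is the one that misses the next interim mitigation. For the authoritative picture, run the Exchange Server Health Checker the Exchange Team recommends, and use Get-Mitigations.ps1 from the Exchange Scripts folder to list which mitigations have actually been applied.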
Organizations relying on on-premises Exchange servers must prioritize regular updates to protect their email workloads from high-risk vulnerabilities. Failure to do so may leave systems exposed to exploits, disrupt automated security mitigations, and compromise critical data.
How Can Netizen Help?
Netizen ensures that security gets built in, not bolted on, by providing advanced solutions to protect critical IT infrastructure, such as our popular “CISO-as-a-Service,” through which companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
