CyberSecurity news


Pierluigi Paganini@Security Affairs //
The LockBit ransomware group has taunted newly appointed FBI Director Kash Patel with what it calls a "birthday gift": an archive the group claims consists of classified documents. LockBitSupp, the persona believed to run the group, posted the message on February 25, 2025, mocking Patel and claiming the data could "destroy" the FBI. The claim is unverified, but a public threat of this kind against the head of a federal law-enforcement agency is notable in itself.

The post, published on LockBit's dark web leak site, describes an "archive of classified information" of more than 250 folders of material dating back to May 29, 2024, and presents it to the new Director as a "guide, roadmap, and some friendly advice." Whether the archive exists, and whether any of it is genuinely classified, rests so far on the group's word alone; the threat nonetheless shows how directly ransomware operators are now willing to target government agencies and their leadership.



References :
  • securityaffairs.com: LockBit taunts FBI Director Kash Patel with alleged "Classified" leak threat
  • The420.in: LockBit Targets FBI Director with Alleged Classified Leak
  • iHLS: In a chilling message posted on February 25, 2025, the alleged leader of the notorious LockBit ransomware group, LockBitSupp, issued a disturbing "birthday gift" to Kash Patel, the newly appointed Director of the FBI.
Classification:
  • HashTags: #LockBit #KashPatel #DataLeak
  • Company: FBI
  • Target: Kash Patel
  • Attacker: LockBitSupp
  • Feature: Data Leak
  • Malware: LockBit
  • Type: DataBreach
  • Severity: Major
@www.bleepingcomputer.com //
A threat actor has turned the tables on low-skilled hackers, often called "script kiddies," by distributing a trojanized build of the XWorm RAT builder. The fake builder, disguised as a tool for penetration testing, silently installs a backdoor on the system of anyone who runs it, and that backdoor has compromised more than 18,000 devices worldwide. It was spread through file-sharing services, GitHub repositories, Telegram channels and YouTube videos. Once installed, the backdoor exfiltrated browser credentials, Discord tokens, Telegram data and system information.

The campaign shows that people experimenting with attack tooling are themselves targets. Threat actors using the aliases "@shinyenigma" and "@milleniumrat" exploited the eagerness of would-be hackers to download and run tools shown in online tutorials. Infected machines were found in Russia, the United States, India, Ukraine and Turkey. The backdoor uses Telegram for command and control, driving the Telegram Bot API with bot tokens embedded in the malware, which means those tokens are recoverable from any sample. Security researchers used the kill switch built into the malware to push an uninstall command to active devices, though the cleanup was limited by machines that were offline at the time and by Telegram's API rate limiting.
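The two points above that matter to a responder are that Telegram-bot C2 leaves a recoverable bot token in the sample, and that a token-based kill switch runs into Telegram's rate limits. The following is an added example, not code from the article, from CloudSEK, or from the malware: it pulls Telegram bot tokens, API methods and chat IDs out of a constructed string dump (the bot ID, token secret, chat ID and paths are all made up here), then drives a kill-switch dispatch through an injected transport that mimics the Telegram Bot API's HTTP 429 `retry_after` behaviour. The `/uninstall` command string, the 1 message/second pacing and the token character set are assumptions stated in the comments; nothing here talks to the real API.

```python
"""Telegram-bot C2 triage helpers. Added example; assumptions are marked."""
import re
import time
from typing import Callable, Dict, List, Optional, Tuple

# Telegram bot tokens look like "<numeric bot id>:<35-char secret>". The secret
# length is given some slack in case of format drift (assumption).
TOKEN_RE = re.compile(rb"(?<!\d)(\d{8,10}:[A-Za-z0-9_-]{30,45})(?![A-Za-z0-9_-])")
# Bot API calls are https://api.telegram.org/bot<token>/<method>
API_RE = re.compile(rb"https?://api\.telegram\.org/bot\d{8,10}:[A-Za-z0-9_-]{30,45}/([A-Za-z]+)")
CHAT_ID_RE = re.compile(rb"chat_id=(-?\d{6,15})")

# Constructed stand-in for `strings` output of a trojanized builder; every value
# below is invented for the example.
SAMPLE = (
    b"XWormBuilder cracked by @hypothetical-alias\x00"
    b"https://api.telegram.org/bot1234567890:AAHfakeTOKENfakeTOKENfakeTOKEN12345/sendDocument\x00"
    b"https://api.telegram.org/bot1234567890:AAHfakeTOKENfakeTOKENfakeTOKEN12345/sendMessage"
    b"?chat_id=-1001122334455&text=\x00"
    b"https://api.telegram.org/bot1234567890:AAHfakeTOKENfakeTOKENfakeTOKEN12345/getUpdates\x00"
    b"%APPDATA%\\discord\\Local Storage\\leveldb\x00"
)


def extract_iocs(blob: bytes) -> Dict[str, List[str]]:
    """Return deduplicated bot tokens, Bot API methods and chat ids found in blob."""
    tokens = sorted({m.group(1).decode() for m in TOKEN_RE.finditer(blob)})
    methods = sorted({m.group(1).decode() for m in API_RE.finditer(blob)})
    chat_ids = sorted({m.group(1).decode() for m in CHAT_ID_RE.finditer(blob)})
    return {"tokens": tokens, "methods": methods, "chat_ids": chat_ids}


# A transport takes (token, chat_id, text) and returns (http_status, retry_after).
# The real Bot API answers 429 with {"parameters": {"retry_after": N}}.
Transport = Callable[[str, str, str], Tuple[int, Optional[int]]]


def dispatch_kill_switch(token: str, chat_ids: List[str], send: Transport,
                         command: str = "/uninstall",  # assumed command string
                         sleep: Callable[[float], None] = time.sleep,
                         max_attempts: int = 5) -> Dict[str, int]:
    """Push the kill-switch command to every chat, backing off on 429.

    Pacing follows Telegram's documented guidance of about one message per
    second per chat. Machines that are offline at dispatch time cannot act on
    the command, which is the limitation the researchers ran into.
    """
    stats = {"sent": 0, "retried": 0, "failed": 0}
    for chat in chat_ids:
        for _ in range(max_attempts):
            status, retry_after = send(token, chat, command)
            if status == 200:
                stats["sent"] += 1
                break
            if status == 429:  # throttled: wait as long as the API asks
                stats["retried"] += 1
                sleep(float(retry_after or 1))
                continue
            stats["failed"] += 1  # any other error: give up on this chat
            break
        else:
            stats["failed"] += 1  # exhausted retries while throttled
        sleep(1.0)  # per-chat pacing
    return stats


def make_fake_transport(throttle_first: Dict[str, int],
                        broken: Optional[List[str]] = None) -> Transport:
    """Constructed Bot API stand-in: 429 with the given retry_after on the first
    contact with each listed chat, 500 for chats in `broken`, 200 otherwise."""
    seen = set()
    broken = broken or []

    def send(token: str, chat: str, text: str) -> Tuple[int, Optional[int]]:
        if chat in broken:
            return 500, None
        if chat in throttle_first and chat not in seen:
            seen.add(chat)
            return 429, throttle_first[chat]
        return 200, None

    return send


if __name__ == "__main__":
    iocs = extract_iocs(SAMPLE)
    print(iocs)
    transport = make_fake_transport({"-1001122334455": 3})
    print(dispatch_kill_switch(iocs["tokens"][0], iocs["chat_ids"],
                               transport, sleep=lambda s: None))
```

In a real cleanup the injected `send` would wrap an HTTPS call to the Bot API and the recovered token; keeping the transport injectable is what makes the back-off logic testable offline, and it also keeps a live token out of a script that will be shared with other responders.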



References :
  • www.bleepingcomputer.com: A threat actor targeted low-skilled hackers, known as "script kiddies," with a fake malware builder that secretly infected them with a backdoor to steal data and take over computers
  • bsky.app: Over 18,000 users infected themselves with a backdoor after they downloaded a cracked malware builder
  • hackread.com: Hackers Use XWorm RAT to Exploit Script Kiddies, Pwning 18,000 Devices
  • www.cloudsek.com: Over 18,000 users infected themselves with a backdoor after they downloaded a cracked malware builder
  • Cyber Security News: Weaponized XWorm RAT Builder Targeting Script Kiddies to Extract Sensitive Data
  • gbhackers.com: Weaponised XWorm RAT Builder Attacking Script Kiddies To Hack 18,000 Devices
  • cyberpress.org: Weaponized XWorm RAT Builder Targeting Script Kiddies to Extract Sensitive Data
  • www.scworld.com: XWorm RAT builder leveraged for widespread device compromise
Classification:
  • HashTags: #MalwareBuilder #ScriptKiddies #CyberAttack
  • Company: Script Kiddies
  • Target: Script Kiddies
  • Product: Fake Malware Builder
  • Feature: Backdoor
  • Malware: XWorm RAT
  • Type: Malware
  • Severity: Major