A cybercrime campaign revolving around the XWorm V6.0 Remote Access Trojan (RAT) is being actively conducted by a Turkish-origin threat actor under the alias flexhere687-art. This operation employs a multi-layered delivery strategy that leverages platforms like Google Blogger, Filemail, and GitHub for distributing malicious payloads. The campaign began on March 22, 2026, and is primarily aimed at English-speaking victims, utilizing social engineering tactics such as lures involving tax documents, invoices, and shipping notifications.