PULSE NAME
XWorm V6.0 Multi-Stage Campaign - backupallfresh2030.
WHITE PetrP.73 2026-04-26 Modified: 2026-04-26
17 IOCs, MEDIUM VOLUME
A cybercrime campaign revolving around the XWorm V6.0 Remote Access Trojan (RAT) is being actively conducted by a Turkish-origin threat actor under the alias flexhere687-art. This operation employs a multi-layered delivery strategy that leverages platforms like Google Blogger, Filemail, and GitHub for distributing malicious payloads. The campaign began on March 22, 2026, and is primarily aimed at English-speaking victims, utilizing social engineering tactics such as lures involving tax documents, invoices, and shipping notifications.
Indicators of Compromise (4 / 17 total)
TYPE INDICATOR DESCRIPTION CREATED
FileHash-MD5 4fb1d24441fab021bde64dde9b379631 MD5 of a32a687c22c7c8a2466bf4f84cd7faab3f27a3f03c8ac507d87d542966675aa9 2026-04-26
FileHash-MD5 1570fbfede2b241d1ac65d777fc0f514 MD5 of c6c0e723cfc8bc80ec71b0f02627cf3030c27f6aa209b23cbd94d041eab64384 2026-04-26
FileHash-MD5 781f4d43b2bbe30677f88b32fbf8b3ec MD5 of 8d82e3757e9db0fc247350ab3140a21badcf8d6c60dfe79200d7d1e2a93dba14 2026-04-26
FileHash-MD5 f34d5f2d4577ed6d9ceec516c1f5a744 2026-04-26