← Back to Pulse Feed
PULSE DETAIL
PULSE NAME
XWorm V6.0 Multi-Stage Campaign - backupallfresh2030.
WHITE PetrP.73 2026-04-26 Modified: 2026-04-26
17
IOCs
MEDIUM VOLUME
A cybercrime campaign revolving around the XWorm V6.0 Remote Access Trojan (RAT) is being actively conducted by a Turkish-origin threat actor under the alias flexhere687-art. This operation employs a multi-layered delivery strategy that leverages platforms like Google Blogger, Filemail, and GitHub for distributing malicious payloads. The campaign began on March 22, 2026, and is primarily aimed at English-speaking victims, utilizing social engineering tactics such as lures involving tax documents, invoices, and shipping notifications.
searchappdatareportfileblog idsioc summarycnamepayload zipgithub payloadsha256 filenamewin64
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
Indicators of Compromise (3 / 17 total)
All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 domain
TYPEINDICATORDESCRIPTIONCREATED
FileHash-SHA1 e1230ff1362235ec692b7f369539b1f875769ba4 SHA1 of a32a687c22c7c8a2466bf4f84cd7faab3f27a3f03c8ac507d87d542966675aa9 2026-04-26
FileHash-SHA1 282770c4df305faac202775a414df084c2bbbb62 SHA1 of c6c0e723cfc8bc80ec71b0f02627cf3030c27f6aa209b23cbd94d041eab64384 2026-04-26
FileHash-SHA1 d8f928eebed5f467f6ebf4d7576bcaf5faf638de SHA1 of 8d82e3757e9db0fc247350ab3140a21badcf8d6c60dfe79200d7d1e2a93dba14 2026-04-26
References (1)
↗ https://intel.breakglass.tech/post/xworm-backupallfresh