PULSE NAME
XWorm V6.0 Multi-Stage Campaign - backupallfresh2030.
WHITE PetrP.73 2026-04-26 Modified: 2026-04-26
17 IOCs
MEDIUM VOLUME
A cybercrime campaign built around the XWorm V6.0 Remote Access Trojan (RAT) is being actively conducted by a Turkish-origin threat actor under the alias flexhere687-art. The operation employs a multi-layered delivery strategy that uses platforms such as Google Blogger, Filemail, and GitHub to distribute malicious payloads. The campaign began on March 22, 2026, and is primarily aimed at English-speaking victims, relying on social engineering lures such as tax documents, invoices, and shipping notifications.