Pulse Detail — Threat Intelligence

PULSE NAME

IOC - From PyInstaller to XWorm V7.4: Infection Chain Analysis

WHITE celestre 2026-05-22 Modified: 2026-05-22

IOCs

LOW VOLUME

Point Wild conducted an in-depth analysis of a suspicious PyInstaller-packed Python sample and identified it as a multi-stage malware loader designed to deploy the XWorm Remote Access Trojan (RAT), specifically associated with the XWorm V7.4 campaign. The sample leveraged multiple layers of obfuscation, staged execution and anti-analysis techniques to conceal its true functionality and evade detection by traditional security controls.

localappdata c2 server

Indicators of Compromise (7)

All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 IPv4

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-MD5	c7a6f220f2ff7d6718a5b2f0e85f13dd	—	2026-05-22
FileHash-MD5	d4494a5b1430f7c5347408732cdbd668	—	2026-05-22
FileHash-SHA1	b71b64116728b0b7750dc7724933ffab3646de04	SHA1 of d4494a5b1430f7c5347408732cdbd668	2026-05-22
FileHash-SHA1	f253dff01948c778b45aedc2e5654bfc432f8627	SHA1 of c7a6f220f2ff7d6718a5b2f0e85f13dd	2026-05-22
FileHash-SHA256	09c897832cc1b39c71da765f17adbe958551335f18d756905e733a05bfef697c	SHA256 of c7a6f220f2ff7d6718a5b2f0e85f13dd	2026-05-22
FileHash-SHA256	9c30d62858fd5caf297cf503c63eea3b65325f74b972b2b7d523b7eb32c7656d	SHA256 of d4494a5b1430f7c5347408732cdbd668	2026-05-22
IPv4	68.219.64.89	CC=US ASN=AS8075 microsoft corporation	2026-05-22

References (1)

↗ https://www.pointwild.com/threat-intelligence/from-pyinstaller-to-xworm-v7-4-infection-chain-analysis/