A Turkish Insurance Enthusiast, a Live GitHub Repository, and XWorm V6.0: How a Tax Document Lure Exposed a Multi-Vector Campaign

Actor email in GitHub commits, Turkish language in filenames, GitHub repo still serving payloads, 0/57 VT detection on the dropper

Published April 3, 2026

The domain backupallfresh2030[.]com was flagged by @skocherhan alongside four other XWorm C2 indicators. @smica83 had the sample -- James_Smith_Tax_Documents_2025.pdf .js, a JavaScript file disguised as a tax document, scoring 0/57 on VirusTotal. It was seen from the UK on April 1.

We pulled the thread and found a Turkish-speaking threat actor who left their email address in GitHub commits, their native language in filenames, and their entire malware staging repository publicly accessible and still serving payloads as of this writing.

The Actor

The GitHub account flexhere687-art was created on the same day as the first malware upload. The commit history contains the email flexhere687@gmail[.]com. One of the staged executables is named sigortasevdalisi.exe -- Turkish for "insurance enthusiast." Combined with other Turkish-language artifacts in the tooling, this places the actor in Turkey with moderate confidence.

The GitHub repository xvxc- remains live and hosts five malware payloads:

  • dddd.exe -- XWorm V6.0 (compiled March 22, 2026)
  • sigortasevdalisi.exe -- Named payload
  • 31.exe -- Unnamed variant
  • Additional staging files

GitHub has not removed the repository despite the payloads being openly accessible.

Three Delivery Vectors

The campaign uses three parallel delivery methods targeting different victim profiles:

Vector 1: JavaScript Tax Lure

James_Smith_Tax_Documents_2025.pdf .js -- the double extension exploits Windows' default hidden extension behavior. The victim sees what looks like a PDF. It's JavaScript.

The JS dropper uses string interleaving obfuscation -- characters of the malicious command are woven between garbage characters and reassembled at runtime. The deobfuscated payload calls PowerShell, which downloads a 14 MB ZIP from Filemail (a legitimate file-sharing service) containing a trojanized Python 3.12 installation. The Python loader decrypts AES- and XOR-encrypted shellcode and executes it in memory.

The Filemail link is still serving the payload.

Vector 2: BAT with UAC Bypass

The batch-file droppers bypass User Account Control to gain elevated execution, then download payloads directly from the GitHub repository via raw URLs. Persistence is established through the Startup folder using the filename Microsys.exe.

Vector 3: Excel CVE-2017-11882

Weaponized Excel documents exploiting the Equation Editor vulnerability -- the same 2017 exploit we've seen in the SideWinder and WarMachine campaigns this week. Old vulnerability, still effective against unpatched systems.

Defender Evasion

The campaign's most aggressive evasion technique is Windows Defender exclusion abuse. Upon execution, the malware adds:

  • The entire C:\ drive as a path exclusion
  • .exe, .bat, and .ps1 as extension exclusions

This effectively blinds Windows Defender to all executable activity on the system. Any subsequent payload -- XWorm, additional modules, lateral movement tools -- runs without real-time scanning.
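As an added defender-side example (not code from this report or its authors), the Python below parses the "New value" text of Microsoft Defender Event ID 5007 (configuration changed) and triages the exclusion changes described above: whole-drive path exclusions and executable extension exclusions are the ones that blind real-time scanning system-wide. The event strings are constructed samples in that event's format.

```python
import re

# Constructed sample "New value" strings in the format of Microsoft Defender
# Event ID 5007 (configuration changed); not telemetry from this campaign.
SAMPLE_EVENTS = [
    r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = 0x0",
    r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\exe = 0x0",
    r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\bat = 0x0",
    r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\ps1 = 0x0",
    r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\Vendor\cache = 0x0",
    r"HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = 0x1",
]

# Path and extension exclusions are written under these two registry subkeys.
EXCL_RE = re.compile(r"Windows Defender\\Exclusions\\(Paths|Extensions)\\(.+?) = 0x", re.I)
ROOT_DRIVE_RE = re.compile(r"^[A-Za-z]:\\?$")          # e.g. "C:\" or "C:"
EXEC_EXTS = {"exe", "bat", "ps1", "cmd", "vbs", "js", "dll", "scr"}


def classify_exclusion(new_value):
    """Return (kind, value, severity) for an exclusion change, or None if the
    5007 event is not an exclusion change at all."""
    m = EXCL_RE.search(new_value)
    if not m:
        return None
    kind, value = m.group(1).lower(), m.group(2).strip()
    if kind == "paths":
        # A whole-drive exclusion blinds real-time scanning to everything on it.
        severity = "high" if ROOT_DRIVE_RE.match(value) else "medium"
    else:
        # Excluding executable/script extensions has the same effect system-wide.
        severity = "high" if value.lower().lstrip(".") in EXEC_EXTS else "low"
    return kind, value, severity


def triage(events):
    """Return only the high-severity exclusions from a batch of 5007 'New value' strings."""
    return [r for r in map(classify_exclusion, events) if r and r[2] == "high"]


if __name__ == "__main__":
    for kind, value, severity in triage(SAMPLE_EVENTS):
        print(f"[{severity}] Defender exclusion added: {kind} = {value}")
```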

Persistence Arsenal

Four persistence mechanisms ensure the malware survives reboots:

  1. Registry Run key as RtkAudUService -- mimicking the legitimate Realtek Audio Universal Service. An administrator checking startup entries sees what looks like an audio driver.
  2. Startup folder with Microsys.exe -- a generic name that blends with legitimate Microsoft processes
  3. Scheduled tasks via schtasks for timed re-execution
  4. LOLBin abuse using SyncAppvPublishingServer.vbs -- a legitimate Microsoft App-V script used as a living-off-the-land execution proxy
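The four mechanisms above can be hunted in endpoint telemetry; the Python below is an added example (not from this report) that runs the report's behavioral indicators over constructed Sysmon-style events (registry value set, file create, process create). The "trusted directory" heuristic for the Realtek-named Run key, the field names and the sample paths are assumptions of this example, not details the report states.

```python
import re

# Constructed Sysmon-style events (only the fields the checks use), shaped after the
# persistence mechanisms in the report; not real telemetry from this campaign.
SAMPLE_EVENTS = [
    {"EventID": 13, "TargetObject": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RtkAudUService",
     "Details": r"C:\Users\victim\AppData\Roaming\dddd.exe"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RtkAudUService",
     "Details": r"C:\Program Files\Realtek\Audio\HDA\RtkAudUService64.exe"},
    {"EventID": 11, "TargetFilename": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows"
                                      r"\Start Menu\Programs\Startup\Microsys.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 30 /tn Updater /tr "C:\Users\victim\AppData\Roaming\31.exe"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript C:\Windows\System32\SyncAppvPublishingServer.vbs <constructed-args>"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad"},
]

# Assumption of this example: the genuine Realtek service binary lives under one of these.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\windows\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def hunt(events):
    """Return (indicator, evidence) pairs for the report's four persistence mechanisms."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        cmd = ev.get("CommandLine", "")
        if eid == 13:
            # Run key named after the Realtek service but pointing outside vendor/system dirs
            image = ev.get("Details", "").strip('"')
            if (re.search(r"\\CurrentVersion\\Run\\RtkAudUService$", ev.get("TargetObject", ""), re.I)
                    and not image.lower().startswith(TRUSTED_DIRS)):
                findings.append(("run-key masquerade", image))
        elif eid == 11:
            path = ev.get("TargetFilename", "")
            if re.search(r"\\Start Menu\\Programs\\Startup\\Microsys\.exe$", path, re.I):
                findings.append(("startup folder", path))
        elif eid == 1 and ev.get("Image", "").lower().endswith("\\schtasks.exe"):
            # Task creation whose action runs from a user-writable location
            if "/create" in cmd.lower() and any(d in cmd.lower() for d in USER_WRITABLE):
                findings.append(("scheduled task", cmd))
        elif eid == 1 and "syncappvpublishingserver.vbs" in cmd.lower():
            findings.append(("lolbin proxy", cmd))
    return findings
```

A legitimate Realtek installation (second event) produces no finding, which is the distinction an analyst needs when the Run key name alone is not enough.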

XWorm V6.0

The final payload is XWorm version 6.0, a full-featured remote access trojan with:

  • DDoS attack capability
  • Keylogger
  • Screen capture
  • File encryption (ransomware-capable)
  • Process injection
  • Plugin system for extensibility
  • Telegram-based C2 notifications
  • Credential harvesting from browsers and applications
  • Hosts file manipulation for DNS hijacking

@skocherhan documented additional C2 domains in the same campaign:

Domain / IP                                           Purpose
backupallfresh2030[.]com                              Primary C2
king[.]authdrakesotware[.]com / 103.75.190[.]48       Secondary C2
dd6qg4wn9ejpd[.]cloudfront[.]net / 3.170.185[.]8      CloudFront C2 abuse
nigga[.]ad0becloud[.]com / 31.44.4[.]127              Fake Adobe domain
marchcap28[.]blogspot[.]com                           Blogspot dead drop
aprilfoolclpa[.]blogspot[.]com                        Blogspot dead drop

The campaign abuses four legitimate platforms for infrastructure: GitHub for payload staging, Filemail for payload delivery, CloudFront for C2 traffic, and Blogspot for command dead drops. This multi-platform abuse strategy means no single takedown request disrupts the entire operation.

Indicators of Compromise

Network Indicators

  • backupallfresh2030[.]com (primary C2)
  • king[.]authdrakesotware[.]com / 103.75.190[.]48
  • dd6qg4wn9ejpd[.]cloudfront[.]net / 3.170.185[.]8
  • nigga[.]ad0becloud[.]com / 31.44.4[.]127
  • marchcap28[.]blogspot[.]com
  • aprilfoolclpa[.]blogspot[.]com
  • GitHub: flexhere687-art/xvxc- (STILL LIVE)

File Indicators

  • James_Smith_Tax_Documents_2025.pdf .js — SHA256: 333aae0b09f9a443c3fd9b381f04f684e87aa6ad8fc55f8ac3293e8df80b45d5 (0/57 VT)
  • dddd.exe — XWorm V6.0 (compiled 2026-03-22)

Actor Indicators

  • Email: flexhere687@gmail[.]com
  • Language: Turkish ("sigortasevdalisi" = insurance enthusiast)
  • GitHub: flexhere687-art

Behavioral Indicators

  • Registry Run key RtkAudUService (mimics Realtek audio)
  • Defender exclusions: entire C:\ + .exe/.bat/.ps1 extensions
  • SyncAppvPublishingServer.vbs LOLBin execution
  • Startup folder Microsys.exe

Detection

Seven YARA rules and nine Suricata signatures are available on our GitHub:


h/t @skocherhan and @smica83 for the IOCs and sample.
