The XDSpy threat actor has been identified as exploiting a Windows LNK zero-day vulnerability, tracked as ZDI-CAN-25373, to target governmental entities in Eastern Europe and Russia. The campaign, active since March 2025, uses a multi-stage infection chain to deploy the XDigo implant, which is written in Go. The findings come from an investigation that started from Trend Micro’s initial report on the vulnerability.
Sophisticated Cyber Espionage Campaign
The vulnerability is abused by padding the LNK command-line arguments with large amounts of whitespace so that the Windows Explorer UI does not display the malicious command. This highlights the advanced tactics employed by XDSpy, a group known for stealthy operations since 2011.
The investigation, triggered by a series of suspicious LNK files, uncovered how the attackers exploit inconsistencies between Microsoft’s MS-SHLLINK specification and its actual implementation. The result is hidden command execution that is not visible in the user interface and is missed by third-party parsers.
According to a report from HarfangLab, the attack begins with spearphishing emails distributing ZIP archives such as “dokazatelstva.zip” and “proyekt.zip.” These archives contain specially crafted LNK files that combine the ZDI-CAN-25373 vulnerability with LNK parsing confusion.
Technical Intricacies
Upon execution, these files launch a legitimate Microsoft executable that sideloads a malicious C# .NET DLL named ETDownloader. This component establishes persistence and attempts to retrieve the next-stage payload, suspected to be XDigo, from domains such as vashazagruzka365[.]com.
XDigo, linked to the campaign through infrastructure correlation, is a data collection implant capable of file scanning, clipboard capture, and screenshot acquisition. It communicates with command-and-control servers such as quan-miami[.]com.
Infrastructure analysis shows that XDSpy uses Russian-themed domain names for distribution servers and random English words for command-and-control servers. Selective serving markers, such as HTTP header patterns, and redirections to large binary files on HuggingFace are used to complicate analysis.
The campaign’s focus on Belarusian governmental entities, among others, aligns with XDSpy’s historical targeting of Eastern European institutions, underscoring their persistent and tailored espionage efforts.
The operation’s technical sophistication is further shown by XDigo’s anti-analysis checks, AES-256-GCM encryption of exfiltrated data, and RSA-based command authentication. Together these illustrate an evolving threat landscape that requires robust defensive strategies against stealthy adversaries.
Indicators of Compromise (IOCs)
| Type | Indicator (SHA-256 / Domain) | Description |
|---|---|---|
| ZIP Archive | a28ee84bfbad9107ad39802e25c24ae0eaa00a870eca09039076a0360dcbd869 | XDSpy ZIP, dokazatelstva.zip |
| LNK File | 0b705938e0063e73e03645e0c7a00f7c8d8533f1912eab5bf9ad7bc44d2cf9c3 | XDSpy LNK, доказательства_089741.lnk |
| ETDownloader | 792c5a2628ec1be86e38b0a73a44c1a9247572453555e7996bb9d0a58e37b62b | XDSpy ETDownloader, d3d9.dll |
| XDigo Malware | 0d983f5fb403b500ec48f13a951548d5a10572fde207cf3f976b9daefb660f7e | XDigo malware, vwjqrvdy.exe |
| Domain (Distribution) | vashazagruzka365[.]com | XDSpy distribution, March 2025 |
| Domain (C2) | quan-miami[.]com | XDigo C2, February 2025 |