A sophisticated cyber espionage campaign attributed to the XDSpy threat actor has recently been uncovered, revealing the exploitation of a zero-day vulnerability in Windows shortcut files. This elusive group has operated largely under the radar since 2011, with its activities coming to light in 2020. Primarily targeting government entities in Eastern Europe and Russia, XDSpy has shown no discernible connections to known Advanced Persistent Threat (APT) groups, neither in its coding practices nor in its targeting strategies.
The campaign centers around a vulnerability identified as “ZDI-CAN-25373,” which allows attackers to conceal the commands a shortcut file executes from the Windows user interface. First reported by Trend Micro in March 2025, the weakness lets malicious actors pad the command-line arguments of a specially crafted LNK file with whitespace characters, so that the real arguments are pushed out of view in the Windows LNK properties dialog while the hidden commands still run when the shortcut is opened.
In mid-March, researchers from HarfangLab identified a cluster of malicious LNK files that exploited this vulnerability as part of a coordinated attack. Their investigation not only confirmed the exploitation of ZDI-CAN-25373 but also highlighted a more profound issue regarding how Windows parses LNK files differently from its own MS-SHLLINK specification. This discrepancy creates an additional layer of confusion that malicious actors can exploit to further obfuscate their attacks.
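The padding trick described above is visible in the file itself: the COMMAND_LINE_ARGUMENTS string inside the LNK carries a long run of whitespace before the real arguments. The following added example (not code from the original article or from HarfangLab) parses the MS-SHLLINK header and StringData section and flags shortcuts whose arguments contain an abnormally long whitespace run; the minimal shortcut it builds for testing is constructed, and the threshold of 8 consecutive whitespace characters is an assumption.

```python
import struct

# LinkFlags bits, in the order defined by MS-SHLLINK section 2.1.1
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELPATH, HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = (1 << i for i in range(8))
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
PAD_CHARS = " \t\n\r\x0b\x0c"  # whitespace that renders as blank space in the Properties dialog

def _read_string(data, pos, unicode):
    # StringData item: 2-byte CountCharacters followed by the characters, no terminator
    count = struct.unpack_from("<H", data, pos)[0]
    pos += 2
    width = 2 if unicode else 1
    raw = data[pos:pos + count * width]
    return raw.decode("utf-16-le" if unicode else "latin-1"), pos + count * width

def parse_lnk_strings(data):
    """Walk the ShellLinkHeader, LinkTargetIDList and LinkInfo, then return the StringData fields."""
    if struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_ID_LIST:       # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:     # LinkInfoSize (4 bytes) includes the size field itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, name in ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"), (HAS_WORKDIR, "working_dir"),
                      (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location")):
        if flags & bit:
            fields[name], pos = _read_string(data, pos, flags & IS_UNICODE)
    return fields

def longest_pad_run(text):
    best = run = 0
    for ch in text:
        run = run + 1 if ch in PAD_CHARS else 0
        best = max(best, run)
    return best

def check_lnk(data, threshold=8):
    """Return (suspicious, longest_whitespace_run, visible_arguments) for a shortcut's bytes."""
    args = parse_lnk_strings(data).get("arguments", "")
    run = longest_pad_run(args)
    return run >= threshold, run, args.strip(PAD_CHARS)

def build_sample_lnk(arguments):
    """Constructed minimal shortcut (header + COMMAND_LINE_ARGUMENTS only) for offline testing."""
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, HAS_ARGS | IS_UNICODE,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
```

Running check_lnk over the bytes of a real shortcut reports the hidden arguments that the Properties dialog would not show.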
The campaign has predominantly focused on Russian-speaking recipients. Among the decoy documents discovered during the analysis were a scan of a document addressed to the President of the Presidium in Kazakhstan’s Almaty City Bar Association and a floor map detailing network and electricity installation plans from a Moscow architectural design firm. Such findings underscore XDSpy’s continued emphasis on government and infrastructure targets in Eastern Europe.
Infection Mechanism
The infection chain initiates when a victim receives a ZIP archive, named either dokazatelstva.zip or proyekt.zip, containing a malicious LNK file alongside another ZIP disguised with an .ini extension. Upon opening the LNK file, the user unwittingly triggers a complex Windows shell command designed to unpack and execute the malicious components while simultaneously displaying a decoy document.
This LNK file uses both the ZDI-CAN-25373 vulnerability and the parsing confusion to mask its true intentions. A simplified version of the Windows shell command contained within the LNK file illustrates its complexity:
set PATH=%windir%\system32;%PATH% & (
chcp 65001 | echo | set /p="import System;
import System.IO;
import System.IO.Compression;
[...truncated JavaScript .NET code...]
Main();" > %TEMP%\B5DUC80ULT7L.a
[...more code to compile and execute...]
)
This command extracts and executes a first-stage malware known as “ETDownloader,” a .NET DLL that is sideloaded by a legitimate signed Microsoft executable. ETDownloader establishes persistence by creating a startup batch file and attempts to download a second-stage payload called “XDigo” from a command and control server using hardcoded URLs.
The XDigo implant, written in Go, has advanced data collection capabilities designed to evade detection and exfiltrate sensitive information. It routinely scans for documents with specific extensions, captures screenshots, monitors clipboard content, and can execute commands, and it encrypts the data it exfiltrates.
This campaign marks a significant evolution in XDSpy’s tactics, merging zero-day exploitation with sophisticated multi-stage payloads. It serves as a testament to the ongoing development of advanced capabilities by this previously low-profile threat actor, underscoring the persistent threat posed by targeted cyber espionage operations.