
📌 1. Overview
- XDigo is a newly discovered, Go-based espionage malware attributed to the advanced persistent threat group XDSpy.
- It emerged in March 2025 and has been actively used in cyber-espionage operations targeting government organizations, primarily in Eastern Europe, particularly Belarus.
- The malware exhibits modular and stealthy reconnaissance behavior, designed to collect sensitive data rather than disrupt systems.
💥 2. Infection Vector and Exploitation
- XDigo’s infection chain begins with the exploitation of a zero-day vulnerability in Windows .LNK (shortcut) file parsing.
🔓 Vulnerability Details:
- CVE Identifier: Internal reference as ZDI-CAN-25373 (Zero Day Initiative candidate).
- Attack Method:
  - A specially crafted .LNK file is embedded within an archive (ZIP, RAR, or 7z) sent to the victim.
  - When the victim clicks the .LNK file, it triggers the vulnerability, allowing the attacker to bypass normal execution controls.
  - This leads to the sideloading of a malicious DLL, commonly referred to as ETDownloader.
⚙️ Multi-Stage Payload:
- Stage 1: .LNK file execution triggers the malicious DLL via a legitimate signed binary.
- Stage 2: ETDownloader contacts the Command-and-Control (C2) server to retrieve the main XDigo payload.
- Stage 3: The XDigo implant is dropped and initialized on the victim machine, maintaining stealth.
🔍 3. XDigo Technical Capabilities
XDigo functions as a modular espionage implant, primarily focused on reconnaissance and exfiltration:
🔐 Capabilities:
- System reconnaissance:
  - Collects hostname, user info, and system details.
- Directory and file enumeration:
  - Recursively lists directories and identifies specific file types (e.g., Office documents, PDFs).
- Screenshot capture:
  - Periodically takes desktop screenshots and sends them to the attacker.
- File collection and encryption:
  - Files of interest are AES-256-GCM encrypted before exfiltration.
- Secure command execution:
  - The implant can receive signed and encrypted commands from its C2, ensuring authenticity and integrity.
- C2 Communication:
  - Uses HTTPS for secure and encrypted data transmission.
  - Example domain: quan-miami[.]com/wevjhnyh/
🕵️‍♂️ 4. Attribution to XDSpy
- The malware campaign has been attributed to XDSpy, a known espionage group active since at least 2011.
- Attribution Factors:
  - Similarities in command structure, domain infrastructure, and file-naming conventions.
  - Shared tactics, techniques, and procedures (TTPs) across multiple campaigns.
  - Continued targeting of the same geographic and political regions.
🎯 5. Target Profile
- Geopolitical Focus: Primarily targets government and diplomatic entities in Eastern Europe and former Soviet regions.
- Victim Sectors: Government departments, defense contractors, diplomatic communications, and foreign affairs ministries.
- Region Example: Confirmed cases in Belarus.
🔐 6. Defensive Measures
✅ A. Patch Management
- Apply patches as soon as Microsoft or vendors address ZDI-CAN-25373 and related LNK vulnerabilities.
🛡️ B. Endpoint Protection
- Deploy EDR (Endpoint Detection and Response) tools to detect:
  - DLL sideloading
  - Suspicious binary executions triggered from .LNK files
- Monitor for behavior anomalies such as:
  - Unusual screenshot captures
  - Files being encrypted before network transmission
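The delivery chain described in section 2 (archive, extracted .LNK, signed host binary, sideloaded DLL) leaves a recognisable trail in endpoint telemetry. The script below is an added example, not code from the original write-up or from any EDR product: it runs three heuristics over a handful of constructed Sysmon-style events (ProcessCreate, ImageLoad and FileCreate) and reports a .LNK written by an archiver, a binary started from the same extraction directory, and an unsigned DLL loaded from a user-writable directory by a process running from that directory. The event layout, paths and the host binary and DLL names are assumptions, not indicators from the report.

```python
"""Heuristic detection of the XDigo delivery chain over Sysmon-style events.

Added example, not code from the original write-up. Event shape, paths and
file names are constructed assumptions for the example.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Processes that write extracted archive members; explorer.exe handles ZIP natively.
ARCHIVERS = {"7zfm.exe", "7zg.exe", "winrar.exe", "explorer.exe"}
# Path fragments that mark user-writable locations where archives get extracted.
USER_WRITABLE_HINTS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\appdata\\roaming\\")


@dataclass
class Event:
    """Subset of Sysmon fields: ID 1 ProcessCreate, 7 ImageLoad, 11 FileCreate."""
    event_id: int
    image: str                 # process performing the action
    target: str = ""           # FileCreate: TargetFilename; ImageLoad: ImageLoaded
    parent_image: str = ""     # ProcessCreate: ParentImage
    signed: bool = True        # ImageLoad: Signed field (describes the loaded DLL)


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def _dir(path):
    """Lower-cased parent directory with a trailing backslash for exact comparison."""
    return str(PureWindowsPath(path).parent).lower() + "\\"


def _user_writable(path):
    return any(hint in path.lower() for hint in USER_WRITABLE_HINTS)


def detect(events):
    """Return findings in event order; state is kept only for .lnk extraction dirs."""
    findings = []
    lnk_dirs = set()   # directories an archiver has written a .lnk into
    for ev in events:
        name = PureWindowsPath(ev.image).name.lower()
        if ev.event_id == 11 and name in ARCHIVERS and ev.target.lower().endswith(".lnk"):
            lnk_dirs.add(_dir(ev.target))
            findings.append(Finding("lnk-extracted-from-archive", ev.target))
        elif (ev.event_id == 1
              and PureWindowsPath(ev.parent_image).name.lower() == "explorer.exe"
              and _dir(ev.image) in lnk_dirs):
            # user double-clicked something in a folder that also received a .lnk
            findings.append(Finding("binary-run-beside-extracted-lnk", ev.image))
        elif (ev.event_id == 7 and not ev.signed and ev.target.lower().endswith(".dll")
              and _dir(ev.target) == _dir(ev.image) and _user_writable(ev.target)):
            # unsigned DLL resolved from the loader's own (user-writable) directory
            findings.append(Finding("possible-dll-sideload", f"{ev.image} loaded {ev.target}"))
    return findings


TEMP = "C:\\Users\\alice\\AppData\\Local\\Temp\\report\\"   # constructed extraction directory
SAMPLE_EVENTS = [  # constructed; host binary and DLL names are placeholders, not real IoCs
    Event(11, "C:\\Program Files\\7-Zip\\7zFM.exe", target=TEMP + "Report.lnk"),
    Event(11, "C:\\Program Files\\7-Zip\\7zFM.exe", target=TEMP + "helper.dll"),
    Event(1, TEMP + "signed_host.exe", parent_image="C:\\Windows\\explorer.exe"),
    Event(7, TEMP + "signed_host.exe", target=TEMP + "helper.dll", signed=False),
    # benign: a browser loading its own signed DLL from Program Files is not flagged
    Event(7, "C:\\Program Files\\Browser\\browser.exe",
          target="C:\\Program Files\\Browser\\browser_elf.dll", signed=True),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.rule}: {f.detail}")
```

The three rules are deliberately separate so each can be tuned on its own: the sideload rule in particular needs the user-writable-directory condition, because signed applications loading their own DLLs from Program Files is normal and would otherwise swamp the alert queue.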
🌐 C. Network and C2 Blocking
- Monitor outbound traffic for connections to known C2 domains, such as: quan-miami[.]com
- Use threat intelligence feeds to detect indicators of compromise (IOCs).
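Indicators in reports are published defanged, as quan-miami[.]com is above, so a log sweep has to refang them and must match the domain and its subdomains without also catching unrelated look-alike names. The script below is an added example, not code from the original write-up: the only indicator it uses is the domain listed above, the proxy log format (timestamp, client IP, method, URL, status) is an assumption, and the log lines themselves are constructed, including a subdomain and a look-alike host added to exercise the matcher.

```python
"""Matching outbound proxy log lines against defanged C2 indicators.

Added example, not from the original write-up. Log format and log lines are
constructed; the only real indicator is the domain the write-up lists.
"""
from urllib.parse import urlsplit

# Indicators as they appear in threat reports, defanged so they cannot be clicked.
DEFANGED_IOCS = ["quan-miami[.]com"]


def refang(ioc):
    """Undo the common defanging conventions so the value can be compared."""
    return ioc.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http").lower()


def domain_matches(host, ioc_domain):
    """True for the domain itself and any subdomain; rejects look-alikes such as
    'notquan-miami.com' that a plain substring test would accept."""
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)


def scan(lines, iocs=DEFANGED_IOCS):
    """Return (client_ip, host, matched_ioc) for every log line whose URL host
    is, or is under, an indicator domain."""
    refanged = [refang(i) for i in iocs]
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue            # malformed line; skip rather than abort the sweep
        _ts, client, _method, url, _status = fields[:5]
        host = urlsplit(url).hostname or ""
        for ioc in refanged:
            if domain_matches(host, ioc):
                hits.append((client, host, ioc))
    return hits


SAMPLE_LOG = [  # constructed proxy log lines; the subdomain and look-alike are invented
    "2025-03-14T10:02:11Z 10.0.0.12 GET https://quan-miami.com/wevjhnyh/ 200",
    "2025-03-14T10:02:13Z 10.0.0.12 POST https://cdn.quan-miami.com/wevjhnyh/ 200",
    "2025-03-14T10:03:00Z 10.0.0.15 GET https://example.org/ 200",
    "2025-03-14T10:03:05Z 10.0.0.15 GET https://notquan-miami.com/ 200",
    "garbage line",
]

if __name__ == "__main__":
    for client, host, ioc in scan(SAMPLE_LOG):
        print(f"{client} -> {host} (matches {ioc})")
```

Feeding the same `scan` function a threat-intelligence feed instead of the hard-coded list is a one-line change, since the feed's defanged entries go through `refang` before comparison.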
👨‍🏫 D. User Awareness
- Educate users about the dangers of opening unknown or unsolicited .LNK files inside compressed archives.
- Encourage safe email practices and proper incident reporting procedures.
📣 Conclusion
The XDigo malware marks an evolution in espionage tooling — blending modern development practices (Go language) with traditional techniques like DLL sideloading and malicious LNK files. Organizations in sensitive geopolitical zones should remain especially alert and bolster their cyber hygiene to prevent compromise.