XDSpy Threat Actors Exploit Windows LNK Zero-Day Vulnerability to Target Windows System Users


The XDSpy threat actor has been identified as exploiting a Windows LNK zero-day vulnerability, dubbed ZDI-CAN-25373, to target governmental entities in Eastern Europe and Russia.

This ongoing campaign, active since March 2025, employs an intricate multi-stage infection chain to deploy the malicious XDigo implant, crafted in Go, as revealed by a detailed investigation stemming from Trend Micro’s initial report.

Sophisticated Cyber Espionage Campaign

The exploitation of this vulnerability, in which excessive whitespace padding in the shortcut's command-line arguments keeps the malicious command out of view in the Windows Explorer UI, underscores the advanced tactics of XDSpy, a group known for its stealthy operations since 2011.

[Figure: Infection chain chart]

The investigation, initially sparked by a cluster of suspicious LNK files, has exposed how attackers exploit discrepancies between Microsoft’s MS-SHLLINK specification and its actual implementation, allowing hidden command execution that evades both user interface visibility and third-party parsers.
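To make the UI-versus-parser discrepancy concrete, the following is an added Python example (not code from the HarfangLab or Trend Micro reports) that reads the StringData section of a .lnk file according to the MS-SHLLINK layout and flags a COMMAND_LINE_ARGUMENTS field whose real content sits behind a long whitespace run; the 32-character threshold and the minimal sample builder are assumptions made for this example.

```python
import re
import struct

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
# LinkFlags bits (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 1 << 0, 1 << 1
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 1 << 2, 1 << 3, 1 << 4
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 1 << 5, 1 << 6, 1 << 7
STRING_FIELDS = ((HAS_NAME, "NAME_STRING"), (HAS_RELATIVE_PATH, "RELATIVE_PATH"),
                 (HAS_WORKING_DIR, "WORKING_DIR"), (HAS_ARGUMENTS, "COMMAND_LINE_ARGUMENTS"),
                 (HAS_ICON_LOCATION, "ICON_LOCATION"))
PADDING_THRESHOLD = 32  # assumed: a whitespace run long enough to push the real command out of view


def parse_string_data(data: bytes) -> dict:
    """Return the StringData fields of a .lnk buffer keyed by MS-SHLLINK field name."""
    if len(data) < LNK_HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a ShellLink header")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (2 bytes) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, not bytes
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + width * count]
        pos += width * count
        fields[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
    return fields


def has_padded_arguments(data: bytes) -> bool:
    """Flag COMMAND_LINE_ARGUMENTS where a long whitespace run precedes further content."""
    args = parse_string_data(data).get("COMMAND_LINE_ARGUMENTS", "")
    return re.search(r"\s{%d,}\S" % PADDING_THRESHOLD, args) is not None


def build_sample_lnk(arguments: str) -> bytes:
    """Constructed minimal .lnk (76-byte header + COMMAND_LINE_ARGUMENTS only) used as test input."""
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID,
                         HAS_ARGUMENTS | IS_UNICODE, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
```

Running has_padded_arguments over the bytes of each .lnk extracted from an inbound ZIP gives a cheap triage signal independent of what Explorer's Properties dialog displays.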

According to HarfangLab's report, the attack begins with spear-phishing emails distributing ZIP archives, such as “dokazatelstva.zip” and “proyekt.zip,” containing specially crafted LNK files that leverage the ZDI-CAN-25373 vulnerability alongside LNK parsing confusion.

Technical Intricacies

Once executed, these files trigger a legitimate Microsoft executable to sideload a malicious C# .NET DLL named ETDownloader, which establishes persistence and attempts to fetch the next-stage payload, suspected to be XDigo, from domains like vashazagruzka365[.]com.

XDigo, attributed to the same operation through infrastructure correlation, is a data collection implant with capabilities for file scanning, clipboard capture, and screenshot acquisition, communicating with command-and-control servers such as quan-miami[.]com.

Infrastructure analysis reveals XDSpy’s use of Russian-themed domain names for distribution servers and random English words for C2 servers, alongside selective markers like HTTP header patterns and redirections to large binary files on HuggingFace to thwart analysis.

[Figure: Initial connections of identified infrastructure to XDSpy]

The campaign’s targeting, focused on Belarusian governmental entities among others, aligns with XDSpy’s historical focus on Eastern European institutions, highlighting their persistent and tailored espionage efforts.

This operation’s technical sophistication is further evidenced by XDigo’s anti-analysis checks, AES-256-GCM encryption for data exfiltration, and RSA-based command authentication, illustrating an evolving threat landscape that demands robust defensive strategies against such stealthy adversaries.

Indicators of Compromise (IOCs)

| Type | Indicator (SHA-256 / Domain) | Description |
|------|------------------------------|-------------|
| ZIP Archive | a28ee84bfbad9107ad39802e25c24ae0eaa00a870eca09039076a0360dcbd869 | XDSpy ZIP, dokazatelstva.zip |
| LNK File | 0b705938e0063e73e03645e0c7a00f7c8d8533f1912eab5bf9ad7bc44d2cf9c3 | XDSpy LNK, доказательства_089741.lnk |
| ETDownloader | 792c5a2628ec1be86e38b0a73a44c1a9247572453555e7996bb9d0a58e37b62b | XDSpy ETDownloader, d3d9.dll |
| XDigo Malware | 0d983f5fb403b500ec48f13a951548d5a10572fde207cf3f976b9daefb660f7e | XDigo malware, vwjqrvdy.exe |
| Domain (Distribution) | vashazagruzka365[.]com | XDSpy distribution, March 2025 |
| Domain (C2) | quan-miami[.]com | XDigo C2, February 2025 |
