
XDSpy

Also known as: XDSpy

XDSpy is a cyber-espionage threat actor active since at least 2011. Reporting describes it as a previously undocumented espionage group that has targeted government agencies, militaries, ministries of foreign affairs, and private companies in Eastern Europe and the Balkans, with victims identified in Belarus, Moldova, Russia, Serbia, and Ukraine. More recent reporting attributes an ongoing campaign from March 2025 to XDSpy, targeting Eastern European and Russian governmental entities and including at least one confirmed victim in the Minsk region of Belarus.

Observed intrusion methods include spearphishing emails that deliver malicious attachments or links to ZIP/RAR archives, including LNK-based infection chains. In 2020, XDSpy also exploited the patched Internet Explorer vulnerability CVE-2020-0968 via malicious RTF and HTML files. In 2025, XDSpy was reported abusing Windows LNK weaknesses, including ZDI-CAN-25373 / CVE-2025-9491 and additional LNK parsing inconsistencies, to conceal command execution. Reported delivery chains used crafted LNK files inside ZIP archives such as dokazatelstva.zip and proyekt.zip, nested archives, decoy PDFs, and DLL sideloading via the legitimate signed Microsoft binary DeviceMetadataWizard.exe.

Its malware ecosystem includes XDDown, a downloader that persists via the Windows Registry Run key and retrieves plugins over HTTP; the plugins XDRecon, XDList, XDMonitor, XDUpload, XDLoc, and XDPass provide reconnaissance, file discovery, removable media monitoring, file exfiltration, Wi-Fi-based geolocation, and password theft respectively. Recent activity is also linked to ETDownloader, a .NET downloader that establishes persistence via a Startup-folder batch file, and to XDigo, a Go-based espionage implant attributed to XDSpy. XDigo has been described as collecting host and user information, directory listings, clipboard contents, screenshots, and documents, staging the data into AES-256-GCM-encrypted ZIP archives, and communicating with command-and-control over HTTPS using encrypted and signed tasking.

Researchers cited in the underlying reporting state that they could not confidently link XDSpy to any publicly known APT group on the basis of malware code or infrastructure overlap. The actor is consistently characterized as an espionage-focused group with a long-running emphasis on government targets in Eastern Europe, and in Belarus in particular. Related malware families and components named in the reporting include XDDown, XDRecon, XDList, XDMonitor, XDUpload, XDLoc, XDPass, ETDownloader, and XDigo.
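A defender-side triage routine for the attachment pattern described above: an LNK inside a ZIP, nested archives, and a command line concealed from the user. This is an added example, not code from the page or from any vendor; it walks the MS-SHLLINK header layout to reach COMMAND_LINE_ARGUMENTS and flags the whitespace padding that public write-ups of ZDI-CAN-25373 describe, and every filename and LNK body below is constructed for the demo.

```python
import io, struct, zipfile

LNK_MAGIC = b"\x4c\x00\x00\x00"   # ShellLinkHeader.HeaderSize is always 0x4C
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x1, 0x2, 0x4, 0x8
HAS_WORKING_DIR, HAS_ARGUMENTS, IS_UNICODE = 0x10, 0x20, 0x80

def lnk_arguments(data):
    """COMMAND_LINE_ARGUMENTS of a .lnk per the MS-SHLLINK layout, or None if absent."""
    if len(data) < 0x4C or data[:4] != LNK_MAGIC:
        return None
    flags, pos = struct.unpack_from("<I", data, 0x14)[0], 0x4C   # LinkFlags at 0x14
    if flags & HAS_ID_LIST:     # LinkTargetIDList: u16 size, then that many bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:   # LinkInfo: u32 size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    for flag in (HAS_NAME, HAS_REL_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS):
        if flags & flag:        # StringData: u16 char count followed by the chars
            size = struct.unpack_from("<H", data, pos)[0] * width
            raw, pos = data[pos + 2 : pos + 2 + size], pos + 2 + size
            if flag == HAS_ARGUMENTS:
                return raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")

def triage_zip(blob):
    """Flag nested archives and padded-argument LNKs inside a ZIP attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in zf.namelist():
            if name.lower().endswith((".zip", ".rar")):
                findings.append(f"{name}: nested archive")
            elif name.lower().endswith(".lnk"):
                args = lnk_arguments(zf.read(name)) or ""
                pad = len(args) - len(args.strip())
                if pad > 32:    # real shortcuts never carry this much leading/trailing space
                    findings.append(f"{name}: arguments hidden behind {pad} whitespace chars")
    return findings

def build_lnk(args):
    """Constructed minimal .lnk (header + arguments only, no IDList/LinkInfo); not a real sample."""
    header = bytearray(LNK_MAGIC + bytes(0x48))
    struct.pack_into("<I", header, 0x14, HAS_ARGUMENTS | IS_UNICODE)
    return bytes(header) + struct.pack("<H", len(args)) + args.encode("utf-16-le")

def sample_zip():
    """Constructed attachment shaped like the reported chain: nested archive plus padded LNK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("proyekt.zip", b"PK\x03\x04 constructed stub")
        zf.writestr("dokazatelstva.lnk", build_lnk(" " * 300 + "/c start loader.bat"))
    return buf.getvalue()
```

On a mail gateway the same two checks run over every archive entry; the LNK parser also handles shortcuts that carry an IDList or LinkInfo block, which the constructed sample omits.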


OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Government & Administration
  • Military

Where they target

Geographies tied to known operations.

  • 🇧🇾 Belarus
  • 🇲🇩 Moldova
  • 🇷🇺 Russia
  • 🇷🇸 Serbia
  • 🇺🇦 Ukraine
MITRE ATT&CK

Tradecraft

31 distinct techniques observed across reporting, grouped by tactic.

10 of 15 tactics, 44 techniques. ×N = number of intelligence reports citing this technique.

TA0001 Initial Access (1 technique)
  • T1566 Phishing
      • T1566.001 Spearphishing Attachment ×2
      • T1566.002 Spearphishing Link

TA0002 Execution (4 techniques)
  • T1059 Command and Scripting Interpreter
      • T1059.003 Windows Command Shell
      • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution
  • T1204 User Execution
      • T1204.001 Malicious Link
      • T1204.002 Malicious File ×2
  • T1574 Hijack Execution Flow
      • T1574.001 DLL

TA0003 Persistence (1 technique)
  • T1547 Boot or Logon Autostart Execution
      • T1547.001 Registry Run Keys / Startup Folder ×3
      • T1547.009 Shortcut Modification

TA0004 Privilege Escalation (1 technique)
  • T1547 Boot or Logon Autostart Execution
      • T1547.001 Registry Run Keys / Startup Folder ×3
      • T1547.009 Shortcut Modification

TA0005 Stealth (6 techniques)
  • T1027 Obfuscated Files or Information
  • T1036 Masquerading
  • T1211 Exploitation for Stealth
  • T1218 System Binary Proxy Execution
  • T1497 Virtualization/Sandbox Evasion
  • T1574 Hijack Execution Flow
      • T1574.001 DLL

TA0006 Credential Access (1 technique)
  • T1555 Credentials from Password Stores

TA0007 Discovery (4 techniques)
  • T1033 System Owner/User Discovery
  • T1082 System Information Discovery ×2
  • T1083 File and Directory Discovery ×2
  • T1497 Virtualization/Sandbox Evasion

TA0009 Collection (6 techniques)
  • T1005 Data from Local System ×2
  • T1025 Data from Removable Media
  • T1113 Screen Capture ×2
  • T1115 Clipboard Data
  • T1119 Automated Collection
  • T1560 Archive Collected Data
      • T1560.001 Archive via Utility

TA0011 Command and Control (3 techniques)
  • T1071 Application Layer Protocol
      • T1071.001 Web Protocols ×2
  • T1105 Ingress Tool Transfer
  • T1573 Encrypted Channel
      • T1573.001 Symmetric Cryptography

TA0010 Exfiltration (2 techniques)
  • T1020 Automated Exfiltration
  • T1041 Exfiltration Over C2 Channel
IOCS

Observables

47 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.

