Mallory
Malware · Used by 2 actors · Exploits 1 CVE

ETDownloader

ETDownloader is a C#/.NET first-stage downloader used in a March 2025 onward cyber-espionage campaign attributed to XDSpy. It is delivered through a multi-stage Windows LNK-based infection chain in which specially crafted shortcut files distributed inside ZIP archives ultimately launch a legitimate signed Microsoft binary, DeviceMetadataWizard.exe, to sideload a malicious d3d9.dll identified as ETDownloader. The malware has been associated with targeting governmental entities in Eastern Europe and Russia, with a confirmed victim in Belarus.

Observed delivery artifacts included ZIP archives such as dokazatelstva.zip and proyekt.zip containing malicious LNK lures, a second ZIP disguised with an .ini extension, DeviceMetadataWizard.exe, the malicious d3d9.dll, and decoy PDF files. The LNK execution chain used jsc.exe to compile JScript.NET into a temporary unzip utility and used forfiles.exe as part of execution. ETDownloader opens a decoy PDF by moving test.cfg into the user Documents folder and launching it via Explorer.

ETDownloader establishes persistence by creating startapp.bat in the user Startup folder at C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup, so that it runs at each logon. The batch file launches %AppData%\2A5S2FQJSU9B\YEZYZO107H.exe with the /startup argument. The malware attempts to download and execute an additional stage-2 payload, assessed with moderate to high confidence to be the Go-based XDigo implant. One reported hardcoded download URL was hxxps://vashazagruzka365[.]com/zagruzka/?pti=hlicbz&yay=G9CUTb3S8U4XHr8. The downloaded payload is decoded via base64, XORed with key 11PDL19R6LMRJPCQ, base64-decoded again, and saved as ytoqovbxx.exe under %AppData%\Roaming\2A5S2FQJSU9B.
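The three-layer wrapping described above (base64, XOR with the reported key, base64 again) is simple to reverse during triage of a captured download. The following Python is an added example, not code from the Mallory page or from any vendor report: it unwraps a stage-2 blob and checks that the result carries a PE header before anything else is done with it. It assumes the XOR key is applied as a repeating key over the whole buffer (the page does not say how the key is applied), and the sample blob is constructed here from a placeholder payload, not from the real XDigo binary.

```python
import base64
import binascii

# Key reported for this sample. Applying it as a repeating key is an assumption.
REPORTED_XOR_KEY = b"11PDL19R6LMRJPCQ"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the operation is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_stage2(blob: bytes, key: bytes = REPORTED_XOR_KEY) -> bytes:
    """Reverse the reported wrapping: base64-decode, XOR, base64-decode again.

    validate=True makes a wrong key fail loudly (binascii.Error) instead of
    silently producing garbage, because the XORed bytes stop being base64.
    """
    layer1 = base64.b64decode(blob, validate=True)
    layer2 = xor_with_key(layer1, key)
    return base64.b64decode(layer2, validate=True)


def encode_stage2(payload: bytes, key: bytes = REPORTED_XOR_KEY) -> bytes:
    """Forward wrapping, used here only to build a test blob from a constructed payload."""
    return base64.b64encode(xor_with_key(base64.b64encode(payload), key))


def looks_like_pe(data: bytes) -> bool:
    """Sanity check: a dropped executable should begin with the 'MZ' DOS header."""
    return data[:2] == b"MZ"


def decode_if_pe(blob: bytes, key: bytes = REPORTED_XOR_KEY):
    """Return the unwrapped payload when it decodes cleanly and looks like a PE, else None."""
    try:
        payload = decode_stage2(blob, key)
    except (binascii.Error, ValueError):
        return None
    return payload if looks_like_pe(payload) else None


# Constructed stand-in for the downloaded blob; NOT the real XDigo payload.
CONSTRUCTED_PAYLOAD = b"MZ" + b"\x90" * 14 + b"constructed-test-payload"
CONSTRUCTED_BLOB = encode_stage2(CONSTRUCTED_PAYLOAD)

if __name__ == "__main__":
    result = decode_if_pe(CONSTRUCTED_BLOB)
    print("decoded PE-looking payload:", result is not None)
```

Point the script at the raw bytes fetched from the staging URL (or carved from a proxy/sandbox capture) and hash the returned payload rather than the wrapped blob, since the wrapped form changes whenever the key or wrapping changes while the inner XDigo binary may not.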

The malware is obfuscated with ConfuserEx2 or a variant plus an additional XOR-based string encoding layer. Reported sample details include the sideloaded ETDownloader d3d9.dll with SHA-256 792c5a2628ec1be86e38b0a73a44c1a9247572453555e7996bb9d0a58e37b62b and reported compilation time 2025-03-05 13:18:57. High-confidence related artifacts in the infection chain include DeviceMetadataWizard.exe SHA-256 1793dae4d05cc7be9575f14ae7a73ffe3b8279a811c0db40f56f0e2c1ee8dd61. ETDownloader is consistently described as the stage-1 downloader in this XDSpy-linked intrusion set and as the component responsible for persistence and retrieval of the follow-on espionage implant.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

EXPLOITED CVES

Vulnerabilities exploited

1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

1 CVE
CVE-2025-9491 · Microsoft Windows LNK File UI Misrepresentation Remote Code Execution Vulnerability · Exploited in the wild

HarfangLab said it observed the threat actor leveraging a remote code execution flaw in Microsoft Windows that's triggered when processing specially crafted LNK files. The vulnerability (ZDI-CAN-25373) was publicly disclosed by Trend Micro earlier this March. | The DLL is a first-stage downloader dubbed ETDownloader that, in turn, is likely meant to deploy a data collection implant referred to as XDigo...

via The Hacker News (thehackernews.com)
THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

XDSpy

The stage 1 downloader (ETDownloader) established persistence by creating `startapp.bat` in the Startup folder

via Picus Security blog (picussecurity.com)
Silent Werewolf

The DLL is a first-stage downloader dubbed ETDownloader that, in turn, is likely meant to deploy a data collection implant referred to as XDigo...

via The Hacker News (thehackernews.com)
MITRE ATT&CK

Techniques & procedures

13 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1566.001 Spearphishing Attachment (evidence: 1)

“A third party publication … indicated some of those ZIP archives at least were distributed via spearphishing emails containing links to the archives.”

Execution

5 techniques
T1059 Command and Scripting Interpreter (evidence: 1)

The LNK file executed a complex Windows shell one-liner that:

    for /R "%USERPROFILE%" %f in (proyekt.zip) do (
        echo [JavaScript .NET code] > %TEMP%\B5DUC80ULT7L.a
        %_jsc% /nologo /r:System.IO.Compression.FileSystem.dll /out:%TEMP%\unzip.exe %TEMP%\B5DUC80ULT7L.a
        %TEMP%\unzip.exe "%f" "%USERPROFILE%\L80OWGTGHWBX"
        start "" /MIN "%USERPROFILE%\L80OWGTGHWBX\YEZYZO107H.exe"
    )

T1059.003 Windows Command Shell (evidence: 1)

“The LNK file triggers the execution of an intricate Windows shell command one-liner…”

T1059.007 JavaScript (evidence: 1)

“stores a JavaScript .NET code snippet … compiles the latter to an assembly … using … jsc.exe … runs … unzip.exe”

T1204.002 Malicious File (evidence: 1)

“The execution chain initiates with the user unzipping the archive and opening the embedded LNK file…”

T1574.001 DLL (evidence: 1)

“This executable in turn sideloads the malicious d3d9.dll.”

Persistence

2 techniques
T1547.001 Registry Run Keys / Startup Folder (evidence: 2)

The primary persistence mechanism targets the Windows Startup folder, located at:

    %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
    %PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup\

The Windows Explorer shell automatically enumerates and executes all items within these directories during the user logon process.

T1547.009 Shortcut Modification (evidence: 1)

T1547.009 Shortcut Modification is a technique in the MITRE ATT&CK framework under the Persistence tactic. It involves the modification of shortcuts (typically .lnk files) in Windows to achieve persistence by ensuring that malicious programs or scripts are executed whenever the user interacts with the shortcut.

Privilege Escalation

2 techniques
T1547.001 Registry Run Keys / Startup Folder (evidence: 2)

The primary persistence mechanism targets the Windows Startup folder, located at:

    %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
    %PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup\

The Windows Explorer shell automatically enumerates and executes all items within these directories during the user logon process.

T1547.009 Shortcut Modification (evidence: 1)

T1547.009 Shortcut Modification is a technique in the MITRE ATT&CK framework under the Persistence tactic. It involves the modification of shortcuts (typically .lnk files) in Windows to achieve persistence by ensuring that malicious programs or scripts are executed whenever the user interacts with the shortcut.

Stealth

4 techniques
T1027 Obfuscated Files or Information (evidence: 1)

“downloaded payload is decoded with base64, then using XOR … then base64 again”

T1036 Masquerading (evidence: 1)

“another ZIP archive disguised with an .ini extension … a decoy PDF document, renamed as test.cfg”

T1218 System Binary Proxy Execution (evidence: 1)

“extract … a renamed, legitimate and signed Microsoft executable (… DeviceMetadataWizard.exe) … [which] sideloads the malicious d3d9.dll.”

T1574.001 DLL (evidence: 1)

“This executable in turn sideloads the malicious d3d9.dll.”

Discovery

1 technique
T1082 System Information Discovery (evidence: 1)

“for /f %j in ('dir /b /s /a:-d /o:-n "%SystemRoot%\Microsoft.Net\Framework\*jsc.exe"') do @set "_jsc=%j"”

Command and Control

1 technique
T1105 Ingress Tool Transfer (evidence: 1)

“downloads the next stage payload from a hardcoded URL … the downloaded payload is … saved under … ytoqovbxx.exe, [and] executed”
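The Execution, Persistence and Stealth entries above name three host artefacts that stand out in endpoint telemetry: jsc.exe compiling an assembly into %TEMP% (T1059.007), d3d9.dll loaded from a user-writable directory next to DeviceMetadataWizard.exe (T1574.001), and a new file in a Startup folder (T1547.001). The following Python is an added example, not code from the Mallory page or from any of the cited researchers; it applies those three checks to constructed process, image-load and file-create records. The event field names (kind, image, cmdline, loaded, path) and every sample path are assumptions made for this example, and the benign look-alikes are there to show what the rules must not fire on.

```python
import re

# Constructed sample telemetry, not real logs. The Sysmon-like dict shape is an assumption.
SAMPLE_EVENTS = [
    # 1. jsc.exe compiling a JScript.NET snippet into %TEMP%\unzip.exe (the LNK chain).
    {"kind": "process",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe",
     "cmdline": r"jsc.exe /nologo /r:System.IO.Compression.FileSystem.dll "
                r"/out:C:\Users\a\AppData\Local\Temp\unzip.exe C:\Users\a\AppData\Local\Temp\B5DUC80ULT7L.a"},
    # 2. Renamed DeviceMetadataWizard.exe loading d3d9.dll from its own user directory.
    {"kind": "image_load",
     "image": r"C:\Users\a\L80OWGTGHWBX\YEZYZO107H.exe",
     "loaded": r"C:\Users\a\L80OWGTGHWBX\d3d9.dll"},
    # 3. startapp.bat dropped into the per-user Startup folder.
    {"kind": "file_create",
     "path": r"C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\startapp.bat"},
    # Benign look-alikes that must stay quiet.
    {"kind": "process",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe",
     "cmdline": r"jsc.exe /out:C:\build\tool.exe C:\src\tool.js"},
    {"kind": "image_load",
     "image": r"C:\Program Files\Game\game.exe",
     "loaded": r"C:\Windows\System32\d3d9.dll"},
    {"kind": "file_create",
     "path": r"C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notes.txt"},
]

TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
SYSTEM_DIRS = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)


def rule_jsc_temp_compile(ev):
    """jsc.exe writing its output assembly into a Temp directory."""
    if ev.get("kind") != "process" or not ev["image"].lower().endswith("\\jsc.exe"):
        return None
    m = re.search(r"/out:(\S+)", ev.get("cmdline", ""), re.IGNORECASE)
    if m and TEMP_DIR.search(m.group(1)):
        return "jsc_compiles_to_temp"
    return None


def rule_d3d9_sideload(ev):
    """d3d9.dll resolved from outside the Windows system directories (sideload candidate)."""
    if ev.get("kind") != "image_load":
        return None
    loaded = ev["loaded"]
    if loaded.lower().endswith("\\d3d9.dll") and not SYSTEM_DIRS.match(loaded):
        return "d3d9_loaded_outside_system_dir"
    return None


def rule_startup_folder_drop(ev):
    """Any new file in a per-user or machine Startup folder."""
    if ev.get("kind") != "file_create":
        return None
    if STARTUP_DIR.search(ev["path"]):
        return "startup_folder_file_created"
    return None


RULES = (rule_jsc_temp_compile, rule_d3d9_sideload, rule_startup_folder_drop)


def triage(events):
    """Return (rule_name, event) pairs for every event that matches a rule."""
    hits = []
    for ev in events:
        for rule in RULES:
            name = rule(ev)
            if name:
                hits.append((name, ev))
    return hits


if __name__ == "__main__":
    for name, ev in triage(SAMPLE_EVENTS):
        print(name, "->", ev.get("cmdline") or ev.get("loaded") or ev.get("path"))
```

Each of the three rules is noisy on its own (developers do run jsc.exe, games ship their own d3d9.dll); the value is in seeing them from the same user within minutes, which is how the chain above actually unfolds, so correlate the hits by user and time window before alerting.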

INDICATORS OF COMPROMISE

IOCs tracked for this family

3 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network
3 tracked

IPs, domains, and DNS infrastructure linked to this family.

Type   | Value                              | Latest sighting
domain | (redacted; full value in Mallory)  | 3 months ago
domain | (redacted; full value in Mallory)  | 3 months ago
domain | (redacted; full value in Mallory)  | 8 months ago
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching (3)

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (2)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities (1)

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (13)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.