XDDown

Malware. Used by 1 actor. Exploits 1 CVE.


EXPLOITED CVES

Vulnerabilities exploited

One CVE that Mallory has correlated with this family across public research and vendor advisories.

CVE-2020-0968: Internet Explorer Scripting Engine Memory Corruption RCE (exploited in the wild)

At the end of June 2020, the operators stepped up their game by using a vulnerability in Internet Explorer, CVE-2020-0968, which had been patched in April 2020. Instead of delivering an archive with a LNK file, the C&C server was delivering an RTF file that, once opened, downloaded an HTML file exploiting the aforementioned vulnerability.

Source: ESET WeLiveSecurity blog (welivesecurity.com)
THREAT ACTORS

Groups observed using it

One distinct threat actor attributed by public researchers.

XDSpy

XDDown is the main malware component and is strictly a downloader. It persists on the system using the traditional Run key. It downloads additional plugins from the hardcoded C&C server using the HTTP protocol.

Source: ESET WeLiveSecurity blog (welivesecurity.com)
MITRE ATT&CK

Techniques & procedures

9 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

2 techniques
T1566.001 Spearphishing Attachment (evidence: 1)

XDSpy has sent spearphishing emails with a malicious attachment.

T1566.002 Spearphishing Link (evidence: 1)

XDSpy has sent spearphishing emails with a link to a malicious archive.

Execution

3 techniques
T1203 Exploitation for Client Execution (evidence: 1)

XDSpy has exploited a vulnerability (CVE-2020-0968) in Internet Explorer (triggered by a malicious RTF file).

T1204.001 Malicious Link (evidence: 1)

XDSpy has lured targets to download malicious archives containing malicious files such as LNK.

T1204.002 Malicious File (evidence: 1)

XDSpy has lured targets to execute malicious files such as LNK or RTF.

Persistence

1 technique
T1547.001 Registry Run Keys / Startup Folder (evidence: 1)

XDDownload persists using the Run key.

Privilege Escalation

1 technique
T1547.001 Registry Run Keys / Startup Folder (evidence: 1)

XDDownload persists using the Run key.

Command and Control

2 techniques
T1071.001 Web Protocols (evidence: 1)

XDSpy uses HTTP for command and control.

T1573.001 Symmetric Cryptography (evidence: 1)

XDDownload downloads additional components encrypted with a 2-byte static XOR key.

Exfiltration

1 technique
T1041 Exfiltration Over C2 Channel (evidence: 1)

XDSpy exfiltrates stolen data over the C&C channel.
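The T1573.001 entry above notes that the downloader fetches additional components protected only by a 2-byte static XOR key. For an analyst that is good news: a repeating two-byte key can be recovered from a captured component without the key being known in advance. The following is an added triage example, not code from Mallory, ESET or the malware itself. It assumes the downloaded components are Windows executables (the page only calls them "plugins"), and the key value 0x3AC7 and the PE-shaped sample blob are constructed for illustration; the real XDDown key is not given on this page.

```python
"""Recover a 2-byte static XOR key from an encoded payload and decode it.

Two recovery strategies are shown:
  1. known-plaintext: a PE file starts with 'MZ', so the first two ciphertext
     bytes XOR b'MZ' give the key directly;
  2. frequency fallback: PE headers are dominated by 0x00 bytes, so the most
     common ciphertext byte at each key position is most likely key ^ 0x00.
Both candidates are verified against the DOS stub string before being trusted.
"""
from collections import Counter
from itertools import cycle
from typing import Optional

DOS_STUB_TEXT = b"This program cannot be run in DOS mode"

# Constructed key for the example; the real XDDown key is not on the page.
SAMPLE_KEY = b"\x3a\xc7"


def xor_decode(blob: bytes, key: bytes) -> bytes:
    """XOR every byte of blob with the repeating key (symmetric: also encodes)."""
    return bytes(b ^ k for b, k in zip(blob, cycle(key)))


def recover_key(blob: bytes, key_len: int = 2) -> Optional[bytes]:
    """Known-plaintext recovery: assume the decoded data begins with 'MZ'."""
    if len(blob) < key_len:
        return None
    candidate = xor_decode(blob[:key_len], b"MZ"[:key_len])
    # Accept only if the rest of the file also decodes to a plausible PE header.
    if DOS_STUB_TEXT in xor_decode(blob, candidate):
        return candidate
    return None


def guess_key_by_frequency(blob: bytes, key_len: int = 2) -> Optional[bytes]:
    """Fallback when the MZ header is missing or the blob is a fragment."""
    if len(blob) < 2 * key_len:
        return None
    key = bytearray()
    for i in range(key_len):
        column = blob[i::key_len]                      # bytes encoded with key[i]
        key.append(Counter(column).most_common(1)[0][0])  # most common ct byte = key[i] ^ 0x00
    candidate = bytes(key)
    if DOS_STUB_TEXT in xor_decode(blob, candidate):
        return candidate
    return None


def triage(blob: bytes) -> dict:
    """Try both strategies and report the key, how it was found, and whether
    the decoded data looks like a PE file (MZ header plus PE signature)."""
    key = recover_key(blob)
    method = "known-plaintext"
    if key is None:
        key = guess_key_by_frequency(blob)
        method = "frequency"
    if key is None:
        return {"key": None, "method": None, "decoded": None, "looks_like_pe": False}
    decoded = xor_decode(blob, key)
    return {
        "key": key.hex(),
        "method": method,
        "decoded": decoded,
        "looks_like_pe": decoded.startswith(b"MZ") and b"PE\x00\x00" in decoded,
    }


def build_sample_payload() -> bytes:
    """Constructed PE-shaped plaintext (not a real executable): an MZ header,
    the DOS stub message and a PE signature, padded with the zero bytes that
    real headers are full of."""
    return (b"MZ" + b"\x00" * 62
            + DOS_STUB_TEXT + b".\r\r\n$" + b"\x00" * 40
            + b"PE\x00\x00" + b"\x00" * 64
            + b".text\x00\x00\x00" + bytes(range(64)))


def encoded_sample() -> bytes:
    """The constructed plugin as it would arrive over HTTP: XORed with SAMPLE_KEY."""
    return xor_decode(build_sample_payload(), SAMPLE_KEY)


if __name__ == "__main__":
    full = triage(encoded_sample())
    print(f"full blob : key={full['key']} via {full['method']} pe={full['looks_like_pe']}")
    frag = triage(encoded_sample()[2:])      # header stripped: forces the fallback
    print(f"fragment  : key={frag['key']} via {frag['method']} pe={frag['looks_like_pe']}")
```

The frequency fallback is what makes this useful on partial captures (a truncated HTTP response, a carved disk fragment): it needs no header, only enough bytes for 0x00 to dominate each key column, which is true of almost any PE. Either way the recovered key is not trusted until the decoded data shows the DOS stub text, so a coincidental match on two bytes does not produce a false "decoded" result.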

INDICATORS OF COMPROMISE

IOCs tracked for this family

36 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network
31 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
5 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.
