XDigo Malware
Cybersecurity researchers have uncovered a new cyber espionage campaign involving a Go-based stealer dubbed XDigo, which was deployed in March 2025 against Eastern European governmental organizations. The malware is linked to the persistent threat actor group XDSpy, active in the region since at least 2011.
The Return of XDSpy: A Decade of Surveillance
XDSpy is a well-documented cyber espionage group known for targeting government agencies across Eastern Europe and the Balkans. First publicly analyzed in 2020, XDSpy has maintained a steady pattern of activity, evolving its toolkit and targeting scope over the years.
Recent campaigns attributed to the group have hit organizations in Russia and Moldova, deploying malware families like UTask, XDDown, and DSDownloader—tools designed to download additional payloads and siphon sensitive data from infected systems.
LNK Exploits: The Hidden Danger Behind Windows Shortcuts
The XDigo campaign employs a multi-stage attack chain that begins with Windows shortcut files (.LNK), exploiting a remote code execution vulnerability in Microsoft Windows tracked as ZDI-CAN-25373, publicly disclosed in March 2025.
This vulnerability arises from improper handling of specially crafted LNK files, allowing malicious content to remain invisible in the user interface but still execute code in the context of the current user. Further inspection revealed a subset of nine such LNK files, exploiting a parsing confusion flaw caused by Microsoft’s partial implementation of the MS-SHLLINK specification (v8.0).
Parsing Confusion: Specification vs. Implementation
The MS-SHLLINK spec allows for string lengths of up to 65,535 characters, but Windows 11 limits actual content to 259 characters, with command-line arguments being the exception. This mismatch introduces inconsistencies in how LNK files are interpreted across platforms.
Attackers exploit this gap by crafting LNK files that one parser treats as valid and another as invalid, enabling:
- Execution of unexpected or hidden commands
- Evasion of detection by both the Windows UI and third-party analysis tools
By combining this with whitespace padding techniques, adversaries effectively obscure the true intent of the shortcut, increasing the chances of successful execution without alerting users or security tools.
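To make the parsing mismatch concrete from a detection standpoint, here is an added example (not code from the original report or from XDSpy tooling) that walks the MS-SHLLINK StringData section of a shortcut and flags fields that are whitespace-padded or exceed the 259-character limit the text describes; the 16-character padding threshold, the cp1252 fallback for non-Unicode strings, and the minimal sample shortcut built for testing are assumptions.

```python
import struct
HEADER_SIZE = 0x4C
# LinkFlags bits from MS-SHLLINK 2.1.1 (only those this parser needs)
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData fields in the order they appear, with the flag that enables each
STRING_FIELDS = [("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
                 ("arguments", 0x20), ("icon_location", 0x40)]
UI_LIMIT, PAD_THRESHOLD = 259, 16   # 259 per the text; padding threshold is an assumption

def parse_string_data(data: bytes) -> dict:
    """Skip header, optional IDList and LinkInfo, then decode each StringData field."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link header")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_ID_LIST:           # IDListSize (2 bytes) precedes the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:         # LinkInfoSize is the first dword of LinkInfo
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        raw = data[pos:pos + count * (2 if unicode else 1)]
        pos += len(raw)
        # ANSI strings use the system code page; cp1252 is an assumption here
        fields[name] = raw.decode("utf-16-le" if unicode else "cp1252", "replace")
    return fields

def find_lnk_anomalies(data: bytes) -> list:
    """Return human-readable findings for padded or over-length string fields."""
    findings = []
    for name, value in parse_string_data(data).items():
        visible = value.lstrip(" \t\r\n\f\v")
        pad = len(value) - len(visible)
        if pad >= PAD_THRESHOLD:
            findings.append(f"{name}: {pad} leading whitespace chars hide {visible[:40]!r}")
        if name != "arguments" and len(value) > UI_LIMIT:
            findings.append(f"{name}: {len(value)} chars exceed the {UI_LIMIT}-char limit")
    return findings

def build_sample_lnk(arguments: str) -> bytes:
    """Constructed test fixture: minimal header with HasArguments|IsUnicode set."""
    header = (struct.pack("<I", HEADER_SIZE) + bytes(16)
              + struct.pack("<I", 0x20 | IS_UNICODE)).ljust(HEADER_SIZE, b"\0")
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
```

On a real shortcut, pass the file bytes to `find_lnk_anomalies`; any finding on the arguments field is the padding pattern worth a closer look.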
Infection Chain: ZIP Archives, Decoys, and DLL Sideloading
The identified nine malicious LNK files were distributed in ZIP archives, each containing another ZIP archive that bundled:
- A decoy PDF document
- A renamed legitimate executable
- A malicious DLL sideloaded by the binary
This DLL, named ETDownloader, serves as a first-stage payload designed to download the main implant, XDigo.
XDigo: A Refined Data Stealer
XDigo is a Go-based malware implant assessed to be an evolution of UsrRunVGA.exe, previously documented in October 2023. It is equipped to:
- Harvest local files.
- Capture clipboard content.
- Take screenshots.
- Execute commands or binaries fetched from a remote server via HTTP GET.
- Exfiltrate stolen data using HTTP POST requests.
This functionality confirms XDigo’s role as an espionage-oriented stealer designed for stealthy information gathering.
Target Profile and Tactical Consistency
Investigators have confirmed at least one target in the Minsk region, with further signs pointing to operations against Russian retail groups, financial institutions, insurance companies, and governmental postal services. This victimology aligns closely with XDSpy’s historical focus, especially on Eastern Europe and Belarus.
Evasion Techniques and Tactical Sophistication
XDSpy has demonstrated a strong capability for evading modern defenses. Notably, their malware was the first to attempt evasion of a specific sandbox solution, reflecting a high degree of customization and adaptability in response to evolving security landscapes.
Summary: Key Takeaways
The XDigo campaign showcases a sophisticated blend of techniques and targeting strategies. It involved the exploitation of a Windows vulnerability identified as ZDI-CAN-25373 through specially crafted LNK files, alongside manipulation of LNK parsing inconsistencies to obscure malicious activity. Attackers also relied on DLL sideloading by using renamed legitimate executables to load rogue components. Communication with command-and-control infrastructure and the exfiltration of stolen data were conducted over standard HTTP protocols, enabling stealth and evasion.
In terms of targeting, the campaign focused heavily on governmental entities, particularly in Belarus and Russia. It also extended its reach to financial and retail sectors, as well as large insurance companies and national postal services. This operation underlines the persistent innovation of state-aligned threat actors and reinforces the critical need to scrutinize even seemingly harmless file types, such as LNK files, for hidden threats.