
After years of operating in near-total obscurity, the cyber-espionage group XDSpy has resurfaced in a sophisticated campaign targeting government organizations across Eastern Europe and Russia. In a comprehensive report released by HarfangLab, researchers shed light on XDSpy’s newest tooling, including a revamped malware implant named XDigo and its use of an obscure vulnerability in Windows LNK file parsing, previously cataloged as ZDI-CAN-25373.
XDSpy has long evaded widespread scrutiny. “XDSpy is a peculiar case in the persistent cyber espionage landscape,” HarfangLab notes, “having operated largely undetected from 2011 until its discovery by ESET researchers in early 2020.” Since then, its activities have largely been tracked only by Russian and Chinese firms, leaving a significant intelligence blind spot in Western cybersecurity.
This latest report represents a rare and detailed public analysis of XDSpy’s evolution, triggered by HarfangLab’s forensic deep dive into a small set of malicious LNK files submitted to public malware repositories in March 2025.
The campaign hinges on the exploitation of a subtle yet dangerous vulnerability in the way Microsoft Windows displays LNK shortcut file properties. The vulnerability, ZDI-CAN-25373, allows attackers to hide command-line arguments in the “Target” field of a shortcut using extensive whitespace padding.
“Those arguments will not appear in the LNK properties UI,” HarfangLab explains, adding that the technique allows executed commands to be “padded right out of the Target text box… and only whitespaces will be shown to the user.”
Further analysis revealed that Windows doesn’t even implement its own LNK parsing specification consistently. “Microsoft does not actually implement its own MS-SHLLINK specification to parse LNK files,” the researchers observe, enabling crafted shortcuts to behave one way in Windows but appear benign to forensic tools.
This inconsistency became a powerful evasion technique when combined with the whitespace vulnerability.
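To show what the padding trick looks like from the analyst's side, here is an added example that is not HarfangLab's code or anything from the report. It builds a constructed, benign ShellLink file following the MS-SHLLINK layout, parses the StringData section, and flags a COMMAND_LINE_ARGUMENTS string whose longest whitespace run would push the real command out of the visible Target box. The 32-character threshold, the sample command and the helper names are assumptions for this example. Because, as the report notes, Windows itself does not parse LNK files strictly per the specification, a spec-driven parser like this one is a triage aid and should be paired with other checks rather than treated as the last word on what Explorer will run.

```python
import struct

# Constants from the MS-SHLLINK layout (ShellLinkHeader and LinkFlags).
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData entries in the order the specification lays them out.
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# Characters the shortcut properties dialog renders as blank space.
WHITESPACE = " \t\r\n\x0b\x0c"


def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a ShellLink file (spec-driven parse)."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a ShellLink file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76  # end of the fixed-size ShellLinkHeader
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]  # IDListSize + IDList
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]  # LinkInfoSize covers the whole block
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no terminator
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        pos += nbytes
        fields[name] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252", errors="replace")
    return fields


def longest_whitespace_run(s: str) -> int:
    """Length of the longest consecutive run of whitespace characters in s."""
    best = cur = 0
    for ch in s:
        cur = cur + 1 if ch in WHITESPACE else 0
        best = max(best, cur)
    return best


def assess_arguments(arguments: str, threshold: int = 32) -> dict:
    """Flag argument strings padded so the real command sits outside the visible Target box.

    The 32-character threshold is an assumption for this example; tune it against a
    baseline of legitimate shortcuts from your own environment."""
    run = longest_whitespace_run(arguments)
    return {
        "suspicious": run >= threshold,
        "longest_whitespace_run": run,
        "hidden_command": arguments.strip(WHITESPACE),
    }


def build_lnk(arguments: str, working_dir: str = "C:\\Windows\\System32") -> bytes:
    """Constructed sample: a minimal ShellLink carrying only WorkingDir and Arguments (BMP text only)."""
    flags = HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sII", 0x4C, LNK_CLSID, flags, 0x80)  # FILE_ATTRIBUTE_NORMAL
    header += b"\x00" * 24  # CreationTime, AccessTime, WriteTime left zero
    header += struct.pack("<IIIHHII", 0, 0, 1, 0, 0, 0, 0)  # FileSize, IconIndex, SW_SHOWNORMAL, HotKey, Reserved1-3
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (working_dir, arguments))
    return header + body + b"\x00\x00\x00\x00"  # TerminalBlock ends ExtraData


def scan_lnk(data: bytes, threshold: int = 32) -> dict:
    """Parse a ShellLink blob and assess its COMMAND_LINE_ARGUMENTS for padding."""
    fields = parse_lnk_strings(data)
    return assess_arguments(fields.get("arguments", ""), threshold)


if __name__ == "__main__":
    # Constructed sample: 300 spaces push a harmless echo past the Target box.
    padded = build_lnk(" " * 300 + "/c echo constructed-sample")
    print(scan_lnk(padded))  # suspicious=True, run=300, hidden_command='/c echo constructed-sample'
    print(scan_lnk(build_lnk("/c echo hi")))  # suspicious=False
```

Running the module on a directory of quarantined shortcuts is a matter of calling scan_lnk on each file's bytes; the "hidden_command" value is what an analyst would see after the padding is stripped, which is exactly what the properties dialog withholds.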

The infection chain begins with spearphishing emails carrying ZIP archives containing LNK files named to mimic official documents, such as “доказательства_089741.lnk” (Russian for “evidence”). These LNKs launch an intricate PowerShell one-liner that compiles and runs a temporary JavaScript-based unzip utility, unpacks a secondary ZIP disguised as an .INI file, and sideloads a malicious DLL — the first-stage downloader dubbed ETDownloader.
This downloader executes a decoy PDF while covertly fetching and installing a second-stage payload from infrastructure controlled by XDSpy.
While HarfangLab was unable to retrieve the exact payload downloaded during the attacks, they correlated the activity with XDigo, a Go-based malware implant previously observed in memory dumps from Belarusian systems.
XDigo is a full-fledged espionage tool. It collects documents, screenshots, clipboard contents, and even runs commands on demand. It stages stolen data in encrypted ZIP files using AES-256-GCM before exfiltrating it over HTTPS to command-and-control servers like quan-miami[.]com.
Interestingly, XDigo accepts commands encrypted via RSA-OAEP and authenticated with RSA-PSS signatures. “Each sample we identified embeds unique AES keys,” the researchers noted, suggesting a deliberate effort to compartmentalize operations.
The campaign’s decoy documents — a scanned legal letter addressed to the Almaty City Bar Association in Kazakhstan and a Russian architectural firm’s floor plan — point to deliberate targeting of Russian-speaking government and legal sectors.
Victims include a confirmed Belarusian governmental entity involved in economic policy. HarfangLab’s researchers observed that XDSpy “maintains strong operational security practices that have enabled them to operate covertly for over a decade.”
XDSpy’s infrastructure also evades detection through clever redirection schemes. Domains such as pdf-bazaar[.]com and vashazagruzka365[.]com serve as staging points for the malware, occasionally redirecting analysts to massive LLM binaries hosted on HuggingFace to throw off investigations.
The researchers connect this new XDSpy campaign to historical activity through consistent tactics: spearphishing with ZIP archives, DLL sideloading, evasion of sandbox detection, and the use of forfiles.exe in execution chains. Moreover, infrastructure overlaps and reused RSA keys tie recent XDigo variants to samples dating back to 2023.
“Even as we concluded this investigation,” HarfangLab cautions, “we identified another cluster of activity beginning May 2025… with new XDigo samples uploaded days prior to publication.”