
Cybersecurity researchers have discovered a Go-based malware called XDigo that was used in attacks on government agencies in Eastern Europe in March 2025.
The attack chain is said to have leveraged a collection of Windows shortcut (LNK) files as part of a multi-stage procedure for deploying the malware, French cybersecurity company HarfangLab said.
XDSPY is the name assigned to a cyber-espionage actor active since 2011 that is known for targeting government agencies in Eastern Europe and the Balkans. It was first documented in early 2020 by the Belarusian CERT.
In recent years, companies in Russia and Moldova have been targeted by a variety of campaigns delivering malware families such as UTask, XDDown, and DSDownloader, which can download additional payloads to steal sensitive information from compromised hosts.

HarfangLab said it observed the threat actor exploiting a remote code execution flaw in Microsoft Windows that is triggered when specially crafted LNK files are processed. The vulnerability (ZDI-CAN-25373) was disclosed by Trend Micro in March this year.
“Crafted data in an LNK file can make dangerous content in the file invisible to users inspecting the file via the user interface provided by Windows,” Trend Micro’s Zero Day Initiative (ZDI) said at the time. “Attackers can exploit this vulnerability to run code in the context of the current user.”
Further analysis of LNK file artifacts exploiting ZDI-CAN-25373 uncovered a small subset of nine samples that also take advantage of a parsing confusion in LNK handling, which results from Microsoft not implementing its own MS-SHLLINK specification (version 8.0) as written.
According to the specification, the theoretical maximum length of a string in an LNK file is the largest integer that can be encoded in two bytes (i.e., 65,535 characters). However, the actual Windows 11 implementation limits the total stored text content to 259 characters, except for command-line arguments.

“This leads to confusing situations where some LNK files are parsed differently by the specification and by Windows, or even where LNK files that are invalid according to the specification are in fact valid for Microsoft Windows,” HarfangLab says.
“Because of this deviation from the specification, specific LNK files can be crafted that appear to run a particular command line. They may also be disabled in Windows, following third-party parsers that implement the specification.”
Attackers can combine the whitespace padding issue with this LNK parsing confusion to hide the command that actually runs from both the Windows UI and third-party parsers.
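As an added example (not tooling from HarfangLab, Trend Micro or the malware authors), the following Python reads the StringData section of a shortcut exactly as MS-SHLLINK defines it and flags the two mismatches described above: fields longer than the 259 characters Windows actually stores, and strings whose content sits behind a long run of whitespace. The sample shortcut, the 64-character padding threshold and the `placeholder-command` text are constructed for the demonstration.

```python
import struct

LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046 on disk
# LinkFlags bit -> StringData field, in the order MS-SHLLINK says the fields appear
STRING_FIELDS = [(0x04, "NAME_STRING"), (0x08, "RELATIVE_PATH"), (0x10, "WORKING_DIR"),
                 (0x20, "COMMAND_LINE_ARGUMENTS"), (0x40, "ICON_LOCATION")]
WINDOWS_TEXT_LIMIT = 259  # what Windows 11 actually stores per field (arguments excepted)

def parse_string_data(lnk: bytes) -> dict:
    """Walk past the header, IDList and LinkInfo and read each StringData entry as the spec defines it."""
    if len(lnk) < 76 or lnk[:4] != b"\x4c\x00\x00\x00" or lnk[4:20] != LINK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", lnk, 20)[0]
    pos = 76
    if flags & 0x01:  # HasLinkTargetIDList: uint16 IDListSize, then the list itself
        pos += 2 + struct.unpack_from("<H", lnk, pos)[0]
    if flags & 0x02:  # HasLinkInfo: uint32 LinkInfoSize covers the whole structure
        pos += struct.unpack_from("<I", lnk, pos)[0]
    width, codec = (2, "utf-16-le") if flags & 0x80 else (1, "cp1252")  # IsUnicode
    strings = {}
    for bit, name in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", lnk, pos)[0]  # CountCharacters: up to 65,535 per spec
            pos += 2
            strings[name] = lnk[pos:pos + count * width].decode(codec)
            pos += count * width
    return strings

def suspicious_strings(strings: dict, pad_threshold: int = 64) -> list:
    """Flag fields a spec-following parser sees but Windows would truncate or its UI would not display."""
    findings = []
    for name, value in strings.items():
        if name != "COMMAND_LINE_ARGUMENTS" and len(value) > WINDOWS_TEXT_LIMIT:
            findings.append(f"{name}: {len(value)} chars exceeds the {WINDOWS_TEXT_LIMIT}-char Windows limit")
        pad = len(value) - len(value.lstrip())  # heuristic (assumption): long leading whitespace run
        if pad >= pad_threshold:
            findings.append(f"{name}: {pad} leading whitespace chars precede {value.strip()[:40]!r}")
    return findings

def build_lnk(strings: dict) -> bytes:
    """Constructed test input: a minimal Unicode LNK made of a header and StringData only."""
    flags, body = 0x80, b""
    for bit, name in STRING_FIELDS:
        if name in strings:
            flags |= bit
            body += struct.pack("<H", len(strings[name])) + strings[name].encode("utf-16-le")
    header = struct.pack("<I", 0x4C) + LINK_CLSID + struct.pack("<I", flags) + bytes(52)
    return header + body

SAMPLE = build_lnk({"NAME_STRING": "Quarterly report",  # constructed sample with padded arguments
                    "COMMAND_LINE_ARGUMENTS": " " * 300 + "/c placeholder-command"})
```

Running `suspicious_strings(parse_string_data(SAMPLE))` reports the padded argument string; a real LNK triage script would also walk the ExtraData blocks, which this example skips.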
The nine LNK files are said to have been distributed inside ZIP archives. Each of these contains a second ZIP archive holding a decoy PDF file, a legitimate but renamed executable, and a rogue DLL that is sideloaded by that binary.
It is worth noting that this attack chain was documented by BI.ZONE late last month and attributed to a threat actor it tracks as Silent Werewolf, which infected Moldovan and Russian companies with malware.

The DLL is a first-stage downloader called ETDownloader, which is likely intended to deploy a data collection implant called XDigo, based on overlaps in infrastructure, victimology, timing, tactics and tooling. XDigo is assessed to be a new version of a malware (“usrrunvga.exe”) detailed by Kaspersky in October 2023.
XDigo is a stealer that can harvest files, extract clipboard content, and capture screenshots. It also supports commands to execute commands or binaries retrieved from remote servers via HTTP GET requests. Data exfiltration occurs via HTTP POST requests.
At least one confirmed target has been identified in the Minsk region, with other artifacts suggesting the targeting of Russian retail groups, financial institutions, large insurance companies, and government postal services.
“This targeting profile is consistent with the historical pursuits of government agencies, particularly in Eastern Europe, and in Belarus, particularly in the region,” HarfangLab said.
“The focus of XDSPY is also demonstrated by its customized evasion capabilities. The malware is reported to be the first malware to try to avoid detection by the sandbox solution of PT Security, a Russian cybersecurity company that serves public and financial organizations in the Russian Federation.”