The persistent state-aligned threat group XDSpy has been observed exploiting a zero-day vulnerability (ZDI-CAN-25373) in Microsoft Windows LNK file handling.
This flaw, discovered amid XDSpy’s campaign in March 2025, enables malicious actors to obscure executed commands within specially crafted shortcut (.lnk) files, evading both user scrutiny and many security tools.
The ongoing campaign predominantly targets government and institutional entities in Eastern Europe, with confirmed infections in Belarus and strong indications of a broader regional focus.
Technical Exploitation of Windows LNK Weakness
The core of the campaign leverages the ZDI-CAN-25373 vulnerability, a bug in how Windows Explorer displays LNK target paths and command-line arguments.
By padding arguments with excessive whitespace and certain ASCII control characters, attackers can push malicious execution directives out of visible range in the UI, preventing administrators and analysts from easily detecting suspicious activity through standard file property dialogs.
Notably, XDSpy’s LNK files are engineered to take advantage of inconsistencies between Microsoft’s official MS-SHLLINK parsing specification and the actual Windows implementation, further thwarting third-party forensic tools that follow the documented standard.
Specifically, when the total command length reaches the Windows-imposed 259-character limit and is suffixed with at least 78 spaces, the arguments are concealed from the properties dialog but are still interpreted and executed by the OS.
According to the HarfangLab report, this enables stealthy delivery of complex payloads while presenting benign or empty targets to the user.
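As an added illustration of how a defender can check for this padding trick (example code, not from the article or from HarfangLab's report), the following Python script parses the StringData section of a .lnk file according to the documented MS-SHLLINK layout and flags COMMAND_LINE_ARGUMENTS in which a long run of spaces or ASCII control characters separates the visible prefix from further content. The fixture builder, the 16-character padding threshold, the cp1252 fallback for non-Unicode strings and the function names are assumptions of this example; the article's 259-character and 78-space figures appear only in comments.

```python
# Triage helper for LNK argument padding of the kind described for ZDI-CAN-25373.
# Added example, not code from the article or HarfangLab: parses StringData per
# MS-SHLLINK and reports arguments hidden behind whitespace/control-character runs.
import struct

LNK_HEADER_SIZE = 0x4C
# LinkCLSID 00021401-0000-0000-C000-000000000046, as stored on disk (little-endian)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1) that decide where StringData starts
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields appear in this fixed order when their flag is set
STRING_DATA_FIELDS = (
    ("name", HAS_NAME),
    ("relative_path", HAS_RELATIVE_PATH),
    ("working_dir", HAS_WORKING_DIR),
    ("arguments", HAS_ARGUMENTS),
    ("icon_location", HAS_ICON_LOCATION),
)

# Characters that occupy no visible width in the shortcut properties dialog
PAD_CHARS = " " + "".join(chr(c) for c in range(0x20))

# The article reports a 259-character command suffixed with at least 78 spaces.
# The triage threshold here is deliberately lower (an assumption of this example).
DEFAULT_PAD_THRESHOLD = 16


def parse_string_data(data: bytes) -> dict:
    """Return the StringData fields of a ShellLink as {field_name: str}."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a ShellLink (bad HeaderSize or LinkCLSID)")
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (2 bytes) + IDList
        (id_list_size,) = struct.unpack_from("<H", data, off)
        off += 2 + id_list_size
    if flags & HAS_LINK_INFO:  # LinkInfoSize counts the whole structure
        (link_info_size,) = struct.unpack_from("<I", data, off)
        off += link_info_size
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for name, bit in STRING_DATA_FIELDS:
        if not flags & bit:
            continue
        (count,) = struct.unpack_from("<H", data, off)  # CountCharacters
        off += 2
        nbytes = count * 2 if unicode else count
        raw = data[off:off + nbytes]
        if len(raw) != nbytes:
            raise ValueError(f"truncated StringData field {name!r}")
        off += nbytes
        # Non-Unicode strings use the system code page; cp1252 is assumed here
        fields[name] = (raw.decode("utf-16-le") if unicode
                        else raw.decode("cp1252", errors="replace"))
    return fields


def analyze_arguments(args: str, pad_threshold: int = DEFAULT_PAD_THRESHOLD) -> dict:
    """Split the arguments at the first padding run of pad_threshold or more chars."""
    longest_run = run = 0
    split_at = None  # index where the first long padding run begins
    for i, ch in enumerate(args):
        if ch in PAD_CHARS:
            run += 1
            if run == pad_threshold and split_at is None:
                split_at = i - run + 1
            longest_run = max(longest_run, run)
        else:
            run = 0
    visible, hidden = args, ""
    if split_at is not None:
        visible = args[:split_at]
        hidden = args[split_at:].lstrip(PAD_CHARS)
    control_chars = sum(1 for ch in args if ord(ch) < 0x20)
    return {
        "length": len(args),
        "longest_pad_run": longest_run,
        "control_chars": control_chars,
        "visible_prefix": visible,
        "hidden_suffix": hidden,
        "suspicious": bool(hidden) or control_chars > 0 or longest_run >= pad_threshold,
    }


def scan_lnk(data: bytes) -> dict:
    """Parse a shortcut and analyze its arguments; a file without arguments is clean."""
    fields = parse_string_data(data)
    report = analyze_arguments(fields.get("arguments", ""))
    report["fields"] = fields
    return report


def build_sample_lnk(arguments: str) -> bytes:
    """Constructed fixture: minimal ShellLink carrying only COMMAND_LINE_ARGUMENTS
    (no target IDList, no LinkInfo), so it is a parser test input, not a usable shortcut."""
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, HAS_ARGUMENTS | IS_UNICODE)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")


# Constructed sample: benign-looking visible text, 200 spaces, then placeholder text
SAMPLE_ARGS = "/c placeholder-visible-arg" + " " * 200 + "PLACEHOLDER-HIDDEN-CONTENT"

if __name__ == "__main__":
    result = scan_lnk(build_sample_lnk(SAMPLE_ARGS))
    print(f"suspicious={result['suspicious']} length={result['length']} "
          f"longest_pad_run={result['longest_pad_run']}")
    print("visible:", repr(result["visible_prefix"]))
    print("hidden :", repr(result["hidden_suffix"]))
```

To triage a real shortcut, call `scan_lnk(open(path, "rb").read())`. One caveat follows directly from the article: this parser walks the file exactly as MS-SHLLINK documents it, and the report notes that Windows itself deviates from that specification for these samples, so a clean verdict here rules out only the simple padding case and should be confirmed with a second method (for instance, inspecting the raw bytes after the header for long runs of 0x20 0x00 or control characters).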
Multi-Stage Infection Chain
XDSpy’s infection chain begins with spear-phishing emails containing ZIP archives named in Russian, typically embedding a decoy document and a malicious LNK file.

Upon user interaction, the LNK launches a legitimate signed Microsoft executable, which sideloads a first-stage downloader DLL (ETDownloader, typically named d3d9.dll).
This loader establishes persistence, opens decoy content to distract the user, and retrieves a second-stage payload: a Go-based data exfiltration implant known as XDigo.
The attack flow exhibits a high level of automation and anti-detection measures:
- Stage 1: The sideloaded ETDownloader downloads and decodes the XDigo implant, moves itself and its components to hidden locations, and sets up Windows startup persistence.
- Stage 2: XDigo conducts extensive anti-analysis checks, collects sensitive files (Office documents, archives, desktop TXT files), clipboard data, and screenshots, then exfiltrates this information to remote command-and-control (C2) infrastructure over HTTPS. It can also execute arbitrary commands issued by the operators via encrypted C2 communications.
Importantly, the campaign uses infrastructure that overlaps with previously attributed XDSpy operations, including consistent use of Russian-themed domain naming for distribution and random English-themed names for C2, often hosted through commercial VPS and CDN providers using Let’s Encrypt certificates.

XDSpy’s focus on government, economic, and infrastructure-related institutions in Belarus and neighboring regions aligns with previously documented objectives.
The group’s technical sophistication, from exploitation of zero-day UI bugs to custom sideloading and anti-sandbox techniques, underscores its capabilities and dedication to operational security.
Despite limited public reporting in Western cybersecurity circles, these ongoing campaigns highlight the continued risk posed by advanced persistent threat actors leveraging both software flaws and intricate social engineering.
The discovery and analysis of these attacks were facilitated by cross-referencing malware samples, infrastructure pivots, and forensic data from both public scanners and targeted victim environments.
Notably, the campaign remains active, with ongoing infrastructure updates and fresh, evolving malware samples.
Indicators of Compromise (IOCs)
| Type | Indicator (SHA-256 or Domain) | Description/Role |
|---|---|---|
| ZIP Archive | a28ee84bfbad9107ad39802e25c24ae0eaa00a870eca09039076a0360dcbd869 | Malicious ZIP (dokazatelstva.zip) |
| ZIP Archive | 4f1d5081adf8ceed3c3daaaa3804e5a4ac2e964ec90590e716bc8b34953083e8 | Malicious ZIP (dokazatelstva.zip) |
| LNK File | 65209053f042e428b64f79ea8f570528beaa537038aa3aa50a0db6846ba8d2ec | Malicious LNK (проект_00252053.lnk) |
| ETDownloader | 792c5a2628ec1be86e38b0a73a44c1a9247572453555e7996bb9d0a58e37b62b | Stage 1 DLL (d3d9.dll) |
| XDigo Go | 0d983f5fb403b500ec48f13a951548d5a10572fde207cf3f976b9daefb660f7e | Go-based Stage 2 implant |
| C2 Domain | quan-miami[.]com | XDigo C2 |
| Distribution | pdf-bazaar[.]com | Payload distribution |
| Distribution | vashazagruzka365[.]com | Payload distribution |