Cybersecurity researchers have uncovered a Go-based malware referred to as XDigo that has been used in attacks targeting Eastern European governmental entities in March 2025.
The attack chains are said to have leveraged a collection of Windows shortcut (LNK) files as part of a multi-stage procedure to deploy the malware, French cybersecurity company HarfangLab said.
XDSpy is the name assigned to a cyber espionage group that is known to target government agencies in Eastern Europe and the Balkans since 2011. It was first documented by the Belarusian CERT in early 2020.
In recent years, companies in Russia and Moldova have been targeted by various campaigns to deliver malware families like UTask, XDDown, and DSDownloader that can download additional payloads and steal sensitive information from compromised hosts.

HarfangLab said it observed the threat actor leveraging a remote code execution flaw in Microsoft Windows that is triggered when processing specially crafted LNK files. The vulnerability (ZDI-CAN-25373) was publicly disclosed by Trend Micro earlier this March.
“Crafted data in an LNK file can cause hazardous content in the file to be invisible to a user who inspects the file via the Windows-provided user interface,” Trend Micro’s Zero Day Initiative (ZDI) said at the time. “An attacker can leverage this vulnerability to execute code in the context of the current user.”
Further analysis of the LNK file artifacts that exploit ZDI-CAN-25373 has uncovered a smaller subset comprising nine samples, which take advantage of an LNK parsing confusion flaw stemming from Microsoft not implementing its own MS-SHLLINK specification (version 8.0).
According to the spec, the maximum theoretical limit for the length of a string within LNK files is the highest integer value that can be encoded within two bytes (i.e., 65,535 characters). However, the actual Windows 11 implementation limits the total stored text content to 259 characters, except for command-line arguments.

“This leads to confusing situations, where some LNK files are parsed differently per specification and in Windows, and even that some LNK files which should be invalid per specification are actually valid to Microsoft Windows,” HarfangLab said.
“Because of this deviation from the specification, one can specifically craft an LNK file which seemingly executes a certain command line or even be invalid according to third-party parsers implementing the specification, while executing another command line in Windows.”
A consequence of combining the whitespace padding issue with the LNK parsing confusion is that it can be leveraged by attackers to hide the command that is being executed from both the Windows UI and third-party parsers.
The nine LNK files are said to have been distributed within ZIP archives, with each of the latter containing a second ZIP archive that includes a decoy PDF file, a legitimate but renamed executable, and a rogue DLL that is sideloaded via the binary.
It is worth noting that this attack chain was documented by BI.ZONE late last month as carried out by a threat actor it tracks as Silent Werewolf to infect Moldovan and Russian companies with malware.
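The two properties described above (a two-byte CountCharacters field per the MS-SHLLINK StringData layout, versus the 259-character limit Windows applies to non-argument strings, plus whitespace padding in the arguments field) are exactly what a defender can check for when triaging LNK files. The following is an added example, not code from HarfangLab or from the article: it builds minimal Unicode LNK files containing only a header and StringData (a constructed fixture, no IDList or LinkInfo), parses the StringData section per the specification, and reports two heuristics. The 259-character threshold is taken from the article; the 32-character padding threshold is an assumed tuning value.

```python
import struct

# ShellLinkHeader constants from MS-SHLLINK section 2.1
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK section 2.1.1) that govern which sections follow the header
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData entries appear in this fixed order, each as CountCharacters (u16) + characters
STRING_FIELDS = [
    ("name", HAS_NAME),
    ("relative_path", HAS_RELATIVE_PATH),
    ("working_dir", HAS_WORKING_DIR),
    ("arguments", HAS_ARGUMENTS),
    ("icon_location", HAS_ICON_LOCATION),
]

WINDOWS_TEXT_LIMIT = 259   # limit the article reports for non-argument strings on Windows 11
PADDING_THRESHOLD = 32     # assumed heuristic: this many leading whitespace chars is suspicious


def build_lnk(fields):
    """Construct a minimal Unicode LNK (header + StringData only). Test fixture, not a real shortcut."""
    flags = IS_UNICODE
    body = b""
    for fname, bit in STRING_FIELDS:
        value = fields.get(fname)
        if value is None:
            continue
        flags |= bit
        # CountCharacters is a 16-bit count, so the spec ceiling is 65,535 characters
        body += struct.pack("<H", len(value)) + value.encode("utf-16-le")
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID + struct.pack("<I", flags)
    header += struct.pack("<I", 0)                              # FileAttributes
    header += b"\x00" * 24                                      # Creation/Access/Write times
    header += struct.pack("<IIIHHII", 0, 0, 1, 0, 0, 0, 0)      # FileSize, IconIndex, ShowCommand, HotKey, Reserved1-3
    assert len(header) == HEADER_SIZE
    return header + body


def parse_string_data(data):
    """Parse StringData strictly per the specification, skipping IDList and LinkInfo if present."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE or data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link header")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        off += 2 + struct.unpack_from("<H", data, off)[0]       # IDListSize + IDList
    if flags & HAS_LINK_INFO:
        off += struct.unpack_from("<I", data, off)[0]           # LinkInfoSize covers the whole structure
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for fname, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        nbytes = count * 2 if unicode else count
        raw = data[off:off + nbytes]
        if len(raw) != nbytes:
            raise ValueError(f"truncated {fname} string")
        off += nbytes
        fields[fname] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252")
    return fields


def triage(data):
    """Return (parsed fields, findings). Findings are strings describing spec-vs-Windows divergence or padding."""
    fields = parse_string_data(data)
    findings = []
    for fname, value in fields.items():
        # A spec-compliant parser accepts this, but Windows caps non-argument text at 259 chars,
        # so the two will disagree about what the shortcut contains.
        if fname != "arguments" and len(value) > WINDOWS_TEXT_LIMIT:
            findings.append(f"{fname}: {len(value)} chars exceeds the {WINDOWS_TEXT_LIMIT}-char Windows limit")
    args = fields.get("arguments", "")
    pad = len(args) - len(args.lstrip())
    if pad >= PADDING_THRESHOLD:
        # The ZDI-CAN-25373 pattern: leading whitespace pushes the real command line out of view in the UI
        findings.append(f"arguments: {pad} leading whitespace chars (padding hides the command line)")
    return fields, findings


if __name__ == "__main__":
    sample = build_lnk({"relative_path": "..\\notepad.exe", "arguments": " " * 400 + "readme.txt"})
    for line in triage(sample)[1]:
        print(line)
```

Run against real files, the parser is deliberately strict: a file it rejects as truncated or malformed is itself worth a look, since the article notes that some of the nine samples are invalid per specification yet accepted by Windows.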

The DLL is a first-stage downloader dubbed ETDownloader that, in turn, is likely meant to deploy a data collection implant known as XDigo, based on infrastructure, victimology, timing, tactics, and tooling overlaps. XDigo is assessed to be a newer version of malware (“UsrRunVGA.exe”) that was detailed by Kaspersky in October 2023.
XDigo is a stealer that can harvest files, extract clipboard content, and capture screenshots. It also supports commands to execute a command or binary retrieved from a remote server over HTTP GET requests. Data exfiltration occurs via HTTP POST requests.
At least one confirmed target has been identified in the Minsk region, with other artifacts suggesting the targeting of Russian retail groups, financial institutions, large insurance companies, and governmental postal services.
“This targeting profile aligns with XDSpy’s historical pursuit of government entities in Eastern Europe and Belarus in particular,” HarfangLab said.
“XDSpy’s focus is also demonstrated by its customized evasion capabilities, as their malware was reported as the first malware attempting to evade detection from PT Security’s Sandbox solution, a Russian cybersecurity company providing service to public and financial organizations in the Russian Federation.”