Go-Based Malware XDigo Targets Eastern European Governments
Cybersecurity experts have recently identified a new malware named XDigo, which has been implicated in attacks against governmental entities in Eastern Europe as early as March 2025. This malware employs a sophisticated multi-stage attack strategy, utilizing Windows shortcut (LNK) files to initiate its deployment, according to a report from the French cybersecurity firm HarfangLab.
Background on XDSpy and Its Evolution
XDSpy has been a persistent threat since its inception, known to target government agencies in Eastern Europe and the Balkans. The malware was first observed in 2011 and documented in 2020 by the Belarusian Computer Emergency Response Team (CERT). Over the years, various malware campaigns, particularly in Russia and Moldova, have included other families like UTask, XDDown, and DSDownloader, designed to extract sensitive information from compromised systems.
Exploiting Windows Vulnerabilities
HarfangLab has noted that the latest attack vectors exploit a remote code execution vulnerability in Microsoft Windows, specifically when it processes maliciously crafted LNK files. This flaw, identified as ZDI-CAN-25373 and disclosed by Trend Micro in March, allows attackers to execute code in the context of the current user—without the user’s knowledge.
According to Trend Micro’s Zero Day Initiative, the carefully crafted data within these LNK files can obscure harmful content, making it challenging for users to detect potential threats. This level of deception raises serious security concerns, especially in institutions that rely on Windows operating systems.
Technical Insights into LNK Files
A closer inspection of how these LNK files operate reveals that a subset of nine samples exploits discrepancies in Microsoft’s implementation of the LNK parsing specification. While the theoretical maximum string length for LNK files is 65,535 characters, Windows 11 restricts text content to 259 characters unless command-line arguments are involved. This inconsistency allows attackers to create LNK files that Windows processes as intended but that third-party parsers interpret differently or reject.
This parsing discrepancy becomes a tool for attackers, enabling them to conceal command execution from both users and external parsers. The nine harmful LNK files were found within ZIP files that included additional ZIP archives containing what appeared to be benign PDF files, legitimate executables with altered names, and a rogue DLL file placed alongside the genuine software.
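The defensive counterpart to this discrepancy is to parse the LNK StringData yourself and measure each string, rather than trusting what a shortcut's Properties dialog shows. The following is an added example written for this article, not HarfangLab's tooling or any of the samples it analysed: a minimal MS-SHLLINK parser that reads the ShellLinkHeader, skips the optional LinkTargetIDList and LinkInfo structures, decodes the five StringData fields, and flags any field longer than the 259-character limit quoted above. The `PADDING_THRESHOLD` check for large amounts of leading or trailing whitespace is an assumption of this example (a generic hiding pattern, not something the article states), and the two sample shortcuts are constructed in code so the script runs offline.

```python
"""Minimal MS-SHLLINK (LNK) StringData auditor. Added example, not HarfangLab's code."""
import struct

LNK_HEADER_SIZE = 0x4C  # fixed ShellLinkHeader size per MS-SHLLINK
# LinkCLSID {00021401-0000-0000-C000-000000000046} in its on-disk little-endian order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits that decide which optional structures and StringData fields are present
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields always appear in this order, each present only if its flag is set
STRING_FIELDS = [
    ("name", HAS_NAME),
    ("relative_path", HAS_RELATIVE_PATH),
    ("working_dir", HAS_WORKING_DIR),
    ("arguments", HAS_ARGUMENTS),
    ("icon_location", HAS_ICON_LOCATION),
]

DISPLAY_LIMIT = 259      # the Windows 11 text limit quoted in the article
PADDING_THRESHOLD = 64   # assumption: this much surrounding whitespace is not a normal shortcut


def parse_lnk(data: bytes) -> dict:
    """Validate the header, skip IDList/LinkInfo, and decode every StringData field."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    header_size, clsid, link_flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a ShellLink: bad HeaderSize or LinkCLSID")
    pos = LNK_HEADER_SIZE
    if link_flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (2 bytes) + IDList
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if link_flags & HAS_LINK_INFO:                # LinkInfoSize counts itself
        (link_info_size,) = struct.unpack_from("<I", data, pos)
        pos += link_info_size
    unicode = bool(link_flags & IS_UNICODE)
    width = 2 if unicode else 1
    strings = {}
    for name, flag in STRING_FIELDS:
        if not link_flags & flag:
            continue
        (count,) = struct.unpack_from("<H", data, pos)  # CountCharacters, up to 65,535
        pos += 2
        raw = data[pos:pos + count * width]
        if len(raw) != count * width:
            raise ValueError(f"truncated {name} string")
        pos += count * width
        strings[name] = raw.decode("utf-16-le" if unicode else "cp1252")
    return {"flags": link_flags, "strings": strings}


def audit_lnk(data: bytes) -> list:
    """Return human-readable findings for strings a Properties dialog would not show in full."""
    findings = []
    for name, value in parse_lnk(data)["strings"].items():
        if len(value) > DISPLAY_LIMIT:
            findings.append(f"{name}: {len(value)} chars exceeds the {DISPLAY_LIMIT}-char display limit")
        padding = len(value) - len(value.strip())
        if padding >= PADDING_THRESHOLD:
            findings.append(f"{name}: {padding} whitespace chars pad {len(value.strip())} visible chars")
    return findings


def build_lnk(strings: dict, unicode: bool = True) -> bytes:
    """Construct a minimal LNK (header + StringData only) so the auditor can be exercised offline."""
    flags = IS_UNICODE if unicode else 0
    body = b""
    for name, flag in STRING_FIELDS:
        if name in strings:
            flags |= flag
            text = strings[name]
            body += struct.pack("<H", len(text)) + text.encode("utf-16-le" if unicode else "cp1252")
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, flags)
    return header + b"\x00" * (LNK_HEADER_SIZE - len(header)) + body


# Constructed samples: an ordinary shortcut and one whose arguments are padded past the display limit
SAMPLE_BENIGN = build_lnk({"relative_path": "..\\tools\\notepad.exe", "arguments": "readme.txt"})
SAMPLE_PADDED = build_lnk({"arguments": " " * 280 + "/c echo constructed sample"})

if __name__ == "__main__":
    for label, blob in (("benign", SAMPLE_BENIGN), ("padded", SAMPLE_PADDED)):
        print(label, audit_lnk(blob) or ["no findings"])
```

Run against real files, the same `audit_lnk` can be pointed at every `.lnk` extracted from a suspicious ZIP; the point is that the parser reports the full CountCharacters value from the file, so a string that Windows truncates on screen still shows up at its true length.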
Pathway and Purpose of XDigo
The threat actor behind these attacks has been tracked by a security group known as Silent Werewolf, which claims responsibility for infecting Moldovan and Russian organizations. The malicious DLL acts as a downloader known as ETDownloader, designed to ultimately install the XDigo data collection tool.
XDigo itself specializes in data theft, capable of harvesting files, copying clipboard content, creating screenshots, and executing commands fetched from remote servers. The malware sends exfiltrated data through HTTP POST requests, adding another layer of complexity to cybersecurity defenses.
Target Identification and Historical Context
Initial evidence has pinpointed at least one confirmed target in the Minsk region, while additional artifacts indicate that potential victims include Russian retail groups, financial institutions, large insurance firms, and government postal services. The targeting pattern reflects XDSpy’s historical focus on governmental entities throughout Eastern Europe and Belarus in particular.
XDSpy’s adaptability and evasion techniques have been highlighted before, notably in reports that it was the first malware to outsmart PT Security’s Sandbox, a cybersecurity service for public and financial organizations in Russia.
Conclusion
The emergence of XDigo represents a significant escalation in cyber threats against government infrastructures in Eastern Europe. By exploiting existing vulnerabilities and showcasing a refined execution strategy, XDigo underlines the ongoing challenges in cybersecurity preparedness and response, highlighting the need for heightened awareness and robust defensive measures against such sophisticated attacks.