SadFuture: Mapping XDSpy latest evolution

· Published 26/06/2025 21:26 · Modified 27/06/2025 08:52

Essential information

Tags
2025-06-26 eastern europe etdownloader government infrastructure analysis lnk exploitation xdigo
Related entities
134 observables, 1 intrusion sets (apt), 15 techniques (mitre), 2 malware, 4 others

Description

This report examines recent activities attributed to the XDSpy threat actor, focusing on an ongoing campaign targeting Eastern European and Russian governmental entities using the malware since March 2025. The investigation stemmed from analyzing a vulnerability in LNK files, leading to the discovery of a multi-stage infection chain. The report provides analysis of the implant and its connections to previous XDSpy activities. It also details the exploitation of LNK parsing issues and infrastructure used across different campaigns. The research uncovered additional, more recent XDSpy activity employing an alternative infection chain. Targets include entities in , with a confirmed victim in Belarus.

External references