{ "id": "6c96177d-1b24-4579-8cc3-a8ed60335309", "created_at": "2026-04-06T03:37:58.837403Z", "updated_at": "2026-04-10T13:11:32.460249Z", "deleted_at": null, "sha1_hash": "1f3b29019ed65f1d5ef302029610e26733c23ecb", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 49915, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-06 02:50:30 UTC\r\n APT group: XDSpy\r\nNames XDSpy (ESET)\r\nCountry [Unknown]\r\nMotivation Information theft and espionage\r\nFirst seen 2011\r\nDescription\r\n(ESET) Rare is the APT group that goes largely undetected for nine years, but\r\nXDSpy is just that; a previously undocumented espionage group that has been active\r\nsince 2011. It has attracted very little public attention, with the exception of an\r\nadvisory from the Belarusian CERT in February 2020. In the interim, the group\r\ncompromised many government agencies and private companies in Eastern Europe\r\nand the Balkans.\r\nIn this paper, we present our analysis of this nine-year-long espionage campaign,\r\nactive since 2011, but which apparently went dark in February 2020.\r\nWith its primary purpose seemingly being cyber espionage, this group stole\r\ndocuments and other sensitive files, such as victims’ mailboxes. These outcomes\r\nwere achieved through the use of the XDSpy malware ecosystem, composed of at\r\nleast seven components: XDDown, XDRecon, XDList, XDMonitor, XDUpload,\r\nXDLoc and XDPass. As our research has not uncovered links with any previously\r\nknown APT groups, we have attributed this malware toolset to a previously\r\nunknown group.\r\nObserved\r\nSectors: Government.\r\nCountries: Belarus, Moldova, Russia, Serbia, Ukraine.\r\nTools used\r\nChromePass, IE PassView, MailPassView, Network Password Recovery,\r\nOperaPassView, PasswordFox, Protected Storage PassView, XDDown, XDList,\r\nXDLoc, XDMonitor, XDPass, XDRecon, XDUpload.\r\nOperations performed Jul 2024\r\nRussia, Moldova targeted by obscure hacking group in new\r\ncyberespionage campaign\r\n\u003chttps://therecord.media/russia-moldova-cyberespionage-campaign\u003e\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=647ee86f-5474-437c-b2e3-825424b0fd1c\r\nPage 1 of 2\n\nInformation\nLast change to this card: 27 August 2024\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=647ee86f-5474-437c-b2e3-825424b0fd1c\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=647ee86f-5474-437c-b2e3-825424b0fd1c\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=647ee86f-5474-437c-b2e3-825424b0fd1c" ], "report_names": [ "showcard.cgi?u=647ee86f-5474-437c-b2e3-825424b0fd1c" ], "threat_actors": [ { "id": "69cba9ab-de35-4103-a699-7d243bcfd196", "created_at": "2023-01-06T13:46:39.159472Z", "updated_at": "2026-04-10T02:00:03.233731Z", "deleted_at": null, "main_name": "XDSpy", "aliases": [], "source_name": "MISPGALAXY:XDSpy", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d69b3831-de95-42c9-b4b6-26232627206f", "created_at": "2022-10-25T16:07:24.429466Z", "updated_at": "2026-04-10T02:00:04.985102Z", "deleted_at": null, "main_name": "XDSpy", "aliases": [], "source_name": "ETDA:XDSpy", "tools": [ "ChromePass", "IE PassView", "MailPassView", "Network Password Recovery", "OperaPassView", "PasswordFox", "Protected Storage PassView", "XDDown", "XDList", "XDLoc", "XDMonitor", "XDPass", "XDRecon", "XDUpload" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775446678, "ts_updated_at": 1775826692, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/1f3b29019ed65f1d5ef302029610e26733c23ecb.pdf", "text": "https://archive.orkl.eu/1f3b29019ed65f1d5ef302029610e26733c23ecb.txt", "img": "https://archive.orkl.eu/1f3b29019ed65f1d5ef302029610e26733c23ecb.jpg" } }