{
	"id": "d793bb1a-1220-4c11-baac-ec37c55acd95",
	"created_at": "2026-04-06T00:09:04.106395Z",
	"updated_at": "2026-04-10T13:12:00.236906Z",
	"deleted_at": null,
	"sha1_hash": "59f94bcd09b389e593138049b78e89d6b360bc7f",
	"title": "XDSpy: Stealing government secrets since 2011",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1037550,
	"plain_text": "XDSpy: Stealing government secrets since 2011\r\nBy Matthieu Faou\r\nArchived: 2026-04-05 18:42:50 UTC\r\nRare is the APT group that goes largely undetected for nine years, but XDSpy is just that; a previously\r\nundocumented espionage group that has been active since 2011. It has attracted very little public attention, with\r\nthe exception of an advisory from the Belarusian CERT in February 2020. In the interim, the group has\r\ncompromised many government agencies and private companies in Eastern Europe and the Balkans.\r\nThis blogpost is a summary, with updated information about the compromise vectors and Indicators of\r\nCompromise, of research that we’ve presented at the Virus Bulletin 2020 conference (see the full paper and the\r\npresentation).\r\nTargets\r\nTargets of the XDSpy group are located in Eastern Europe and the Balkans and are primarily government entities,\r\nincluding militaries and Ministries of Foreign Affairs, and private companies. Figure 1 shows the location of\r\nknown victims according to ESET telemetry.\r\nFigure 1. Map of XDSpy victims according to ESET telemetry (Belarus, Moldova, Russia, Serbia and Ukraine)\r\nAttribution\r\nAfter careful research, we were not able to link XDSpy to any publicly known APT group:\r\nWe did not find any code similarity with other malware families.\r\nhttps://www.welivesecurity.com/2020/10/02/xdspy-stealing-government-secrets-since-2011/\r\nPage 1 of 10\n\nWe did not observe any overlap in the network infrastructure.\r\nWe are not aware of another APT group targeting these specific countries and verticals.\r\nMoreover, the group has been active for more than nine years. So, had such an overlap existed, we believe that it\r\nwould have been noticed, and the group uncovered, a long time ago.\r\nWe believe that the developers might be working in the UTC+2 or UTC+3 time zone, which is also the time zone\r\nof most of the targets. 
We also noticed they were only working from Monday to Friday, suggesting a professional activity.\r\nCompromise vectors\r\nXDSpy operators mainly seem to use spearphishing emails in order to compromise their targets. In fact, this is the only compromise vector that we have observed. However, the emails tend to vary a bit: some contain an attachment while others contain a link to a malicious file. The first layer of the malicious file or attachment is generally a ZIP or RAR archive.\r\nFigure 2 is an example of an XDSpy spearphishing email sent in February 2020.\r\nFigure 2. Spearphishing email sent by XDSpy's operators in February 2020\r\nRoughly translated, the body of the email says:\r\nGood afternoon!\r\nI am sending you a copy of the letter and photo materials based on the results of the work. Click on the link to download: photo materials_11.02.2020.zip\r\nWe are waiting for an answer until the end of the working day.\r\nThe link points to a ZIP archive that contains an LNK file, without any decoy document. When the victim double-clicks on it, the LNK downloads an additional script that installs XDDown, the main malware component.\r\nAfter our paper was submitted to Virus Bulletin, we continued to track the group and, after a pause between March and June 2020, they came back. At the end of June 2020, the operators stepped up their game by using a vulnerability in Internet Explorer, CVE-2020-0968, which had been patched in April 2020. Instead of delivering an archive with an LNK file, the C\u0026C server was delivering an RTF file that, once opened, downloaded an HTML file exploiting the aforementioned vulnerability.\r\nCVE-2020-0968 is part of a set of similar vulnerabilities in the IE legacy JavaScript engine disclosed in the last two years. 
At the time it was exploited by XDSpy, no proof-of-concept and very little information about this specific vulnerability was available online. We think that XDSpy either bought this exploit from a broker or developed a 1-day exploit themselves by looking at previous exploits for inspiration.\r\nIt is interesting to note that this exploit bears similarities with exploits previously used in DarkHotel campaigns, as shown in Figure 3. It is also almost identical to the exploit used in Operation Domino in September 2020, which was uploaded to VirusTotal from Belarus.\r\nGiven that we don’t believe XDSpy is linked to DarkHotel and that Operation Domino looks quite different from XDSpy, it is likely that the three groups share the same exploit broker.\r\nFigure 3. Parts of the exploit code, including the beginning, are similar to that used in a DarkHotel campaign described by JPCERT\r\nFinally, the group jumped on the COVID-19 wagon at least twice in 2020. It first used this theme in a spearphishing campaign against Belarusian institutions in February 2020. Then, in September 2020, they reused this theme against Russian-speaking targets. The archive contained a malicious Windows Script File (WSF) that downloads XDDown, as shown in Figure 4, and they used the official website rospotrebnadzor.ru as a decoy, as shown in Figure 5.\r\nFigure 4. Part of the script that downloads XDDown\r\nFigure 5. Part of the script that opens the decoy URL\r\nMalware components\r\nFigure 4 shows the malware architecture in a scenario where the compromise happens through an LNK file, as was the case in February 2020.\r\nFigure 6. XDSpy’s malware architecture. 
XDLoc and XDPass are dropped in no particular order\r\nXDDown is the main malware component and is strictly a downloader. It persists on the system using the traditional Run key. It downloads additional plugins from the hardcoded C\u0026C server using the HTTP protocol. The HTTP replies contain PE binaries encrypted with a hardcoded two-byte XOR key.\r\nDuring our research, we discovered the following plugins:\r\nXDRecon: Gathers basic information about the victim machine (the computer name, the current username and the Volume Serial Number of the main drive).\r\nXDList: Crawls the C: drive for interesting files (.accdb, .doc, .docm, .docx, .mdb, .xls, .xlm, .xlsx, .xlsm, .odt, .ost, .ppt, .pptm, .ppsm, .pptx, .sldm, .pst, .msg, .pdf, .eml, .wab) and exfiltrates the paths of these files. It can also take screenshots.\r\nXDMonitor: Similar to XDList. It also monitors removable drives to exfiltrate the files matching an interesting extension.\r\nXDUpload: Exfiltrates a hardcoded list of files from the filesystem to the C\u0026C server, as shown in Figure 5. The paths were sent to the C\u0026C servers by XDList and XDMonitor.\r\nFigure 7. Loop uploading a hardcoded list of files to the C\u0026C server (partially redacted)\r\nXDLoc: Gathers nearby SSIDs (such as Wi-Fi access points), probably in order to geo-locate the victim machines.\r\nXDPass: Grabs saved passwords from various applications such as web browsers and email programs.\r\nMore details about the various malware components can be found in the white paper.\r\nConclusion\r\nXDSpy is a cyberespionage group mostly undetected for more than nine years while being very busy over the past few months. It is mostly interested in stealing documents from government entities in Eastern Europe and the Balkans. 
This targeting is quite unusual and makes it an interesting group to follow.\r\nThe group’s technical proficiency tends to vary a bit. It has used the same basic malware architecture for nine years, but it also recently exploited a vulnerability patched by the vendor but for which no public proof-of-concept exists, a so-called 1-day exploit.\r\nFor any inquiries, or to make sample submissions related to the subject, contact us at threatintel@eset.com.\r\nSpecial thanks to Francis Labelle for his work on this investigation.\r\nIndicators of Compromise\r\nThe comprehensive list of Indicators of Compromise (IoCs) and samples can be found in our GitHub repository.\r\nMalware components\r\nSHA-1 | ESET detection name | Description\r\nC125A05CC87EA45BB5D5D07D62946DAEE1160F73 | JS/TrojanDropper.Agent.OAZ | Spearphishing email (2015)\r\n99729AC323FC8A812FA2C8BE9AE82DF0F9B502CA | LNK/TrojanDownloader.Agent.YJ | Malicious LNK downloader\r\n63B988D0869C6A099C7A57AAFEA612A90E30C10F | Win64/Agent.VB | XDDown\r\nBB7A10F816D6FFFECB297D0BAE3BC2C0F2F2FFC6 | Win32/Agent.ABQB | XDDown (oldest known sample)\r\n844A3854F67F4F524992BCD90F8752404DF1DA11 | Win64/Spy.Agent.CC | XDRecon\r\nB333043B47ABE49156195CC66C97B9F488E83442 | Win64/Spy.Agent.CC | XDUpload\r\n83EF84052AD9E7954ECE216A1479ABA9D403C36D | Win64/Spy.Agent.CC | XDUpload\r\n88410D6EB663FBA2FD2826083A3999C3D3BD07C9 | Win32/Agent.ABYL | XDLoc\r\nCFD43C7A993EC2F203B17A9E6B8B392E9A296243 | Win32/PSW.Agent.OJS | XDPass\r\n3B8445AA70D01DEA553A7B198A767798F52BB68A | DOC/Abnormal.V | Malicious RTF file that downloads the CVE-2020-0968 exploit\r\nAE34BEDBD39DA813E094E974A9E181A686D66069 | Win64/Agent.ACG | XDDown\r\n5FE5EE492DE157AA745F3DE7AE8AA095E0AFB994 | VBS/TrojanDropper.Agent.OLJ | Malicious script (Sep 2020)\r\nB807756E9CD7D131BD42C2F681878C7855063FE2 | Win64/Agent.AEJ | XDDown (most recent as of writing)\r\n
MITRE ATT\u0026CK techniques\r\nNote: This table was built using version 7 of the MITRE ATT\u0026CK framework.\r\nTactic | ID | Name | Description\r\nInitial Access | T1566.001 | Phishing: Spearphishing Attachment | XDSpy has sent spearphishing emails with a malicious attachment.\r\nInitial Access | T1566.002 | Phishing: Spearphishing Link | XDSpy has sent spearphishing emails with a link to a malicious archive.\r\nExecution | T1203 | Exploitation for Client Execution | XDSpy has exploited a vulnerability (CVE-2020-0968) in Internet Explorer (triggered by a malicious RTF file).\r\nExecution | T1204.001 | User Execution: Malicious Link | XDSpy has lured targets to download malicious archives containing malicious files such as LNK.\r\nExecution | T1204.002 | User Execution: Malicious File | XDSpy has lured targets to execute malicious files such as LNK or RTF.\r\nPersistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | XDDown persists using the Run key.\r\nDiscovery | T1033 | System Owner/User Discovery | XDRecon sends the username to the C\u0026C server.\r\nDiscovery | T1082 | System Information Discovery | XDRecon sends the computer name and the main drive Volume Serial Number to the C\u0026C server.\r\nDiscovery | T1083 | File and Directory Discovery | XDList and XDMonitor monitor the local system and the removable drive. A list of interesting paths, matching a list of hardcoded extensions, is sent to the C\u0026C server.\r\n
Collection | T1005 | Data from Local System | XDUpload exfiltrates files from the local drive. The paths of the files to be uploaded are hardcoded in the malware samples.\r\nCollection | T1025 | Data from Removable Media | XDMonitor exfiltrates files from removable drives.\r\nCollection | T1113 | Screen Capture | XDList, XDMonitor and XDUpload take screenshots and send them to the C\u0026C server.\r\nCollection | T1119 | Automated Collection | XDMonitor exfiltrates files from removable drives that match specific extensions. XDUpload exfiltrates local files that are located at one of the paths hardcoded in the malware samples.\r\nCommand and Control | T1071.001 | Application Layer Protocol: Web Protocols | XDSpy uses HTTP for command and control.\r\nCommand and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography | XDDown downloads additional components encrypted with a 2-byte static XOR key.\r\nExfiltration | T1020 | Automated Exfiltration | XDMonitor and XDUpload automatically exfiltrate collected files.\r\nExfiltration | T1041 | Exfiltration Over C2 Channel | XDSpy exfiltrates stolen data using the C\u0026C channel.\r\nSource: https://www.welivesecurity.com/2020/10/02/xdspy-stealing-government-secrets-since-2011/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/2020/10/02/xdspy-stealing-government-secrets-since-2011/"
	],
	"report_names": [
		"xdspy-stealing-government-secrets-since-2011"
	],
	"threat_actors": [
		{
			"id": "1dadf04e-d725-426f-9f6c-08c5be7da159",
			"created_at": "2022-10-25T15:50:23.624538Z",
			"updated_at": "2026-04-10T02:00:05.286895Z",
			"deleted_at": null,
			"main_name": "Darkhotel",
			"aliases": [
				"Darkhotel",
				"DUBNIUM",
				"Zigzag Hail"
			],
			"source_name": "MITRE:Darkhotel",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "69cba9ab-de35-4103-a699-7d243bcfd196",
			"created_at": "2023-01-06T13:46:39.159472Z",
			"updated_at": "2026-04-10T02:00:03.233731Z",
			"deleted_at": null,
			"main_name": "XDSpy",
			"aliases": [],
			"source_name": "MISPGALAXY:XDSpy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b13c19d6-247d-47ba-86ba-15a94accc179",
			"created_at": "2024-05-01T02:03:08.149923Z",
			"updated_at": "2026-04-10T02:00:03.763147Z",
			"deleted_at": null,
			"main_name": "TUNGSTEN BRIDGE",
			"aliases": [
				"APT-C-06 ",
				"ATK52 ",
				"CTG-1948 ",
				"DUBNIUM ",
				"DarkHotel ",
				"Fallout Team ",
				"Shadow Crane ",
				"Zigzag Hail "
			],
			"source_name": "Secureworks:TUNGSTEN BRIDGE",
			"tools": [
				"Nemim",
				"Tapaoux"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2b4eec94-7672-4bee-acb2-b857d0d26d12",
			"created_at": "2023-01-06T13:46:38.272109Z",
			"updated_at": "2026-04-10T02:00:02.906089Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"T-APT-02",
				"Nemim",
				"Nemin",
				"Shadow Crane",
				"G0012",
				"DUBNIUM",
				"Karba",
				"APT-C-06",
				"SIG25",
				"TUNGSTEN BRIDGE",
				"Zigzag Hail",
				"Fallout Team",
				"Luder",
				"Tapaoux",
				"ATK52"
			],
			"source_name": "MISPGALAXY:DarkHotel",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c0cedde3-5a9b-430f-9b77-e6568307205e",
			"created_at": "2022-10-25T16:07:23.528994Z",
			"updated_at": "2026-04-10T02:00:04.642473Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"APT-C-06",
				"ATK 52",
				"CTG-1948",
				"Dubnium",
				"Fallout Team",
				"G0012",
				"G0126",
				"Higaisa",
				"Luder",
				"Operation DarkHotel",
				"Operation Daybreak",
				"Operation Inexsmar",
				"Operation PowerFall",
				"Operation The Gh0st Remains the Same",
				"Purple Pygmy",
				"SIG25",
				"Shadow Crane",
				"T-APT-02",
				"TieOnJoe",
				"Tungsten Bridge",
				"Zigzag Hail"
			],
			"source_name": "ETDA:DarkHotel",
			"tools": [
				"Asruex",
				"DarkHotel",
				"DmaUp3.exe",
				"GreezeBackdoor",
				"Karba",
				"Nemain",
				"Nemim",
				"Ramsay",
				"Retro",
				"Tapaoux",
				"Trojan.Win32.Karba.e",
				"Virus.Win32.Pioneer.dx",
				"igfxext.exe",
				"msieckc.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d69b3831-de95-42c9-b4b6-26232627206f",
			"created_at": "2022-10-25T16:07:24.429466Z",
			"updated_at": "2026-04-10T02:00:04.985102Z",
			"deleted_at": null,
			"main_name": "XDSpy",
			"aliases": [],
			"source_name": "ETDA:XDSpy",
			"tools": [
				"ChromePass",
				"IE PassView",
				"MailPassView",
				"Network Password Recovery",
				"OperaPassView",
				"PasswordFox",
				"Protected Storage PassView",
				"XDDown",
				"XDList",
				"XDLoc",
				"XDMonitor",
				"XDPass",
				"XDRecon",
				"XDUpload"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "17149e38-d8e7-4f06-998e-3b715064fefd",
			"created_at": "2022-10-25T16:07:23.942042Z",
			"updated_at": "2026-04-10T02:00:04.800862Z",
			"deleted_at": null,
			"main_name": "Operation Domino",
			"aliases": [
				"Operation Domino",
				"Operation Kremlin"
			],
			"source_name": "ETDA:Operation Domino",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434144,
	"ts_updated_at": 1775826720,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/59f94bcd09b389e593138049b78e89d6b360bc7f.pdf",
		"text": "https://archive.orkl.eu/59f94bcd09b389e593138049b78e89d6b360bc7f.txt",
		"img": "https://archive.orkl.eu/59f94bcd09b389e593138049b78e89d6b360bc7f.jpg"
	}
}