{
	"id": "94773e0b-c95b-499a-b7fd-3f274e0245f5",
	"created_at": "2026-04-06T00:14:17.661856Z",
	"updated_at": "2026-04-10T03:34:27.700221Z",
	"deleted_at": null,
	"sha1_hash": "84cbf842961589bddf5b1bdd58b4149f77bda4bf",
	"title": "XDSpy hackers attack military-industrial companies in Russia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 81698,
	"plain_text": "XDSpy hackers attack military-industrial companies in Russia\r\nBy Daryna Antoniuk\r\nPublished: 2023-12-01 · Archived: 2026-04-05 21:46:28 UTC\r\nA cyberespionage group known as XDSpy recently targeted Russian military-industrial enterprises, according to\r\nnew research.\r\nXDSpy is believed to be a state-controlled threat actor, active since 2011, that primarily attacks countries in\r\nEastern Europe and the Balkans. In its latest campaign in November, hackers attempted to gain access to the\r\nsystems of a Russian metallurgical enterprise and a research institute involved in the development and production\r\nof guided missile weapons, according to Russian cybersecurity firm F.A.C.C.T.\r\nIn a report published earlier this week, F.A.C.C.T. — an offshoot of Singapore-based cybersecurity firm Group IB\r\n— said that hackers sent phishing emails to their victims, masquerading as a research institute specializing in the\r\ndesign of nuclear weapons.\r\nThe group’s tactics mirrored their previous attack on Russian companies, including a well-known research\r\ninstitute in July. During that incident, the hackers posed as Russia’s Ministry of Emergency Situations, sending\r\nphishing letters containing malicious PDF attachments. Researchers didn’t disclose whether the hackers managed\r\nto penetrate the victims’ systems and steal data.\r\nF.A.C.C.T. claimed that Russia is the primary target of XDSpy hackers. The group has previously targeted the\r\ncountry’s government, military, and financial institutions, along with energy, research, and mining companies,\r\nresearchers said.\r\nAlthough the group has been active for years, there is limited evidence of its attacks on Russia, especially since\r\nmany foreign cybersecurity firms exited the country following its invasion of Ukraine.\r\nSlovak-based cybersecurity firm ESET has monitored XDSpy’s activity since 2020 and researcher Matthieu Faou\r\ntold Recorded Future News that the group has consistently conducted spearphishing campaigns that mainly target\r\nstrategic organizations in Eastern Europe.\r\nAfter exiting Russia and Belarus — both targets of XDSpy — ESET lost first-hand visibility into cyberattacks\r\noccurring in these countries. However, last week, the company said it detected the group's attack on a Ukrainian\r\naerospace company.\r\nIn this attack, which was not publicly reported by Ukrainian security agencies and was likely unsuccessful,\r\nhackers used a compromise chain almost identical to the one described by F.A.C.C.T. \"We do agree with their\r\nanalysis and also attribute this to XDSpy,\" Faou said.\r\nDespite the group's long history, researchers have been unable to identify the country backing it. XDSpy doesn’t\r\noperate a particularly sophisticated toolkit, but “they have a very decent operational security,” according to Faou.\r\n“So far, we haven’t found any mistake that could point toward a specific country.”\r\nhttps://therecord.media/xdspy-hackers-target-russian-military-industrial-companies\r\nPage 1 of 3\n\n“They are putting quite a lot of effort into the obfuscation of their implants, in order to try to evade security\r\nsolutions. As such, it is likely they have a decent percentage of success, even if we have been able to track their\r\noperations in the long run,” he added.\r\nCyberattacks on Russia\r\nReports on cyberattacks against Russia are rare, given that many Western companies have limited visibility into\r\ncomputer systems in the region.\r\nThis week, however, has been rich with reports from Russian cybersecurity firms. In addition to XDSpy’s attack,\r\nF.A.C.C.T. recorded a cyberattack on Russian banks, telecom operators, logistics, and tech companies using\r\nDarkWatchman malware. The hackers disguised a phishing email as a newsletter from a Russian courier delivery\r\nservice. The results of these attacks are unknown.\r\nAnother cyberattack was conducted by a new hacker group, Hellhounds, according to the Russian cybersecurity\r\ncompany Positive Technologies, which has been sanctioned by the U.S. Hellhounds has already compromised at\r\nleast 20 Russian organizations, including government agencies, tech companies, and space and energy enterprises.\r\nCybersecurity firm BI.ZONE also recorded attacks conducted by Rare Wolf hackers. Since 2019, the group has\r\nattacked nearly 400 Russian companies, researchers said.\r\nThese reports do not disclose which countries are behind the attacks on Russia. However, in a report in November,\r\nresearchers at the cybersecurity firm Solar said that the majority of state-sponsored cyberattacks against Russia\r\noriginate from North Korea and China, with a primary interest in data theft.\r\n\n\nDaryna Antoniuk\r\nis a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in\r\nEastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for\r\nForbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.\r\nSource: https://therecord.media/xdspy-hackers-target-russian-military-industrial-companies",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://therecord.media/xdspy-hackers-target-russian-military-industrial-companies"
	],
	"report_names": [
		"xdspy-hackers-target-russian-military-industrial-companies"
	],
	"threat_actors": [
		{
			"id": "69cba9ab-de35-4103-a699-7d243bcfd196",
			"created_at": "2023-01-06T13:46:39.159472Z",
			"updated_at": "2026-04-10T02:00:03.233731Z",
			"deleted_at": null,
			"main_name": "XDSpy",
			"aliases": [],
			"source_name": "MISPGALAXY:XDSpy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d69b3831-de95-42c9-b4b6-26232627206f",
			"created_at": "2022-10-25T16:07:24.429466Z",
			"updated_at": "2026-04-10T02:00:04.985102Z",
			"deleted_at": null,
			"main_name": "XDSpy",
			"aliases": [],
			"source_name": "ETDA:XDSpy",
			"tools": [
				"ChromePass",
				"IE PassView",
				"MailPassView",
				"Network Password Recovery",
				"OperaPassView",
				"PasswordFox",
				"Protected Storage PassView",
				"XDDown",
				"XDList",
				"XDLoc",
				"XDMonitor",
				"XDPass",
				"XDRecon",
				"XDUpload"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2603d977-6e3a-4269-ba49-b5a85c943641",
			"created_at": "2024-06-26T02:00:04.847439Z",
			"updated_at": "2026-04-10T02:00:03.666442Z",
			"deleted_at": null,
			"main_name": "HellHounds",
			"aliases": [],
			"source_name": "MISPGALAXY:HellHounds",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434457,
	"ts_updated_at": 1775792067,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/84cbf842961589bddf5b1bdd58b4149f77bda4bf.pdf",
		"text": "https://archive.orkl.eu/84cbf842961589bddf5b1bdd58b4149f77bda4bf.txt",
		"img": "https://archive.orkl.eu/84cbf842961589bddf5b1bdd58b4149f77bda4bf.jpg"
	}
}