{
	"id": "06c55331-fdd2-4c80-b3e4-bb68f6cf6e1b",
	"created_at": "2026-04-06T03:35:54.079938Z",
	"updated_at": "2026-04-10T13:12:48.462477Z",
	"deleted_at": null,
	"sha1_hash": "c828556c2446e6f91173aef1b27a913b0588db05",
	"title": "Russia, Moldova targeted by obscure hacking group in new cyberespionage campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 75504,
	"plain_text": "Russia, Moldova targeted by obscure hacking group in new\r\ncyberespionage campaign\r\nBy Daryna Antoniuk\r\nPublished: 2024-07-30 · Archived: 2026-04-06 02:52:26 UTC\r\nA cyberespionage group known as XDSpy recently targeted victims in Russia and Moldova with a new malware\r\nvariant, researchers have found.\r\nIn a campaign earlier this month, the suspected nation state-linked group sent phishing emails to targets in Russia,\r\nincluding a tech company that develops software for cash registers, as well as to an unidentified organization in\r\nTransnistria, the Russian-controlled breakaway region in Moldova.\r\nThe malicious emails, discovered by Russian cybersecurity firm F.A.C.C.T., contained a link to an archive with a\r\nlegitimate executable file, which allowed attackers to run malicious code without raising suspicion.\r\nDuring these attacks, the hackers used a previously unknown tool, which the researchers called\r\nXDSpy.DSDownloader. F.A.C.C.T. didn’t disclose whether the hackers managed to penetrate the victims’ systems\r\nand steal data.\r\nXDSpy is believed to be a state-controlled threat actor, active since 2011, that primarily attacks countries in\r\nEastern Europe and the Balkans. Despite the group's long history, researchers have been unable to identify the\r\ncountry backing it.\r\nMost of XDSpy's targets are related to the military, finance, energy, research and mining industries in Russia,\r\naccording to F.A.C.C.T.\r\nEarlier in December, the group targeted a Russian metallurgical enterprise and a research institute involved in the\r\ndevelopment and production of guided missile weapons. 
In an attack last July, the hackers sent phishing letters\r\nwith malicious PDF attachments to an unnamed but “well-known” research institute.\r\nXDSpy doesn’t operate a particularly sophisticated toolkit, but “they have very decent operational security,”\r\nresearchers at cybersecurity firm ESET told Recorded Future News in a previous interview.\r\n“They are putting quite a lot of effort into the obfuscation of their implants in order to try to evade security\r\nsolutions. As such, it is likely they have a decent percentage of success, even if we have been able to track their\r\noperations in the long run,” ESET said.\r\nDaryna Antoniuk\r\nis a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in\r\nEastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for\r\nForbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.\r\nSource: https://therecord.media/russia-moldova-cyberespionage-campaign",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://therecord.media/russia-moldova-cyberespionage-campaign"
	],
	"report_names": [
		"russia-moldova-cyberespionage-campaign"
	],
	"threat_actors": [
		{
			"id": "69cba9ab-de35-4103-a699-7d243bcfd196",
			"created_at": "2023-01-06T13:46:39.159472Z",
			"updated_at": "2026-04-10T02:00:03.233731Z",
			"deleted_at": null,
			"main_name": "XDSpy",
			"aliases": [],
			"source_name": "MISPGALAXY:XDSpy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d69b3831-de95-42c9-b4b6-26232627206f",
			"created_at": "2022-10-25T16:07:24.429466Z",
			"updated_at": "2026-04-10T02:00:04.985102Z",
			"deleted_at": null,
			"main_name": "XDSpy",
			"aliases": [],
			"source_name": "ETDA:XDSpy",
			"tools": [
				"ChromePass",
				"IE PassView",
				"MailPassView",
				"Network Password Recovery",
				"OperaPassView",
				"PasswordFox",
				"Protected Storage PassView",
				"XDDown",
				"XDList",
				"XDLoc",
				"XDMonitor",
				"XDPass",
				"XDRecon",
				"XDUpload"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775446554,
	"ts_updated_at": 1775826768,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c828556c2446e6f91173aef1b27a913b0588db05.pdf",
		"text": "https://archive.orkl.eu/c828556c2446e6f91173aef1b27a913b0588db05.txt",
		"img": "https://archive.orkl.eu/c828556c2446e6f91173aef1b27a913b0588db05.jpg"
	}
}