Cybersecurity researchers have uncovered a Go-based malware called XDigo that was used in attacks targeting Eastern European governmental entities in March 2025.
The attack chains are said to use a collection of Windows shortcut (LNK) files as part of a multi-stage procedure to deploy the malware, French cybersecurity company HarfangLab noted.
XDSpy is the name assigned to a cyber-espionage group known to target state bodies in Eastern Europe and the Balkans since 2011. It was first documented by the Belarusian CERT in early 2020.
In recent years, companies in Russia and Moldova have been targeted by campaigns delivering malware families such as UTask, XDDown and DSDownloader, which can download additional payloads and steal sensitive information from compromised hosts.
HarfangLab said it identified a threat actor exploiting a remote code execution flaw in Microsoft Windows that is triggered when processing specially crafted LNK files. The vulnerability (ZDI-CAN-25373) was publicly disclosed by Trend Micro in March this year.
"Crafted data in an LNK file can cause hazardous content in the file to be invisible to a user who inspects the file through the Windows user interface," Trend Micro's Zero Day Initiative (ZDI) said. "An attacker can use this vulnerability to execute code in the context of the current user."
Further analysis of the LNK files exploiting ZDI-CAN-25373 revealed a smaller subset of nine samples that use an LNK parsing confusion flaw, which arises because Microsoft's own implementation does not follow its own MS-SHLLINK specification (version 8.0).
According to the specification, the theoretical maximum length of a string in an LNK file is the largest value that can be stored in two bytes (i.e. 65,535 characters). However, the actual Windows 11 implementation caps the total restored text content at 259 characters, except for the command-line arguments.
"This leads to confusing situations where some LNK files are parsed differently by the specification and by Windows, or even some LNK files that should be invalid by the specification actually work on Microsoft Windows," HarfangLab said.
"From this deviation from the specification, it is possible to craft an LNK file that appears to execute one command line, or is even invalid according to third-party tools that implement the specification, while actually executing another command line on Windows."
The consequence of combining the ZDI-CAN-25373 issue with the LNK parsing confusion is that attackers can use it to hide the command that is executed, both from the Windows user interface and from third-party tools.
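To make the divergence between the specification and Windows concrete, here is an added Python example (not HarfangLab's or Trend Micro's code) that parses an LNK file's StringData strictly by the MS-SHLLINK rules and flags shortcuts whose total non-argument text exceeds the 259-character Windows cap reported above, since such a file will be read one way by spec-following tools and another by Windows. The sample shortcuts are constructed inline; the cap value and the "treat the divergence as suspicious" triage rule are assumptions taken from the article, not from the specification.

```python
import struct

# LinkFlags bits as laid out in the MS-SHLLINK ShellLinkHeader (offset 20)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 1 << 0, 1 << 1
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 1 << 2, 1 << 3, 1 << 4
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 1 << 5, 1 << 6, 1 << 7
# StringData fields, in the order the specification serialises them
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location")]
WINDOWS_TEXT_CAP = 259  # assumption: the Windows 11 cap HarfangLab reports (arguments excluded)

def parse_string_data(lnk: bytes) -> dict:
    """Parse StringData by the specification: each string is a 2-byte
    CountCharacters (so up to 65,535 characters) followed by the characters."""
    if len(lnk) < 76 or struct.unpack_from("<I", lnk, 0)[0] != 0x4C:
        raise ValueError("not a shell link: HeaderSize must be 0x4C")
    flags = struct.unpack_from("<I", lnk, 20)[0]
    off = 76                              # fixed-size ShellLinkHeader
    if flags & HAS_LINK_TARGET_ID_LIST:   # IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", lnk, off)[0]
    if flags & HAS_LINK_INFO:             # LinkInfoSize (4 bytes) counts itself
        off += struct.unpack_from("<I", lnk, off)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", lnk, off)[0]
        size = count * 2 if unicode else count
        raw = lnk[off + 2:off + 2 + size]
        fields[name] = raw.decode("utf-16-le" if unicode else "cp1252")  # ANSI page assumed
        off += 2 + size
    return fields

def find_parsing_confusion(lnk: bytes) -> list:
    """Flag a shortcut whose spec-valid text exceeds the cap Windows applies:
    spec-following tools and Windows will then disagree on what it contains."""
    fields = parse_string_data(lnk)
    total = sum(len(v) for k, v in fields.items() if k != "arguments")
    if total > WINDOWS_TEXT_CAP:
        return [f"non-argument text is {total} chars, above the {WINDOWS_TEXT_CAP}-char Windows cap"]
    return []

def build_lnk(name: str, arguments: str) -> bytes:
    """Constructed minimal shell link (header + StringData only) used as test input."""
    clsid = b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, clsid, HAS_NAME | HAS_ARGUMENTS | IS_UNICODE,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # ShowCommand = SW_SHOWNORMAL
    def encode(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + encode(name) + encode(arguments)
```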
The nine files are said to be distributed inside ZIP archives, each of which contains a second ZIP archive that includes a PDF file, a legitimate but renamed binary, and a rogue DLL that is loaded through that binary.
It is worth noting that this attack chain was documented by BI.ZONE late last month as conducted by a threat actor it tracks as Silent Werewolf to infect Moldovan and Russian companies with malware.
The DLL is a first-stage downloader, dubbed ETDownloader, which in turn can deploy a data-collecting implant called XDigo; the link is based on overlaps in infrastructure, victimology, timing, tactics and tooling. XDigo is assessed to be a newer version of a malware ("USRRUNVGA.EXE") that was detailed by Kaspersky in October 2023.
XDigo is a stealer that can harvest files, extract clipboard contents and capture screenshots. It also supports commands to execute a command or binary retrieved from a remote server via HTTP GET requests. Data exfiltration uses HTTP POST requests.
At least one confirmed target was identified in the Minsk region, and other artifacts suggest the targeting of Russian retail groups, financial institutions, large insurance companies and government postal services.
"This targeting profile aligns with XDSpy's historical interest in government organizations in Eastern Europe and Belarus," HarfangLab said.
"XDSpy's focus is also demonstrated by its custom evasion, as its malware was reported as the first to attempt to evade detection by PT Security Sandbox, a Russian cybersecurity company providing services to state and financial organizations in the Russian Federation."