Cybersecurity researchers have uncovered a Go-based malware called XDigo that has been used in attacks targeting Eastern European governmental entities in March 2025.
The attack chains are said to have leveraged a collection of Windows shortcut (LNK) files as part of a multi-stage procedure to deploy the malware, French cybersecurity company HarfangLab said.
XDSpy is the name assigned to a cyber espionage that’s known to target government agencies in Eastern Europe and the Balkans since 2011. It was first documented by the Belarusian CERT in early 2020.
In recent years, companies in Russia and Moldova have been targeted by various campaigns to deliver malware families like UTask, XDDown, and DSDownloader that can download additional payloads and steal sensitive information from compromised hosts.
HarfangLab said it observed the threat actor leveraging a remote code execution flaw in Microsoft Windows that’s triggered when processing specially crafted LNK files. The vulnerability (ZDI-CAN-25373) was publicly disclosed by Trend Micro earlier this March.
“Crafted data in an LNK file can cause hazardous content in the file to be invisible to a user who inspects the file via the Windows-provided user interface,” Trend Micro’s Zero Day Initiative (ZDI) said at the time. “An attacker can leverage this vulnerability to execute code in the context of the current user.”
Further analysis of the LNK file artifacts that exploit ZDI-CAN-25373 has uncovered a smaller subset comprising nine samples, which take advantage of an LNK parsing confusion flaw stemming as a result of Microsoft not implementing its own MS-SHLLINK specification (version 8.0).
According to the spec, the maximum theoretical limit for the length of a string within LNK files is the greatest integer value that can be encoded within two bytes (i.e., 65,535 characters). However, the actual Windows 11 implementation limits the total stored text content to 259 characters with the exception of command-line arguments.
“This leads to confusing situations, where some LNK files are parsed differently per specification and in Windows, or even that some LNK files which should be invalid per specification are actually valid to Microsoft Windows,” HarfangLab said.
“Because of this deviation from the specification, one can specifically craft an LNK file which seemingly executes a certain command line or even be invalid according to third party parsers implementing the specification, while executing another command line in Windows.”
A consequence of combining the whitespace padding issue with the LNK parsing confusion is that it can be leveraged by attackers to hide the command that’s being executed on both Windows UI and third-party parsers.
The nine LNK files are said to have been distributed within ZIP archives, with each of the latter containing a second ZIP archive that includes a decoy PDF file, a legitimate but renamed executable, and a rogue DLL that’s sideloaded via the binary.
It’s worth noting this attack chain was documented by BI.ZONE late last month as conducted by a threat actor it tracks as Silent Werewolf to infect Moldovan and Russian companies with malware.
The DLL is a first-stage downloader dubbed ETDownloader that, in turn, is likely meant to deploy a data collection implant referred to as XDigo based on infrastructure, victimology, timing, tactics, and tooling overlaps. XDigo is assessed to be a newer version of malware (“UsrRunVGA.exe”) that was detailed by Kaspersky in October 2023.
XDigo is a stealer that can harvest files, extract clipboard content, and capture screenshots. It also supports commands to execute a command or binary retrieved from a remote server over HTTP GET requests. Data exfiltration occurs via HTTP POST requests.
At least one confirmed target has been identified in the Minsk region, with other artifacts suggesting the targeting of Russian retail groups, financial institutions, large insurance companies, and governmental postal services.
“This targeting profile aligns with XDSpy’s historical pursuit of government entities in Eastern Europe and Belarus in particular,” HarfangLab said.
“XDSpy’s focus is also demonstrated by its customized evasion capabilities, as their malware was reported as the first malware attempting to evade detection from PT Security’s Sandbox solution, a Russian cybersecurity company providing service to public and financial organizations in the Russian Federation.”
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Leave feedback about this