XDigo Malware Exploits Windows LNK Vulnerability in Targeted Attacks Across Eastern Europe

Cybersecurity analysts have identified a new strain of Go-based malware, named XDigo, actively used in targeted attacks against government organizations in Eastern Europe as of March 2025.

According to HarfangLab, a French cybersecurity firm, attackers utilized malicious Windows shortcut (LNK) files in a multi-stage campaign to deploy XDigo. These attacks follow a familiar pattern attributed to a long-standing espionage group known as XDSpy, which has been active since 2011 and is known for targeting government agencies across Eastern Europe and the Balkans.

In recent years, organizations in Russia and Moldova have been repeatedly targeted through malware campaigns deploying tools like UTask, XDDown, and DSDownloader — tools capable of downloading additional payloads and stealing sensitive data.

The attack observed in March involved the exploitation of a remote code execution vulnerability in Windows. The flaw — tracked as ZDI-CAN-25373 and disclosed by Trend Micro — can be triggered when Windows processes specially crafted LNK files.

“Crafted data in an LNK file can cause harmful content to remain invisible when inspected through the standard Windows interface,” explained Trend Micro’s Zero Day Initiative. “Attackers can exploit this to execute arbitrary code under the current user’s privileges.”

Upon analyzing the weaponized LNK files, researchers uncovered nine unique samples that take advantage of how Windows fails to fully implement its own MS-SHLLINK (v8.0) specification. While the spec allows strings up to 65,535 characters, Windows 11 restricts this to 259 characters — with exceptions for command-line arguments.

This discrepancy opens the door for LNK parsing confusion, allowing attackers to hide commands from both users and many third-party file analysis tools.

“Due to this deviation, attackers can design LNK files that appear harmless or invalid but still execute commands when opened in Windows,” HarfangLab explained.
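One practical check for the discrepancy described above, as an added example that is not code from HarfangLab or the article: the script walks the MS-SHLLINK layout (header, optional LinkTargetIDList and LinkInfo, then the StringData fields), and flags any field whose character count exceeds the 259-character limit that Windows itself applies, since a shortcut carrying a far longer string is exactly what the standard interface would not display in full. The field layout follows the published specification; the `build_lnk` fixture and its oversized argument string are constructed test data.

```python
import struct

# LinkFlags bits from the MS-SHLLINK ShellLinkHeader
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = ("NAME", "RELATIVE_PATH", "WORKING_DIR", "ARGUMENTS", "ICON_LOCATION")
STRING_FLAGS = (0x04, 0x08, 0x10, 0x20, 0x40)
WIN_LIMIT = 259  # string length Windows 11 honours (per the article); spec allows 65,535

def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a .lnk file as {field_name: text}."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link header")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                   # header is always 0x4C bytes
    if flags & HAS_ID_LIST:                    # LinkTargetIDList: 2-byte size + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                  # LinkInfo: 4-byte size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for name, bit in zip(STRING_FIELDS, STRING_FLAGS):
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, not bytes
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le", "replace")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("latin-1")
            pos += count
    return fields

def suspicious_fields(data: bytes) -> list:
    """Names of StringData fields longer than the 259 characters Windows displays."""
    return [n for n, s in parse_lnk_strings(data).items() if len(s) > WIN_LIMIT]

def build_lnk(args: str) -> bytes:
    """Constructed minimal Unicode .lnk carrying only COMMAND_LINE_ARGUMENTS (test fixture)."""
    clsid = b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
    header = struct.pack("<I", 0x4C) + clsid + struct.pack("<I", 0x20 | IS_UNICODE)
    header += b"\x00" * (76 - len(header))    # remaining header fields left zero
    return header + struct.pack("<H", len(args)) + args.encode("utf-16-le")

if __name__ == "__main__":
    sample = build_lnk("/c echo constructed-sample " + "X" * 300)
    print(suspicious_fields(sample))          # ['ARGUMENTS']
```

Run it over a directory of extracted ZIP contents to triage shortcuts before they reach an analyst's desktop; real-world files also carry the optional ExtraData blocks after StringData, which this parser does not need to read.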

In practice, these manipulated LNK files were delivered in ZIP archives, each containing:

  • A decoy PDF,
  • A renamed legitimate executable, and
  • A malicious DLL, which is sideloaded by the executable.

This attack chain matches previous incidents documented by BI.ZONE, which attributed similar campaigns to a threat actor known as Silent Werewolf — responsible for targeting Russian and Moldovan companies.

The malicious DLL acts as a first-stage downloader named ETDownloader, designed to fetch and install the XDigo payload. Based on overlaps in infrastructure and attack patterns, XDigo appears to be an evolved version of a malware sample called “UsrRunVGA.exe”, originally identified by Kaspersky in October 2023.

What XDigo Can Do:

XDigo is a data-stealing malware that:

  • Harvests files from infected machines
  • Extracts clipboard data
  • Takes screenshots
  • Executes remote commands or payloads via HTTP GET
  • Exfiltrates data through HTTP POST requests

One confirmed target was located in the Minsk region, while other indicators suggest broader targeting of Russian retail and financial institutions, insurance providers, and government postal agencies.

“This campaign aligns with XDSpy’s historical focus on Eastern European and Belarusian government organizations,” HarfangLab concluded.

XDSpy is also known for employing customized evasion tactics, including attempts to bypass advanced threat detection platforms like PT Security’s Sandbox, which is widely used by Russian public and financial sectors.


🔒 Takeaway for Defenders:
This incident highlights how attackers exploit legacy formats like LNK files, combine them with parsing inconsistencies, and use multi-stage payloads to bypass detection. Staying vigilant against obscure file types and implementing behavioral threat detection remain essential.

Source: https://thehackernews.com/2025/06/xdigo-malware-exploits-windows-lnk-flaw.html