XDigo Hits Government Targets

XDigo Hits Government Targets in Region

XDigo, a sneaky Go-based malware, has targeted Eastern European governments since March 2025. Attackers use it to steal sensitive data from agencies, delivering it through a flaw in how Windows handles LNK files. This threat jeopardizes regional cybersecurity.

How the Attack Unfolds

The malware spreads via crafted LNK files delivered inside ZIP archives. Opening the shortcut triggers a multi-stage infection chain that sideloads rogue DLLs alongside decoy PDFs, so the malware is deployed unnoticed.

Exploiting LNK Vulnerabilities

XDigo abuses a flaw in Windows LNK parsing (ZDI-CAN-25373). Attackers pad the shortcut's command line with excessive characters so that the hidden command is not shown by the Windows UI and is missed by third-party tools. As a result, the code executes stealthily.

Evolution and Targeting

The malware is linked to XDSpy, a group active since 2011 that targets Russia, Moldova, and Belarus. A report notes that XDigo evolved from UsrRunVGA.exe in 2023, so its tactics have grown more refined over time.

Impact on Victims

XDigo steals files, screenshots, and clipboard data, and exfiltrates them via HTTP requests. Victims include retail, finance, and postal services, so both sensitive government and business information is exposed.

Broader Cyber Threats

Similar campaigns target Eastern Europe with UTask and DSDown, evading detection with custom tricks; XDSpy, for example, avoids Russian sandboxes. As a result, regional defenses face rising challenges.

Challenges for Detection

The LNK flaw confuses parsers because the crafted files deviate from the format specification, so the hidden commands evade standard checks, and decoy files further mask the attack. Spotting such threats demands deeper file analysis.
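The following Python is an added defender's illustration, not code from the article or from any published XDigo analysis: it walks the StringData of a .lnk file as laid out in Microsoft's MS-SHLLINK specification and flags a COMMAND_LINE_ARGUMENTS field carrying a long run of whitespace or control characters, the sort of padding the text says hides the real command from the UI and from parsers. The 32-character threshold, the assumption that the padding is made of whitespace/control characters, and the two constructed sample shortcuts are mine.

```python
import re
import struct

# Layout per the MS-SHLLINK spec: 76-byte header, optional size-prefixed IDList and LinkInfo, then StringData.
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
(HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH, HAS_WORKDIR,
 HAS_ARGS, HAS_ICON, IS_UNICODE) = (1 << i for i in range(8))
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELPATH), ("working_dir", HAS_WORKDIR),
                 ("arguments", HAS_ARGS), ("icon_location", HAS_ICON))
PAD_RE = re.compile(r"[ \t\r\n\x0b\x0c]+")  # whitespace/control runs that render as nothing in the shortcut UI
PAD_THRESHOLD = 32                          # assumed cut-off: legitimate shortcuts never need this much padding

def build_lnk(arguments: str) -> bytes:
    """Constructed fixture: a minimal Unicode LNK whose only StringData field is COMMAND_LINE_ARGUMENTS."""
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, HAS_ARGS | IS_UNICODE,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)   # zeroed attributes/times/size, SW_SHOWNORMAL
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")

def parse_string_data(lnk: bytes) -> dict:
    """Return the StringData fields of a .lnk, skipping the IDList and LinkInfo by their size prefixes."""
    if len(lnk) < HEADER_SIZE or lnk[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", lnk, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_IDLIST:
        pos += 2 + struct.unpack_from("<H", lnk, pos)[0]
    if flags & HAS_LINKINFO:
        pos += struct.unpack_from("<I", lnk, pos)[0]
    fields = {}
    for name, bit in STRING_FIELDS:          # CountCharacters (2 bytes) followed by the unterminated string
        if flags & bit:
            count = struct.unpack_from("<H", lnk, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            fields[name] = lnk[pos:pos + count * width].decode("utf-16-le" if width == 2 else "cp1252", "replace")
            pos += count * width
    return fields

def padding_length(arguments: str) -> int:
    """Longest run of padding characters inside the argument string."""
    return max((len(run) for run in PAD_RE.findall(arguments)), default=0)

def is_suspicious(lnk: bytes) -> bool:
    """True when COMMAND_LINE_ARGUMENTS carries a padding run long enough to push the real command out of view."""
    return padding_length(parse_string_data(lnk).get("arguments", "")) >= PAD_THRESHOLD

BENIGN_LNK = build_lnk("/c notepad.exe")                    # constructed sample: ordinary shortcut
PADDED_LNK = build_lnk(" \t" * 150 + "/c notepad.exe")      # constructed sample: padded the way the flaw abuses
```

Running is_suspicious over the shortcuts extracted from an incoming ZIP gives a cheap triage signal that does not depend on what the Windows Properties dialog chooses to display.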

Preventing XDigo Attacks

To stop XDigo, avoid opening ZIP archives from unknown senders and scan archives with updated antivirus. Disable LNK auto-execution and patch Windows regularly. Additionally, train staff on phishing risks. These steps help protect systems from this malware.

Sleep well, we got you covered.