XDigo Hits Government Targets in Region
XDigo, a stealthy Go-based malware family, has been targeting Eastern European governments since March 2025. Attackers use it to steal sensitive data from agencies, and its delivery chain exploits Windows LNK flaws. This threat jeopardizes regional cybersecurity.
How the Attack Unfolds
The malware spreads through crafted LNK files delivered inside ZIP archives, which trigger a multi-stage infection process. It also sideloads rogue DLLs alongside decoy PDFs, so the payload is deployed unnoticed.
Exploiting LNK Vulnerabilities
XDigo abuses a flaw in Windows LNK parsing (ZDI-CAN-25373). Attackers hide the real command behind excessive characters, so it bypasses UI checks and third-party tools and the code executes stealthily.
Evolution and Targeting
The malware is linked to XDSpy, a group active since 2011, and targets Russia, Moldova, and Belarus. A report notes that it evolved from UsrRunVGA.exe in 2023, so its tactics have grown more refined over time.
Impact on Victims
XDigo steals files, screenshots, and clipboard data, and has hit retail, finance, and postal services. It exfiltrates the stolen data over HTTP requests, exposing sensitive government and business information.
Broader Cyber Threats
Similar campaigns target Eastern Europe with UTask and DSDown, evading detection with custom tricks; XDSpy, for instance, avoids Russian sandboxes. Regional defenses therefore face rising challenges.
Challenges for Detection
The LNK flaw confuses parsers because the crafted files deviate from the format specification, and the hidden commands evade standard checks. Decoy files further mask the attack, so spotting these threats demands deeper analysis of the shortcut files themselves.
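As an added example (not code from the original article or from any vendor report): a minimal Python reader for the MS-SHLLINK StringData section that extracts COMMAND_LINE_ARGUMENTS from a .lnk, plus a heuristic, assumed here rather than taken from the page, that flags overlong or whitespace-padded command lines of the kind the flaw above keeps out of the shortcut Properties view. build_lnk only constructs test samples and is not a real-world artifact.

```python
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # with HeaderSize 0x4C, marks a shell link
HAS_IDLIST, HAS_LINKINFO, HAS_ARGUMENTS, IS_UNICODE = 0x01, 0x02, 0x20, 0x80
# StringData sections in the order the spec serialises them, keyed by their LinkFlags bit.
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (HAS_ARGUMENTS, "arguments"), (0x40, "icon_location")]

def parse_lnk(data):
    """Return the StringData fields of a .lnk as a dict (minimal MS-SHLLINK reader)."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Windows shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_IDLIST:        # LinkTargetIDList: 2-byte IDListSize, then the item list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:      # LinkInfo: 4-byte LinkInfoSize covers the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, key in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, not bytes
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        fields[key] = raw.decode("utf-16-le" if width == 2 else "latin-1")
        pos += count * width
    return fields

def suspicious_arguments(args, max_len=260, pad_run=32):
    """Heuristic (assumed here): flag arguments that are overlong or hold a long whitespace run."""
    reasons = []
    if len(args) > max_len:
        reasons.append(f"arguments length {len(args)} exceeds {max_len}")
    run = 0
    for ch in args:
        run = run + 1 if ch.isspace() else 0
        if run >= pad_run:
            reasons.append(f"whitespace padding run of at least {pad_run} characters")
            break
    return reasons

def build_lnk(arguments, unicode=True):
    """Constructed test sample: a minimal .lnk carrying only COMMAND_LINE_ARGUMENTS."""
    flags = HAS_ARGUMENTS | (IS_UNICODE if unicode else 0)
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags) + bytes(76 - 24)
    body = arguments.encode("utf-16-le" if unicode else "latin-1")
    return header + struct.pack("<H", len(arguments)) + body
```

Run `suspicious_arguments(parse_lnk(open(path, "rb").read()).get("arguments", ""))` over the shortcuts extracted from a suspect archive; a non-empty list is a reason to inspect the file in a hex editor rather than trust what Explorer shows.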
Preventing XDigo Attacks
To stop XDigo, avoid opening unknown ZIP files and scan archives with updated antivirus. Disable LNK auto-execution, patch Windows regularly, and train staff on phishing risks. These steps help protect systems from the malware.
Sleep well, we've got you covered.