Newly Unearthed APT Group “XDSpy” Has Been Around Since 2011

Written by Bill Toulas
Last updated September 28, 2021

ESET researchers have uncovered a previously unknown APT group that was stealing and selling highly sensitive data from Easter European governments for the past decade. Named “XDSpy,” this group managed to fly under the radar since 2011 and was mentioned for the first time in February 2020 in an announcement by the Belarusian National Response Center.

As ESET explains now, XDSpy wasn’t limited to spying Belarusian ministries but also several countries in the area such as Russia, Ukraine, Moldova, and Serbia.

Source: ESET

The team that analyzed the details of the activity of the XDSpy concluded that it’s a new group since there are no code similarities with other known malware families, there are no overlaps with malicious network infrastructure, and the targets are somewhat unusual.

Also, considering that XDSpy has been around for nine years now, researchers would have already discovered it if there was a link with anyone else.

Source: ESET

The hackers work Monday to Friday in time zones that match those of their targets, so there is a professional approach to their campaigns. Their ways mainly involve spearphishing emails that come with malicious ZIP and RAR attachments, so the only thing that changes is the theme and the targeted vulnerabilities. ESET confirmed exploits of CVE-2020-0968 being distributed from June 2020 and onwards, targeting systems with specially crafted HTML files.

Source: ESET

Notably, this vulnerability was patched by Microsoft in April 2020, so the exploit's development came in a very short period. This indicates that XDSpy is a group of very capable hackers, or that they bought the exploit from a broker. In fact, ESET mentions that XDSpy could be using the same broker as DarkHotel, as some signs are pointing to this assumption.

As for what the malware can do once it's dropped on the target system, that would depend on what plugins are fetched and loaded. The researchers have recorded six individual plugins which can do the following:

The activity of XDSpy has reached new levels during the past few months, and maybe this is what blew their cover after all these years. Now that the compromise indicators are known and publicly available, the APT group will have to prove how flexible and capable they are, as they have sent mixed messages on that part.

For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: