The cyber espionage group XDSpy has been exploiting a zero-day vulnerability in Windows LNK (shortcut) files, tracked as ZDI-CAN-25373, to target government entities in Eastern Europe and Russia. Active since March 2025, the campaign uses a multi-stage infection chain to deploy the XDigo implant, which is written in Go. The attackers abuse a discrepancy in Microsoft's handling of LNK files to execute hidden commands that evade detection. The attack begins with spearphishing emails carrying ZIP archives that contain specially crafted LNK files. Once a shortcut is opened, it launches a legitimate Microsoft executable that sideloads a malicious DLL, which establishes persistence and fetches additional payloads from domains such as vashazagruzka365[.]com. XDigo collects data, including scanning files and capturing screenshots, and communicates with command-and-control servers. The campaign has primarily targeted Belarusian government entities, consistent with XDSpy's long-standing focus on Eastern European institutions. The operation's technical sophistication, including anti-analysis measures and encrypted data exfiltration, underlines the need for robust defenses against malicious shortcut files.
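ZDI-CAN-25373 is a user-interface misrepresentation issue: the shortcut's COMMAND_LINE_ARGUMENTS string is padded with large runs of whitespace, so the part that actually matters is pushed out of view in the Windows Properties dialog while the shell still executes it. A defender can catch that pattern without any GUI by reading the arguments field directly from the file. The code below is an added example, not code from the article or from any vendor report: it parses the string data of a .lnk as laid out in the MS-SHLLINK specification and flags an arguments string whose longest whitespace run exceeds a threshold. `build_sample_lnk` constructs a stripped-down shortcut purely as test input (real shortcuts also carry an ID list and LinkInfo, which the parser skips); the 16-character threshold is an assumed value to tune against your own attachments.

```python
import struct
from typing import Optional

# LinkFlags bits from the MS-SHLLINK ShellLinkHeader
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
WHITESPACE = " \t\r\n\x0b\x0c"


def parse_command_line(data: bytes) -> Optional[str]:
    """Return the COMMAND_LINE_ARGUMENTS string of a .lnk, or None if the field is absent."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a ShellLink header")
    if data[4:20] != LINK_CLSID:
        raise ValueError("bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    # LinkTargetIDList: uint16 size followed by that many bytes
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    # LinkInfo: uint32 total size including the size field itself
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)

    def read_string() -> str:
        # StringData: uint16 CountCharacters, then the characters (no terminator)
        nonlocal pos
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        pos += nbytes
        return raw.decode("utf-16-le") if unicode else raw.decode("cp1252")

    # StringData fields appear in a fixed order; arguments come after these three
    for flag in (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR):
        if flags & flag:
            read_string()
    if not flags & HAS_ARGUMENTS:
        return None
    return read_string()


def longest_whitespace_run(s: str) -> int:
    """Length of the longest consecutive run of whitespace characters in s."""
    run = best = 0
    for ch in s:
        run = run + 1 if ch in WHITESPACE else 0
        best = max(best, run)
    return best


def assess_lnk(data: bytes, max_run: int = 16) -> dict:
    """Triage verdict for one shortcut: padded arguments are the ZDI-CAN-25373 tell."""
    args = parse_command_line(data)
    if args is None:
        return {"suspicious": False, "reason": "no arguments field", "longest_run": 0, "args": ""}
    run = longest_whitespace_run(args)
    ratio = sum(ch in WHITESPACE for ch in args) / len(args) if args else 0.0
    suspicious = run >= max_run or ratio > 0.5
    reason = f"whitespace run of {run} (threshold {max_run}), whitespace ratio {ratio:.2f}"
    return {"suspicious": suspicious, "reason": reason, "longest_run": run, "args": args.strip()}


def build_sample_lnk(arguments: Optional[str]) -> bytes:
    """Constructed minimal .lnk carrying only an arguments string; test input, not a usable shortcut."""
    flags = IS_UNICODE | (HAS_ARGUMENTS if arguments is not None else 0)
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (HEADER_SIZE - len(header))  # attributes, timestamps, size, icon, showcmd, reserved
    if arguments is None:
        return header
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")


if __name__ == "__main__":
    benign = build_sample_lnk("/c example.exe")
    padded = build_sample_lnk("/c example.exe" + " " * 300 + "--hidden-part")
    for name, blob in (("benign", benign), ("padded", padded)):
        print(name, assess_lnk(blob))
```

Run it against a directory of extracted attachments by replacing the constructed samples with `open(path, "rb").read()`; a hit on the padding check is worth quarantining the archive and pulling the LNK's target path and arguments into the incident record.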