XDSpy
Malware
⚠️ Overview
XDSpy is a sophisticated cyber-espionage group first publicly documented in 2020 by the Polish Military Counterintelligence Service (SKW) and later by ESET. The group primarily operates custom backdoor malware, categorized as a remote access trojan (RAT) and information stealer, targeting government entities, diplomatic missions, and military organizations in Eastern Europe. Attribution remains unconfirmed, but analysis of operational patterns suggests a Russian-speaking threat actor with espionage objectives.
🔧 Technical Capabilities
XDSpy’s malware uses a multi-stage infection chain, typically initiated by spear-phishing emails carrying malicious Microsoft Office attachments (XLS, DOC) that exploit CVE-2017-11882 (the Equation Editor vulnerability) or CVE-2018-0802 to drop the initial payload. The backdoor, written in C++ and compiled with Microsoft Visual Studio, communicates with command-and-control (C2) servers over HTTP, sending blobs encrypted with a custom XOR-based algorithm. Persistence is achieved through Windows Registry Run keys (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svhost) or scheduled tasks. Evasion techniques include injecting into legitimate Windows processes (svchost.exe), timestomping files, and renaming executables to mimic system files (e.g., “wmi.exe”, “sysupdate.exe”). The malware can enumerate drives, capture keystrokes, take screenshots, exfiltrate documents (.doc, .xls, .pdf), and retrieve additional plugins from the C2 infrastructure.
📜 History & Notable Incidents
XDSpy first appeared operationally in 2011 but remained undetected until 2019, when ESET researchers discovered its activities during a routine threat-hunting engagement. A major campaign in 2020 targeted the Polish government and Ukrainian military institutions; over nine years the group stole hundreds of gigabytes of classified documents. No CVEs are directly tied to XDSpy beyond the exploits used for initial access, and no law enforcement takedowns had been publicly reported as of 2024. The group has also been linked to intrusions into Belarusian opposition groups and NATO-aligned entities.
🔍 Detection Indicators
Known file hashes include SHA-1 5A3F6B... (sample from ESET report) and MD5 D4C1E2... (backdoor variant). Behavioral signatures include outbound HTTP POST requests to IP addresses in the 77.91.124.0/24 and 46.17.44.0/24 ranges, using User-Agent strings such as “Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0”. Registry artifacts include the key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SysUpdate. Mutex names observed include “Global\XDS_Update_Mutex”.
☠️ Risk & Impact
XDSpy’s primary impact is data exfiltration and intellectual property theft; documented losses run to hundreds of sensitive documents from defense and foreign affairs ministries. The group’s long operational timeline (2011–2020 at minimum) indicates persistent, low-and-slow data theft affecting the diplomatic, military, and intelligence sectors in Poland, Ukraine, and other Eastern European nations. The financial cost of stolen diplomatic strategies and military plans is unquantifiable but severe.
🛡️ Mitigation
Defenders should apply Microsoft’s security patches for CVE-2017-11882 and CVE-2018-0802, enforce macro-blocking policies in Office, and deploy endpoint detection rules for process injection (e.g., Sysmon Event ID 8). ESET’s Win32/Agent.PWF and Win32/XDSpy signatures, along with the YARA rules published by the vendor, are recommended for detection. Blocking the known C2 IP ranges at the network level and monitoring for the specific User-Agent string are also advised.
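The following script turns the network and registry indicators from the Detection Indicators section into a check a defender can run over exported proxy logs and Run-key entries. It is an added example written for this page, not code from ESET, SKW or Boteraser. The proxy log format, the sample log lines and the sample registry entries are constructed for illustration; the C2 ranges, User-Agent string and Run-key value names (svhost, SysUpdate) are taken from the page as written, and the truncated file hashes are omitted because a partial hash cannot be matched.

```python
"""Match proxy-log lines and Run-key entries against the XDSpy indicators listed above.

Added example for this page; not code from ESET, SKW or Boteraser. The log format,
sample lines and sample registry entries are constructed for illustration.
"""
import ipaddress
import re

# Indicators taken from this page. The truncated file hashes (5A3F6B..., D4C1E2...)
# cannot be matched and are omitted.
C2_RANGES = [ipaddress.ip_network("77.91.124.0/24"),
             ipaddress.ip_network("46.17.44.0/24")]
XDSPY_USER_AGENT = "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0"
# Value names under HKCU\Software\Microsoft\Windows\CurrentVersion\Run named on the page
RUN_VALUE_NAMES = {"svhost", "SysUpdate"}

# Constructed log format (an assumption, not a real product's format):
#   <timestamp> <src-ip> <dst-ip> <method> <path> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict of fields, or None for a line that does not fit the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_request(rec):
    """Return the indicator tags a parsed record matches, in a fixed order."""
    tags = []
    try:
        dst = ipaddress.ip_address(rec["dst"])
    except ValueError:
        dst = None  # a hostname or junk in the dst field never matches a range
    if dst is not None and any(dst in net for net in C2_RANGES):
        tags.append("c2_range")
    if rec["ua"] == XDSPY_USER_AGENT:  # exact match; the page gives one UA string
        tags.append("user_agent")
    # The page describes outbound HTTP POSTs to the C2 ranges; only flag POSTs
    # that already matched another indicator so ordinary POST traffic stays quiet.
    if rec["method"] == "POST" and tags:
        tags.append("http_post")
    return tags


def scan_proxy_log(lines):
    """Return (timestamp, src, dst, tags) for every line matching at least one indicator."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort mid-file
        tags = classify_request(rec)
        if tags:
            hits.append((rec["ts"], rec["src"], rec["dst"], tags))
    return hits


def check_run_entries(entries):
    """entries: (value_name, command) pairs exported from the HKCU Run key.
    Returns the pairs whose value name matches a name listed on the page."""
    return [(name, cmd) for name, cmd in entries if name in RUN_VALUE_NAMES]


# Constructed sample data; 10.0.0.0/8 is private and 198.51.100.0/24 is a documentation range.
SAMPLE_LOG = [
    '2024-03-01T10:00:00Z 10.0.0.5 77.91.124.17 POST /upload.php '
    '"Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0"',
    '2024-03-01T10:00:05Z 10.0.0.6 198.51.100.20 GET /index.html '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"',
    '2024-03-01T10:01:00Z 10.0.0.7 46.17.44.200 GET /check "curl/8.0"',
    'this line is not in the expected format',
]
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
    ("SysUpdate", r"C:\Users\Public\sysupdate.exe"),
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print("proxy hit:", hit)
    for name, cmd in check_run_entries(SAMPLE_RUN_ENTRIES):
        print("run-key hit:", name, "->", cmd)
```

On the sample data the first line matches the C2 range, the User-Agent and the POST method, the third line matches only the C2 range, and the SysUpdate entry is the single Run-key hit. The User-Agent comparison is deliberately exact, since the page gives one specific string; a range match alone is reported as well, because the page ties the C2 ranges to beaconing regardless of User-Agent.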
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.