XDigo is a recently discovered, sophisticated malware implant written in the Go programming language. It is primarily deployed by the cyber-espionage group known as XDSpy (also referred to as “Silent Werewolf”), which has a history of targeting government and critical infrastructure entities across Eastern Europe, Russia, and neighboring regions.
Infection Chain and Exploitation
XDigo is delivered through spearphishing. Victims receive ZIP archives containing malicious Windows LNK (shortcut) files that pose as official documents. The campaign abuses a then-unpatched weakness in how Windows displays LNK files, tracked by the Zero Day Initiative as ZDI-CAN-25373: the shortcut's COMMAND_LINE_ARGUMENTS field is padded with long runs of whitespace characters (spaces, tabs, line feeds and similar), so the Target field in the file's Properties dialog shows nothing suspicious, while Windows still passes the complete argument string to the target program when the shortcut is opened.
Opening the LNK runs a PowerShell command that extracts a nested ZIP archive and launches a legitimate executable, which sideloads the malicious DLL ETDownloader in place of a library it expects. ETDownloader establishes persistence and then attempts to retrieve XDigo, the second-stage payload, from attacker-controlled infrastructure.
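The whitespace-padding trick can be checked offline without opening the shortcut on a Windows host. The following Python is an added example, not code from the original page or from the XDSpy tooling: it walks the LNK ShellLinkHeader, skips the LinkTargetIDList and LinkInfo structures, decodes the StringData fields as laid out in MS-SHLLINK, and flags a COMMAND_LINE_ARGUMENTS value that contains a long run of whitespace. The `build_lnk` helper, the field and function names, and the 64-character threshold are assumptions made for this illustration; the shortcuts it constructs are synthetic test inputs, not samples from the campaign.

```python
# Added example (not code from the original page): parse the StringData section
# of a Windows .LNK and flag whitespace padding in COMMAND_LINE_ARGUMENTS, the
# ZDI-CAN-25373 technique. Layout per MS-SHLLINK; test shortcuts are constructed.
import struct

# ShellLinkHeader starts with HeaderSize (0x4C) and the ShellLink CLSID
# {00021401-0000-0000-C000-000000000046}, little-endian on disk.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")
HEADER_SIZE = 0x4C

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData entries appear in this fixed order, each present only if its flag is set.
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))

# Whitespace the Properties dialog does not render; padding with it pushes the
# real command line out of the visible Target field.
PADDING_CHARS = " \t\n\x0b\x0c\r"


def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields, skipping LinkTargetIDList and LinkInfo."""
    if len(data) < HEADER_SIZE or data[:20] != LNK_MAGIC:
        raise ValueError("not a Shell Link file")
    (flags,) = struct.unpack_from("<I", data, 20)
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        (id_list_size,) = struct.unpack_from("<H", data, off)
        off += 2 + id_list_size            # IDListSize field plus the IDList itself
    if flags & HAS_LINK_INFO:
        (link_info_size,) = struct.unpack_from("<I", data, off)
        off += link_info_size              # LinkInfoSize counts itself
    fields = {}
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        (count,) = struct.unpack_from("<H", data, off)   # CountCharacters
        off += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[off:off + width * count]
        off += width * count
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
    return fields


def longest_padding_run(s: str) -> int:
    # Length of the longest consecutive run of padding characters in s.
    best = run = 0
    for ch in s:
        run = run + 1 if ch in PADDING_CHARS else 0
        best = max(best, run)
    return best


def analyze_lnk(data: bytes, threshold: int = 64) -> dict:
    """Flag a shortcut whose arguments contain a long whitespace run.
    threshold is an assumed triage cut-off; genuine shortcuts separate
    arguments with a single space."""
    args = parse_lnk_strings(data).get("arguments", "")
    run = longest_padding_run(args)
    return {"arguments_length": len(args),
            "longest_padding_run": run,
            "hidden_arguments": args.strip(PADDING_CHARS),
            "suspicious": run >= threshold}


def build_lnk(arguments: str, relative_path: str = ".\\invoice.pdf.lnk",
              unicode: bool = True) -> bytes:
    """Construct a minimal .LNK (no IDList, no LinkInfo) as a test input.
    Constructed artifact for this example, not a real sample."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | (IS_UNICODE if unicode else 0)
    header = LNK_MAGIC + struct.pack("<I", flags) + bytes(HEADER_SIZE - 24)

    def string_data(s: str) -> bytes:
        body = s.encode("utf-16-le") if unicode else s.encode("cp1252")
        return struct.pack("<H", len(s)) + body

    return header + string_data(relative_path) + string_data(arguments)


if __name__ == "__main__":
    benign = build_lnk("-NoProfile -File report.ps1")
    # Whitespace padding in front of the real command line, as in ZDI-CAN-25373.
    padded = build_lnk(" " * 300 + "-nop -w hidden -c \"iex (gc payload.txt)\"")
    for label, blob in (("benign", benign), ("padded", padded)):
        print(label, analyze_lnk(blob))
```

Running the script against a directory of extracted shortcuts and sorting by `longest_padding_run` surfaces padded files quickly; `hidden_arguments` gives the command line the Properties dialog would not have shown, which is what a triage analyst actually needs to read.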
XDigo Capabilities
XDigo is a full-featured espionage tool with the following functions:
• Data Collection: Regularly scans for documents with specific file extensions, captures screenshots, and monitors clipboard content.
• Command Execution: Accepts and executes remote commands from the threat actor.
• Encryption: Collected data is exfiltrated as ZIP archives encrypted with AES-256-GCM, and all traffic uses HTTPS. Commands from the operator are encrypted with RSA-OAEP and signed with RSA-PSS, so an implant only acts on tasks produced with the operator's private key; someone who captures a sample cannot inject commands into it.
• Anti-Analysis: Performs anti-sandbox and anti-analysis checks, and the C2 infrastructure answers unwanted or automated requests with a redirect to very large files (for example LLM model binaries hosted on Hugging Face), so that crawlers and sandboxes waste time downloading them instead of the real payload.
• Operational Security: Each sample embeds unique AES keys to compartmentalize operations and avoid cross-contamination between attacks.
Targeting and Attribution
• Primary Targets: XDigo campaigns have focused on governmental entities, particularly in Belarus, Russia, and Moldova, as well as legal and economic policy sectors.
• Attribution: Technical infrastructure, payload overlaps, and consistent tactics link XDigo directly to the XDSpy group, which has operated largely undetected since at least 2011.
Technical Indicators
• Notable File Hash (SHA-256, XDigo sample vwjqrvdy.exe): 0d983f5fb403b500ec48f13a951548d5a10572fde207cf3f976b9daefb660f7e
• Command & Control Domains (defanged): quan-miami[.]com and vashazagruzka365[.]com
All about XDigo malware
| Feature | Details |
|---|---|
| Language | Go |
| Infection Vector | Spearphishing with ZIP archives containing LNK files that exploit ZDI-CAN-25373 |
| Initial Loader | ETDownloader (C# .NET DLL sideloaded by a legitimate executable) |
| Capabilities | File/document theft, screenshots, clipboard capture, remote command execution |
| Encryption | AES-256-GCM for exfiltrated data; RSA-OAEP encryption and RSA-PSS signatures for commands |
| Targets | Government, legal and economic-policy entities in Belarus, Russia and Moldova |
| Attribution | XDSpy (aka Silent Werewolf) |
| Notable Hash (SHA-256) | 0d983f5fb403b500ec48f13a951548d5a10572fde207cf3f976b9daefb660f7e |
| C2 Domains | quan-miami[.]com, vashazagruzka365[.]com |