XDigo

XDigo is a Go-based espionage malware/backdoor attributed to the XDSpy threat actor and observed in attacks from at least March 2025. Reporting links it to cyber-espionage operations targeting governmental entities in Eastern Europe and Russia, with a confirmed victim in the Minsk region of Belarus; related artifacts also suggested interest in Russian retail, financial, insurance, and governmental postal organizations. The malware is described as a 64-bit portable executable and as a newer version of malware previously described by Kaspersky as UsrRunVGA.exe.

The observed infection chain used specially crafted Windows LNK files distributed inside ZIP archives such as dokazatelstva.zip and proyekt.zip. These LNKs abused Windows shortcut parsing/UI weaknesses tracked in reporting as ZDI-CAN-25373 and related parsing inconsistencies to conceal the true command line. Execution led to a multi-stage chain involving JScript.NET compilation via jsc.exe, extraction of nested archives, launch of a legitimate signed Microsoft binary (DeviceMetadataWizard.exe), and DLL sideloading of a malicious d3d9.dll downloader dubbed ETDownloader. ETDownloader opened a decoy PDF, attempted to retrieve a stage-2 payload from hardcoded download-themed infrastructure, saved it under %AppData%\Roaming\2A5S2FQJSU9B, and established persistence by writing startapp.bat into the user Startup folder to launch the payload with a /startup argument at logon. This persistence supported deployment of the XDigo implant for ongoing data exfiltration.

XDigo performs host reconnaissance and data theft. Reported capabilities include collecting host and user information, directory listings, clipboard contents, screenshots, and files of interest, especially document/archive formats such as .doc, .pdf, .xls, .ppt, .zip, .rar, .7z, .odt, .ods, and .rtf. It can also execute commands or binaries retrieved from its command-and-control server. Collected data is staged into AES-256-GCM-encrypted ZIP archives prior to exfiltration.

For command and control, XDigo communicates over HTTPS and has been observed using URLs such as hxxps://quan-miami[.]com/wevjhnyh/, with a z query parameter derived from the hard drive serial number. Tasking is protected with RSA-OAEP-encrypted commands and RSA-PSS signatures, and samples embed RSA keys for decryption and signature verification. Multiple XDigo-related C2 domains were reported across versions and timeframes, including melodicprogress[.]com, pechalnoyebudushcheye[.]com, quan-miami[.]com, and sogrevayushchiynapitok[.]com. A reported XDigo sample was vwjqrvdy.exe (Go 1.20), SHA-256 0d983f5fb403b500ec48f13a951548d5a10572fde207cf3f976b9daefb660f7e. The associated ETDownloader sideloaded DLL d3d9.dll was reported with SHA-256 792c5a2628ec1be86e38b0a73a44c1a9247572453555e7996bb9d0a58e37b62b, and the legitimate sideloading host DeviceMetadataWizard.exe with SHA-256 1793dae4d05cc7be9575f14ae7a73ffe3b8279a811c0db40f56f0e2c1ee8dd61.