New Wave of Cyber Espionage Hits Eastern Europe with XDigo Malware and LNK Vulnerability
A sophisticated cyber espionage campaign featuring the new XDigo malware is actively targeting government agencies and high-value organizations across Eastern Europe. The attacks leverage a critical vulnerability in Windows LNK files to gain initial access, marking a significant escalation in the region's cyber threat landscape.
First observed in March 2025, the campaign has been attributed to the long-standing cyber espionage group XDSpy, also known as Silent Werewolf. This group, active since at least 2011, has a history of targeting entities in Eastern Europe and the Balkans. The recent attacks have been confirmed in Belarus, Moldova, and Russia, with targets including government agencies, financial institutions, retail companies, and postal services.
At the heart of this new wave of attacks is the XDigo malware, a Go-based stealer designed to harvest sensitive information. XDigo is capable of extracting files, capturing clipboard content and screenshots, and executing commands delivered from a remote server. The malware is considered an evolution of a previous tool known as "UsrRunVGA.exe," which was detailed by security researchers in 2023.
The primary vector for delivering XDigo is a vulnerability, identified as ZDI-CAN-25373, in how Microsoft Windows processes LNK (shortcut) files. Attackers craft malicious LNK files, often embedded within ZIP archives, that appear benign to unsuspecting users. These files exploit a flaw that allows malicious commands to be hidden from both the Windows user interface and third-party parsing tools, enabling remote code execution when the shortcut is opened.
The vulnerability stems from a discrepancy between how Windows actually handles the command-line arguments stored in a LNK file and what its own official specification describes. This allows threat actors to pad the arguments field with whitespace and other non-printing characters so that the malicious command is pushed out of view, effectively concealing the payload from anyone inspecting the shortcut's properties. The use of this LNK vulnerability is not exclusive to the XDigo campaign; at least 11 state-sponsored advanced persistent threat (APT) groups from North Korea, Russia, China, and Iran have been observed exploiting it for espionage and data theft.
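As an added illustration for defenders (not code from the report or from the researchers who analysed XDigo), the following Python walks the ShellLinkHeader and StringData section of a shortcut file, extracts the COMMAND_LINE_ARGUMENTS string, and flags shortcuts whose arguments begin with a long run of whitespace, the padding pattern described above. The 32-character threshold and the `build_fixture` helper, which constructs a minimal shortcut purely as parser test input, are assumptions of this example.

```python
import struct

HEADER_SIZE = 0x4C                      # ShellLinkHeader is always 76 bytes
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits needed to walk from the header to COMMAND_LINE_ARGUMENTS
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS, IS_UNICODE = 0x08, 0x10, 0x20, 0x80
WHITESPACE = " \t\r\n\x0b\x0c"

def extract_arguments(lnk: bytes):
    """Return the COMMAND_LINE_ARGUMENTS string of a .lnk, or None if absent."""
    if len(lnk) < HEADER_SIZE or struct.unpack_from("<I", lnk, 0)[0] != HEADER_SIZE:
        raise ValueError("not a ShellLink header")
    flags = struct.unpack_from("<I", lnk, 20)[0]  # LinkFlags follows size + CLSID
    pos = HEADER_SIZE
    if flags & HAS_ID_LIST:                       # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", lnk, pos)[0]
    if flags & HAS_LINK_INFO:                     # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", lnk, pos)[0]
    width, enc = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    # StringData entries follow in this fixed order; each is CountCharacters + chars.
    for flag in (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS):
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", lnk, pos)[0]
        raw = lnk[pos + 2:pos + 2 + count * width]
        pos += 2 + count * width
        if flag == HAS_ARGUMENTS:
            return raw.decode(enc)
    return None

def padding_suspicion(args: str, threshold: int = 32):
    """True when leading whitespace padding would push the real command out of view."""
    lead = len(args) - len(args.lstrip(WHITESPACE))
    return lead >= threshold, lead

def build_fixture(args: str) -> bytes:
    """Constructed minimal shortcut (header + arguments only): a parser test input, not a real sample."""
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID,
                         HAS_ARGUMENTS | IS_UNICODE, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    return header + struct.pack("<H", len(args)) + args.encode("utf-16-le")

if __name__ == "__main__":
    for sample in (build_fixture("/c notepad.exe"), build_fixture(" " * 200 + "/c echo padded")):
        flagged, lead = padding_suspicion(extract_arguments(sample))
        print(f"leading padding={lead:<4} suspicious={flagged}")
```

Real shortcuts usually also carry a LinkTargetIDList and LinkInfo block; the parser skips both by their embedded size fields, so it can be pointed at files collected from a mail gateway or archive scanner.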
The attack chain typically involves multiple stages. A malicious ZIP archive containing the LNK file alongside a decoy document (such as a PDF), a legitimate executable, and a rogue DLL file is delivered to the target. When the LNK file is opened, it launches the legitimate executable, which sideloads the rogue DLL; that DLL acts as a first-stage downloader called ETDownloader, which then retrieves the final XDigo payload.
The XDSpy group has demonstrated a deep understanding of its targets' environments: its malware is reportedly the first observed attempting to evade detection by a specific Russian cybersecurity company's sandbox solution. This highlights the customized and targeted nature of the group's operations.
To mitigate the risk of these attacks, organizations are advised to exercise caution when handling unsolicited ZIP files and to ensure their antivirus and endpoint protection solutions are up to date. Disabling the automatic execution of LNK files and providing user training on identifying phishing attempts are also crucial preventative measures. While Microsoft has been notified of the LNK vulnerability, a patch has not yet been issued, though the company has stated that opening LNK files from the internet triggers a security warning. The ongoing exploitation of this flaw by numerous state-sponsored actors underscores the significant risk it poses to governments and organizations worldwide.