XDSpy

Description

(ESET) Rare is the APT group that goes largely undetected for nine years, but XDSpy is just that: a previously undocumented espionage group that has been active since 2011. It has attracted very little public attention, with the exception of an advisory from the Belarusian CERT in February 2020. In the interim, the group compromised many government agencies and private companies in Eastern Europe and the Balkans.

In this paper, we present our analysis of this nine-year-long espionage campaign, active since 2011, but which apparently went dark in February 2020.

With its primary purpose seemingly being cyber espionage, this group stole documents and other sensitive files, such as victims’ mailboxes. These outcomes were achieved through the use of the XDSpy malware ecosystem, composed of at least seven components: XDDown, XDRecon, XDList, XDMonitor, XDUpload, XDLoc and XDPass. As our research has not uncovered links with any previously known APT groups, we have attributed this malware toolset to a previously unknown group.

Names

Name      Name-Giver
XDSpy     ESET

Country

Motivation

  • Information theft and espionage

First Seen

2011

Observed Sectors

Observed Countries

Tools

Operations

Information

Other Information

Uuid

647ee86f-5474-437c-b2e3-825424b0fd1c

Last Card Change

2024-08-27