ESET researchers discover XDSpy, an APT group stealing government secrets in Europe since 2011

The previously undocumented group leverages COVID-19-themed spear phishing

BRATISLAVA, MONTREAL – ESET researchers uncovered a new APT group that has been stealing sensitive documents from several governments in Eastern Europe and the Balkans since 2011. Named XDSpy by ESET, the APT group has gone largely undetected for nine years, which is rare. The espionage group has compromised many government agencies and private companies. The findings were presented today at the VB2020 localhost conference.

“The group has attracted very little public attention so far, with the exception of an advisory from the Belarusian CERT in February 2020,” says Mathieu Faou, ESET researcher who analyzed the malware.

XDSpy operators use spear phishing emails in order to compromise their targets. The emails display a slight variance, as some contain an attachment, while others contain a link to a malicious file. The first layer of the malicious file or attachment is generally a ZIP or RAR archive. At the end of June 2020, the operators stepped up their game by using a vulnerability in Internet Explorer, CVE-2020-0968, which had been patched in April 2020. “The group jumped on the COVID-19 bandwagon at least twice in 2020, including an instance only a month ago, in their ongoing spear phishing campaigns,” adds Faou.

“Since we did not find any code similarities with other malware families, and we did not observe any overlap in the network infrastructure, we conclude that XDSpy is a previously undocumented group,” concludes Faou.

Targets of the XDSpy group are located in Eastern Europe and the Balkans; they are primarily government entities, including militaries and Ministries of Foreign Affairs, as well as private companies.

Location of known XDSpy group victims according to ESET telemetry


For more technical details about this spyware, read the blog post, “XDSpy: stealing government secrets since 2011” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.

About ESET
For more than 30 years, ESET® has been developing industry-leading IT security software and services to protect businesses, critical infrastructure and consumers worldwide from increasingly sophisticated digital threats. From endpoint and mobile security to endpoint detection and response, as well as encryption and multifactor authentication, ESET’s high-performing, easy-to-use solutions unobtrusively protect and monitor 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company that enables the safe use of technology. This is backed by ESET’s R&D centers worldwide, working in support of our shared future. For more information, visit www.eset.com or follow us on LinkedIn, Facebook, and Twitter.