ESET researchers discover XDSpy, an APT group stealing government secrets in Europe since 2011

Next story

The previously undocumented group leverages COVID-19-themed spear phishing


BRATISLAVA, MONTREAL – October 2, 2020 – ESET researchers uncovered a new APT group that has been stealing sensitive documents from several governments in Eastern Europe and the Balkans since 2011. Named XDSpy by ESET, the APT group has gone largely undetected for nine years, which is rare. The espionage group has compromised many government agencies and private companies. The findings were presented today at the VB2020 localhost conference.

“The group has attracted very little public attention so far, with the exception of an advisory from the Belarusian CERT in February 2020,” says Mathieu Faou, ESET researcher who analyzed the malware.

XDSpy operators use spear phishing emails in order to compromise their targets. The emails display a slight variance, as some contain an attachment, while others contain a link to a malicious file. The first layer of the malicious file or attachment is generally a ZIP or RAR archive. At the end of June 2020, the operators stepped up their game by using a vulnerability in Internet Explorer, CVE-2020-0968, which had been patched in April 2020. “The group jumped on the COVID-19 bandwagon at least twice in 2020, including an instance only a month ago, in their ongoing spear phishing campaigns,” adds Faou. 

“Since we did not find any code similarities with other malware families, and we did not observe any overlap in the network infrastructure, we conclude that XDSpy is a previously undocumented group,” concludes Faou.

Targets of the XDSpy group are located in Eastern Europe and the Balkans; they are primarily government entities, including militaries, Ministries of Foreign Affairs and private companies. 

Location of known XDSpy group victims according to ESET telemetry

For more technical details about this spyware, read the white paper, “XDSpy: stealing government secrets since 2011”on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.

About ESET
For more than 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint and mobile security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give consumers and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D centers worldwide, ESET is the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003. For more information, visit or follow us on LinkedInFacebook, and Twitter.