Cybersecurity researchers at French firm HarfangLab have uncovered a sophisticated malware strain, dubbed 'XDigo', developed in the Go programming language. The malware was deployed in targeted attacks against government entities in Eastern Europe during March 2025.
The attack leveraged Windows shortcut (LNK) files in a multi-stage infection chain to deliver the XDigo payload. The LNK files exploited a Windows weakness tracked as ZDI-CAN-25373, which Trend Micro disclosed earlier this year. The flaw lets an attacker pad a shortcut's command-line arguments with whitespace so that the real command is hidden both from the Windows user interface (the shortcut's Properties dialog shows an apparently empty target) and from third-party LNK parsers; a user who opens the shortcut therefore sees no indication of what it is about to run.
The threat actor behind XDigo is believed to be associated with the long-running XDSpy espionage group, known for targeting governments across Eastern Europe and the Balkans since 2011. XDSpy's tooling has evolved over the years; recent campaigns against targets in Russia and Moldova used comparable downloaders such as UTask and XDDown.
HarfangLab's analysis covered nine unique LNK samples exploiting a parsing-confusion flaw that stems from Windows not fully adhering to Microsoft's own shortcut specification (MS-SHLLINK v8.0). Because Windows still parses and runs shortcuts that a strict, spec-following parser would reject as malformed, attackers can hide commands in LNK files that look invalid under the formal specification, and analysis tools that validate against the spec may never reach the hidden command.
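To make the two points above concrete, the following is an added example (not HarfangLab's tooling, and not derived from the XDigo samples): a minimal MS-SHLLINK parser that walks the header, skips LinkTargetIDList and LinkInfo, extracts COMMAND_LINE_ARGUMENTS, and flags the whitespace padding that ZDI-CAN-25373 relies on. It deliberately records spec deviations and keeps parsing rather than rejecting the file, since a parser that bails out at the first malformed field will never see the command. The `build_lnk` fixture, the `analyze`/`parse_lnk` names, the `pad_threshold` cut-off and the sample shortcut bytes are all constructed for this example.

```python
"""Minimal MS-SHLLINK (.lnk) parser for triaging shortcuts whose command line
has been hidden by whitespace padding (the ZDI-CAN-25373 technique).
Added example; the .lnk bytes produced below are constructed, not XDigo samples."""
import struct

# LinkCLSID 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits (MS-SHLLINK 2.1.1) that govern which optional structures follow.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
# Whitespace used to pad COMMAND_LINE_ARGUMENTS so the Properties dialog shows
# an empty-looking field. Tab/LF/VT/FF/CR rarely, if ever, belong in a genuine
# shortcut command line, so any occurrence is worth a look.
PAD = "\x20\x09\x0a\x0b\x0c\x0d"
# StringData structures appear in this fixed order when their flag is set.
STRING_DATA = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
               ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
               ("icon_location", HAS_ICON_LOCATION))


def parse_lnk(data):
    """Walk header -> LinkTargetIDList -> LinkInfo -> StringData in spec order.
    Returns (strings, deviations). Spec deviations are recorded and parsing
    continues, instead of rejecting the file outright."""
    deviations = []
    if len(data) < 0x4C:
        raise ValueError("shorter than a ShellLinkHeader")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C:
        deviations.append("HeaderSize %#x != 0x4C" % header_size)
    if clsid != LNK_CLSID:
        deviations.append("LinkCLSID is not the shell link CLSID")
    _hotkey, res1, res2, res3 = struct.unpack_from("<HHII", data, 64)
    if res1 or res2 or res3:
        deviations.append("reserved header fields are non-zero")
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:
        (idlist_size,) = struct.unpack_from("<H", data, off)  # IDListSize
        off += 2 + idlist_size
    if flags & HAS_LINK_INFO:
        (linkinfo_size,) = struct.unpack_from("<I", data, off)  # LinkInfoSize
        off += linkinfo_size
    width = 2 if flags & IS_UNICODE else 1  # UTF-16LE or ANSI code units
    strings = {}
    for name, bit in STRING_DATA:
        if not flags & bit:
            continue
        (count,) = struct.unpack_from("<H", data, off)  # CountCharacters
        off += 2
        raw = data[off:off + count * width]
        if len(raw) != count * width:
            deviations.append("%s: CountCharacters runs past end of file" % name)
        off += count * width
        strings[name] = raw.decode("utf-16-le" if width == 2 else "cp1252",
                                   errors="replace")
    return strings, deviations


def analyze(data, pad_threshold=64):
    """Extract the real command line and flag padding. pad_threshold is an
    assumed triage cut-off for this example, not a value from any advisory."""
    strings, deviations = parse_lnk(data)
    args = strings.get("arguments", "")
    leading = len(args) - len(args.lstrip(PAD))
    control = sum(1 for ch in args if ch in PAD and ch != " ")
    return {
        "arguments": args.strip(PAD),
        "leading_padding": leading,
        "control_whitespace": control,
        "spec_deviations": deviations,
        "suspicious": leading >= pad_threshold or control > 0,
    }


def build_lnk(arguments, unicode=True):
    """Construct a minimal shortcut carrying only COMMAND_LINE_ARGUMENTS
    (test fixture; real shortcuts also carry an IDList, LinkInfo, icon, etc.)."""
    flags = HAS_ARGUMENTS | (IS_UNICODE if unicode else 0)
    # HeaderSize, CLSID, LinkFlags, FileAttributes, 3 FILETIMEs, FileSize,
    # IconIndex, ShowCommand (SW_SHOWNORMAL), HotKey, Reserved1..3.
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    enc = arguments.encode("utf-16-le" if unicode else "cp1252")
    return header + struct.pack("<H", len(arguments)) + enc


if __name__ == "__main__":
    # Constructed sample: 300 padding characters in front of a harmless command.
    hidden = build_lnk("\x20\x09\x0a" * 100 + "/c echo constructed-sample")
    print(analyze(hidden))
```

Point `analyze()` at the bytes of a real shortcut to get the de-padded command, the amount of leading padding, the number of control-whitespace characters, and any header or length fields that disagree with the specification; the deviations list is what separates a merely malformed file from one that was crafted to confuse a stricter parser.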
Each malicious ZIP archive analyzed by HarfangLab contained a secondary ZIP file, which in turn held a decoy PDF, a renamed legitimate executable, and a rogue DLL that the executable side-loads. That DLL, named 'ETDownloader', is the first-stage downloader for XDigo. XDigo itself is a stealer: it collects files, clipboard contents and screenshots, and executes commands received from its operators over HTTP.
Collected data is exfiltrated in HTTP POST requests, a channel that blends with ordinary web traffic and so tends to evade detection by traditional security tools. Infrastructure and targeting overlaps suggest XDigo is an evolution of a previously identified malware sample known as UsrRunVGA.exe.
At least one confirmed victim has been identified in the Minsk region, with additional evidence pointing to attacks on Russian retail companies, financial firms, insurance providers, and government-run postal services.