VERY IMPORTANT

This report examines recent activities attributed to the XDSpy threat actor, focusing on an ongoing campaign targeting Eastern European and Russian governmental entities using the XDigo malware since March 2025. The investigation stemmed from analyzing a vulnerability in LNK files, leading to the discovery of a multi-stage infection chain. The report provides analysis of the XDigo implant and its connections to previous XDSpy activities. It also details the exploitation of LNK parsing issues and infrastructure used across different campaigns. The research uncovered additional, more recent XDSpy activity employing an alternative infection chain. Targets include government entities in Eastern Europe, with a confirmed victim in Belarus.