Security researchers have uncovered a sophisticated cyber-espionage campaign attributed to the elusive XDSpy threat actor, exploiting a previously unreported zero-day vulnerability in Microsoft Windows LNK file parsing to compromise government entities in Eastern Europe and Russia.
Windows LNK Flaw Facilitates Multi-Stage Attack
The attack hinges on a subtle but powerful flaw within Windows shortcut (LNK) file parsing, referenced as ZDI-CAN-25373.
This vulnerability enables attackers to craft malicious LNK files that conceal executed commands, specifically the command-line arguments, from the Windows Explorer UI, thereby deceiving users and security scanners alike.
Specifically, by padding command-line arguments with a large run of whitespace characters (which include STX, TAB and SPACE, as well as invisible characters such as LF, CR, or FS/GS/RS/US), attackers can obscure commands when the LNK file's properties are examined, because the UI fails to display the full command or shows only whitespace.
Further complicating detection, Microsoft’s LNK parsing implementation deviates from its own MS-SHLLINK specification.
While the official documentation permits string fields up to 65,535 characters, Windows itself arbitrarily limits most LNK string data to 259 characters.
This discrepancy enables specially crafted LNK files to confuse third-party parsers and execute malicious commands that are not visible in either the Windows UI or to some external analysis tools.
Infection Chain and Malware Payloads
The campaign begins with spear-phishing emails delivering ZIP archives named “dokazatelstva.zip” or “proyekt.zip.”
When extracted and opened, these archives contain malicious LNK files alongside legitimate, signed Microsoft executables and malicious DLLs, leveraging DLL sideloading to bypass security controls.

The LNK file executes a complex one-liner shell command that:
ETDownloader establishes persistence and attempts to download and decrypt the second-stage payload, a Go-based implant known as "XDigo," which is associated with data exfiltration and command execution.
XDigo scans user home directories for specific file types, captures screenshots and clipboard data, and exfiltrates encrypted ZIP archives to attacker-controlled infrastructure using AES-256-GCM for file encryption before transmission.
Infrastructure and Attribution
XDSpy’s infrastructure is diverse, with a clear separation between initial distribution servers and command-and-control (C2) domains.
The distribution servers, such as PDF Bazaar [.]com, file-bazar[.]com, and vashazagruzka365[.]com, are disguised as legitimate file-sharing sites, while C2 domains employ random or thematic English words.
Recent activity includes redirection to large binary model files on platforms like HuggingFace, further obfuscating the operation.
Researchers attribute the campaign to XDSpy with high confidence, based on consistent tactics, infrastructure overlaps, and unique targeting of government and financial entities in Eastern Europe and Belarus.
This approach mirrors previous campaigns, in which XDSpy abused Windows utilities, such as forfiles.exe, and deployed obfuscated .NET payloads.
The exploitation of the LNK parsing zero-day demonstrates both the technical sophistication and operational security of XDSpy, enabling them to remain undetected for over a decade.
This campaign highlights the ongoing risk posed by such persistent threat actors. It underscores the need for vigilance and proactive defense mechanisms, particularly when handling email attachments and unfamiliar LNK files.
Security teams are urged to deploy YARA rules and monitor for suspicious activity related to the listed IOCs and infrastructure.
Indicators of compromise (IOCs)
Hashes (SHA-256)
a28ee84bfbad9107ad39802e25c24ae0eaa00a870eca09039076a0360dcbd869|XDSpy ZIP archive, dokazatelstva.zip
4f1d5081adf8ceed3c3daaaa3804e5a4ac2e964ec90590e716bc8b34953083e8|XDSpy ZIP archive, dokazatelstva.zip
59b907430dde62fc7a0d1c33c38081b7dcf43777815d1abcf07e0c77f76f5894|XDSpy ZIP archive, proyekt.zip
ccf56b6b727da47c89f7a1a47cc04ab3a41d225c1298a74f16c939a5622b03f2|XDSpy ZIP archive, dokazatelstva.zip
b03d9dd170cd82890ee1a5503529b81ce8064893e31a88b87081a8c72610d810|XDSpy ZIP archive, dokazatelstva.zip
e14fdb6c0b5b64e1ca318b7ad3ac9a4fd6dec60ef03089b87199306eba6e0ca6|XDSpy ZIP archive, do