ESET researchers uncovered a new APT group that has been stealing sensitive documents from several governments in Eastern Europe and the Balkans since 2011. Named XDSpy by ESET, the APT group has gone largely undetected for nine years, which is rare. The espionage group has compromised many government agencies and private companies. The findings were presented today at the VB2020 localhost conference.
“The group has attracted very little public attention so far, with the exception of an advisory from the Belarusian CERT in February 2020,” says Mathieu Faou, ESET researcher who analyzed the malware.
XDSpy operators use spear phishing emails to compromise their targets. The emails vary slightly: some carry an attachment, while others contain a link to a malicious file. In either case the first layer of the delivered file is generally a ZIP or RAR archive. At the end of June 2020, the operators stepped up their game by exploiting a vulnerability in Internet Explorer, CVE-2020-0968 (a scripting engine memory corruption flaw), which Microsoft had patched in April 2020, so the exploit worked only on hosts that had not applied that update. “The group jumped on the COVID-19 bandwagon at least twice in 2020, including an instance only a month ago, in their ongoing spear phishing campaigns,” adds Faou.
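The delivery chain described above (a lure email whose first layer is a ZIP or RAR archive) is something a mail gateway or incident responder can triage mechanically. The following is an added example, not ESET's code and not XDSpy's tooling: it parses a raw RFC 822 message, identifies ZIP and RAR attachments by their magic bytes rather than by the declared filename, and for ZIP archives lists members with executable-like extensions. The sample message, the sender and recipient addresses, and the archive contents are constructed for this demonstration; RAR member listing is left out because the standard library has no RAR reader.

```python
"""Triage e-mail attachments for archive-wrapped payloads.

Added example (not ESET's code, not the XDSpy malware): parse a raw
message, find attachments that are really ZIP or RAR archives (by magic
bytes, whatever the filename says), and flag ZIP members whose extension
suggests an executable rather than a document. The sample message is
constructed here for the demonstration.
"""
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Extensions that should not be arriving inside a "document" archive.
EXECUTABLE_EXTS = {
    ".exe", ".scr", ".lnk", ".js", ".jse", ".vbs", ".hta",
    ".cmd", ".bat", ".dll", ".pif",
}

ZIP_MAGIC = b"PK\x03\x04"
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"


def archive_type(data: bytes):
    """Return 'zip', 'rar' or None based on the leading bytes only."""
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(RAR4_MAGIC) or data.startswith(RAR5_MAGIC):
        return "rar"
    return None


def suspicious_zip_members(data: bytes):
    """List ZIP member names whose (last) extension is executable-like.

    Only the central directory is read, so this also works on
    password-protected archives whose member data cannot be extracted.
    """
    flagged = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext in EXECUTABLE_EXTS:
                flagged.append(name)
    return flagged


def triage(raw_message: bytes):
    """Return (filename, archive type, flagged members) for each archive attachment."""
    msg = message_from_bytes(raw_message, policy=default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        kind = archive_type(data)
        if kind is None:
            continue
        members = suspicious_zip_members(data) if kind == "zip" else []
        findings.append((name, kind, members))
    return findings


def build_sample_message() -> bytes:
    """Constructed sample: a COVID-themed lure with a ZIP wrapping a .lnk and a decoy."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Report_2020.pdf.lnk", b"not a real shortcut")
        zf.writestr("Readme.txt", b"decoy")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"      # hypothetical address
    msg["To"] = "recipient@example.invalid"     # hypothetical address
    msg["Subject"] = "COVID-19 measures - updated report"
    msg.set_content("Please see the attached report.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="octet-stream", filename="report.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, kind, members in triage(build_sample_message()):
        print(f"{filename}: {kind} archive, suspicious members: {members}")
```

Because the archive type is taken from the magic bytes, renaming `payload.zip` to `report.pdf` does not hide it from this check; a double extension such as `Report_2020.pdf.lnk` is caught because only the final extension is compared against the list.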
“Since we did not find any code similarities with other malware families, and we did not observe any overlap in the network infrastructure, we conclude that XDSpy is a previously undocumented group,” concludes Faou.
Targets of the XDSpy group are located in Eastern Europe and the Balkans; they are primarily government entities, including militaries and Ministries of Foreign Affairs, along with some private companies.
For more technical details about this spyware, read the white paper, “XDSpy: stealing government secrets since 2011” on WeLiveSecurity.