XDSpy Cyber-Espionage Group Operated Discreetly For Nine Years

Researchers at ESET today published details about a threat actor that has been operating for at least nine years, yet its activity has attracted almost no public attention.

Going largely unnoticed for this long is rare these days, as malicious campaigns from long-standing adversaries usually overlap at some point or give researchers sufficient clues to determine that the same actor is behind them.

At the Virus Bulletin 2020 security conference today, ESET provided details about the victims and operations of a newly discovered advanced persistent threat (APT) named XDSpy, after the main malware downloader used in attacks.

ESET malware researchers Matthieu Faou and Francis Labelle say that the group has been running cyber-espionage campaigns since at least 2011.

XDSpy’s main interest is in the Eastern Europe and Balkans regions (Belarus, Moldova, Russia, Serbia, and Ukraine), targeting primarily government agencies (military, Ministries of Foreign Affairs), although private companies are also among its victims.

Before ESET’s report, the national cybersecurity incident response center (CERT) in Belarus published in February 2020 an advisory on an XDSpy spear phishing campaign spread to more than 100 targets, among them:

  • Council of the Republic
  • Council of Ministers
  • Ministry of Economics
  • Ministry of Finance
  • Ministry of Industry
  • Ministry of Information
  • State Committee for Standardization
  • Law enforcement agencies as well as individuals and legal entities

Based on the malicious code used in attacks, network infrastructure, and victimology, ESET researchers could not confidently link XDSpy activity to a known APT group. Given the long-term activity and other factors, a professional actor is likely behind XDSpy.

“We believe that the developers might be working in the UTC+2 or UTC+3 time zone, which is also the time zone of most of the targets. We also noticed they were only working from Monday to Friday, suggesting a professional activity” – ESET

Attack tools and tactics

Spear phishing appears to be the main attack vector of the group, with emails that either contain a malicious file or link to one (typically a ZIP or RAR archive).

The archive contains a LNK file that downloads a script that installs XDDown, the main component used by the group to establish persistence and download malicious plugins from the command and control server (hardcoded).
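A mail-gateway style triage check for the delivery chain described above, as an added example that is not from ESET or the original article: it flags shortcut files inside a ZIP attachment by extension and by the Shell Link header, so a renamed or nested LNK is still caught. The function names, depth limit and sample archive are constructed for illustration; RAR archives need a third-party parser and are not handled.

```python
import io
import zipfile

# Shell Link header: HeaderSize 0x4C + LinkCLSID 00021401-0000-0000-C000-000000000046
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
MAX_DEPTH = 3  # assumption: stop descending into nested archives after this


def find_shortcuts(data, depth=0, prefix=""):
    """Return [(member_path, reason)] for shortcut files inside a ZIP blob."""
    hits = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a ZIP, nothing to inspect here
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            head = b""
            if not info.flag_bits & 0x1:  # encrypted members cannot be read
                with archive.open(info) as member:
                    head = member.read(len(LNK_MAGIC))
            if head == LNK_MAGIC:  # catches shortcuts renamed to another extension
                hits.append((path, "lnk-header"))
            elif info.filename.lower().endswith(".lnk"):
                hits.append((path, "lnk-extension"))
            elif head[:4] == b"PK\x03\x04" and depth < MAX_DEPTH:
                hits += find_shortcuts(archive.read(info), depth + 1, path + "!")
    return hits


def build_sample():
    """Constructed sample: a benign ZIP with fake shortcut headers inside."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("invoice.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", "constructed test data")
        z.writestr("docs.zip", inner.getvalue())
        z.writestr("notes.doc", LNK_MAGIC + b"\x00" * 56)  # renamed shortcut
    return outer.getvalue()


if __name__ == "__main__":
    for path, reason in find_shortcuts(build_sample()):
        print(f"{reason:14} {path}")
```

Password-protected members are only matched by file name, since their content cannot be read without the password.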

ESET discovered multiple plugins used by XDSpy for reconnaissance, gathering details, and stealing files of interest based on their extension:

  • XDRecon: collects basic information about the victim machine (computer name, current username, volume serial number of the main drive)
  • XDList: takes screenshots, crawls the C: drive for interesting files (.accdb, .doc, .docm, .docx, .mdb, .xls, .xlm, .xlsx, .xlsm, .odt, .ost, .ppt, .pptm, .ppsm, .pptx, .sldm, .pst, .msg, .pdf, .eml, .wab) and exfiltrates their paths
  • XDMonitor: monitors removable drives to steal the files matching an interesting extension.
  • XDUpload: steals a hardcoded list of files from the filesystem
  • XDLoc: collects nearby SSIDs (such as Wi-Fi access points), likely for geo-location purposes
  • XDPass: steals passwords from applications such as web browsers and email programs

In more recent operations (end of June), the actor exploited a vulnerability in Internet Explorer (CVE-2020-0968, patched in April) about which little was known at the time and for which no proof-of-concept exploit code existed.

“We think that XDSpy either bought this exploit from a broker or developed a 1-day exploit themselves by looking at previous exploits for inspiration” – ESET

The exploit used in that attack, though, had similarities with other exploits used by DarkHotel APT. However, ESET believes there is no connection between the two groups and the common ground may be accounted for by the use of the same exploit broker.

ESET says that until moving to exploiting the IE vulnerability, the group relied on “the same basic malware architecture.” This switch shows technical evolution and may foretell increased activity from this actor.

On its GitHub page, ESET published a comprehensive list of indicators of compromise (IoCs) that includes hashes for known XDSpy components, details about their network infrastructure, and the activity on the infected system.
