Cybersecurity experts have recently identified a new type of malware known as XDigo, specifically targeting government agencies in Eastern Europe. This Go-based malware was discovered to be part of sophisticated attack campaigns observed in March 2025, according to a report from French cybersecurity firm HarfangLab.
These attacks utilize a method involving Windows shortcut (LNK) files to facilitate a multi-stage malware deployment. HarfangLab detailed how XDigo is associated with the cyber espionage group XDSpy, which has a history of targeting Eastern European government entities and has been active since 2011. The group was first documented by the Belarusian CERT in early 2020 and is known for its persistent campaigns aimed at organizations in Russia and Moldova.
The exploitation of a remote code execution flaw in Microsoft Windows facilitated this attack. The vulnerability, catalogued as ZDI-CAN-25373, allows attackers to craft malicious LNK files that can execute harmful scripts without users’ knowledge, according to Trend Micro’s Zero Day Initiative. HarfangLab’s analysis indicated that this flaw stems from inconsistencies in how LNK files are processed by Microsoft Windows compared to established specifications.
The LNK files are crafted so that the harmful commands they run in the background are hidden from the user, which poses a significant threat to compromised hosts. The malicious files are often distributed in ZIP archives containing decoy documents and altered executables, making them particularly difficult to detect. Notably, this complex chain of attacks has also been connected to a group termed ‘Silent Werewolf’, known for targeting companies in Moldova and Russia with related malware schemes.
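A defender-side check for the LNK concealment described above, as an added example that is not code from HarfangLab's or Trend Micro's reports: it parses the shell-link StringData fields per the MS-SHLLINK layout and flags a COMMAND_LINE_ARGUMENTS field padded with a long whitespace run, the concealment form publicly described for ZDI-CAN-25373 (the padding detail and the 64-character threshold are assumptions, since the article above does not spell them out). The sample .lnk bytes are constructed inline.

```python
import re
import struct

# MS-SHLLINK layout: 0x4C-byte header, LinkFlags at offset 0x14, then optional IDList, LinkInfo, StringData.
HEADER_SIZE = 0x4C
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = [("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
                 ("arguments", 0x20), ("icon_location", 0x40)]  # fixed StringData order
WS_RUN = re.compile(r"[ \t\r\n\x0b\x0c]+")

def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields present in a .lnk file, keyed by field name."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_ID_LIST:      # IDListSize (2 bytes) followed by the IDList itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:    # LinkInfoSize (4 bytes) covers the whole LinkInfo structure
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, string has no terminator
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        fields[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
        pos += count * width
    return fields

def scan_lnk(data: bytes, threshold: int = 64) -> dict:
    """Flag an arguments field whose longest whitespace run could push the real command out of
    view in the shortcut Properties dialog (assumed padding form; threshold is an assumption)."""
    args = parse_lnk_strings(data).get("arguments", "")
    run = max((len(m) for m in WS_RUN.findall(args)), default=0)
    return {"arguments": args.strip(), "longest_ws_run": run, "suspicious": run >= threshold}

def build_lnk(arguments: str) -> bytes:
    """Constructed sample: a minimal Unicode .lnk carrying only COMMAND_LINE_ARGUMENTS."""
    header = bytearray(HEADER_SIZE)
    struct.pack_into("<I", header, 0, HEADER_SIZE)
    header[4:20] = bytes.fromhex("0114020000000000c000000000000046")  # ShellLink LinkCLSID
    struct.pack_into("<I", header, 0x14, 0x20 | IS_UNICODE)          # HasArguments | IsUnicode
    return bytes(header) + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")

# Constructed samples: a normal argument string and one hidden behind 300 whitespace characters.
SAMPLE_BENIGN = build_lnk("/c echo hello")
SAMPLE_PADDED = build_lnk("\t" * 200 + " " * 100 + "/c echo hidden")
```

Calling `scan_lnk(SAMPLE_PADDED)` reports the stripped arguments, a longest whitespace run of 300 and `suspicious: True`, while the benign sample is not flagged.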
HarfangLab’s report further reveals XDigo as a prominent data-stealing malware capable of harvesting files, extracting clipboard content, and capturing screenshots. It can also execute commands obtained from remote servers and exfiltrate data through HTTP requests. The attack pattern aligns with historically established targets of XDSpy, suggesting a prolonged focus on governmental structures and financial groups in the region, particularly in Belarus.
As cyber threats continue to evolve, detecting and mitigating such sophisticated attacks is paramount for affected organizations seeking to strengthen their cybersecurity posture.