XDSpy Cyberspy Group Launches Phishing Campaign Targeting Russian Organizations
This week, FACCT specialists discovered a phishing campaign conducted by the XDSpy cyberspy group. The attack targeted Russian organizations, including one of the well-known research institutes. The text of the letter, signed by the Ministry of Emergency Situations, asked recipients to look at a list of company employees who “may sympathize with groups that destabilize the internal situation in Russia.”
The senders of the letter threatened that in the absence of a response, legal action would be taken against the employees.
The malware was delivered as Spisok_rabotnikov.zip, disguised as a lure document named Spisok_rabotnikov.pdf; once run, it collected data and documents from the victim’s computer. A more detailed technical analysis can be found in the FACCT blog on Habré.
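The lure relies on an attachment whose name suggests a PDF while the content is an archive. The following is an added example, not code from FACCT or the report, of a mail-gateway check that trusts magic bytes over the declared extension and inspects archive members for executables; the sample archive and its member name are constructed stand-ins, not the actual payload.

```python
import io
import zipfile

# Signatures of the two container types the lure involves.
PDF_MAGIC = b"%PDF-"
ZIP_MAGIC = b"PK\x03\x04"
# Member extensions that should never arrive inside a "document" archive.
EXECUTABLE_EXTS = {".exe", ".scr", ".lnk", ".bat", ".cmd", ".js", ".vbs", ".hta", ".dll", ".ps1"}


def sniff_type(data: bytes) -> str:
    """Identify the container by its leading bytes rather than by file name."""
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"


def declared_ext(name: str) -> str:
    """Lower-cased final extension including the dot, or '' if there is none."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def analyze_attachment(filename: str, data: bytes) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    ext = declared_ext(filename)
    kind = sniff_type(data)
    if ext == ".pdf" and kind != "pdf":
        findings.append(f"{filename}: named as PDF but content is {kind}")
    if kind == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if declared_ext(member) in EXECUTABLE_EXTS:
                        findings.append(f"{filename}: archive contains executable {member}")
        except zipfile.BadZipFile:
            findings.append(f"{filename}: ZIP signature but archive is malformed")
    return findings


def build_sample_archive() -> bytes:
    """Constructed stand-in for the lure archive (assumed member name, dummy bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Spisok_rabotnikov.exe", b"MZ-placeholder")
    return buf.getvalue()
```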
Previous Attacks by XDSpy
XDSpy has used similar techniques before: in mid-March, the group attacked structures of the Russian Foreign Ministry, and in October 2022 it targeted Russian organizations with fake subpoenas sent on behalf of the Ministry of Defense.
Who is XDSpy?
FACCT experts write that XDSpy is one of the most mysterious and little-studied cyber-espionage groups. It was first discovered by the Belarusian CERT in 2020, although it is believed that the group itself has been active since at least 2011.
The majority of XDSpy’s targets are located in Russia: government, military and financial institutions, as well as energy, research and mining companies. Although XDSpy comes to the attention of international experts with enviable regularity, it is not yet clear in whose interests the group is working.
XDSpy’s latest phishing campaign is yet another reminder of the importance of cybersecurity for organizations of all sizes. It is essential to stay vigilant and ensure that all security measures are in place to protect against any malicious activity.