SadFuture: Mapping XDSpy latest evolution

June 27, 2025, 8:52 a.m.

Description

This report examines recent activity attributed to the XDSpy threat actor, focusing on an ongoing campaign that has targeted Eastern European and Russian governmental entities with the XDigo malware since March 2025. The investigation started from the analysis of an LNK file parsing vulnerability, which led to the discovery of a multi-stage infection chain. The report analyzes the XDigo implant and its links to earlier XDSpy activity, details how the LNK parsing issues are exploited, and describes the infrastructure reused across the different campaigns. The research also uncovered additional, more recent XDSpy activity that employs an alternative infection chain. Targets include government entities in Eastern Europe, with a confirmed victim in Belarus.

Date

  • Created: June 26, 2025, 9:26 p.m.
  • Published: June 26, 2025, 9:26 p.m.
  • Modified: June 27, 2025, 8:52 a.m.

Indicators

  • ffc538f2c6e91f07be067311ed143d28c5437a8af69974f751c043e2944d60b2
  • fb1df37336d79861b13d5f4ba875393c7e91b12cd73302cb414c1d084104a6a8
  • f7be89ae645831d519b7c781d69cf8e88e5762b824c9a6753eb16b25c4abef76
  • efd44bc4e0efcab72106ea065c8a89d51d499202732319b21324487e8d00eccf
  • ef34c433c818774b466ba4e6f677b1c6cf51bb9213a60fd779fd7df39011e97b
  • ef8fdec66751b6a17da45dd4d9c22cef8d3c78604e7a8bc6fc8e2b30342ff408
  • e32f04362ec4db90e024bfb57adf6e5c02f1061cd17dbf81a5bbc0b588119b25
  • e95f2982195399b5f9e453be6db02a346bb516320659a3ade2c385bcb7fc27da
  • e0ffc3442215b888c55d8dfd9d33c5cfff315a59089aeb42da4cf6869eed8f5d
  • dd279ea6c2a660ff7e70788af4a6c98524836c1b63beed756a77942c83de06fa
  • ccf56b6b727da47c89f7a1a47cc04ab3a41d225c1298a74f16c939a5622b03f2
  • c8899a6e8d3dd11c75217253f8dd78f5029c01e886880cafce0388d5fd6aa54b
  • be6a545180300554eea2ee6ece9f835a12996059d726df810fe13ba0044033cd
  • bcb5df098a79e3bc1d8bcb3b1a354b6643afdb4ca40333e0548e5ed1a9470cac
  • bbc5e80d3f068d8eff0cfa745ecba97903a83dfd9fe6f43cf05e803bbe9ce8b9
  • bc0b9075e3b8504c4e0c7097c6be8aa05f96032053ec43e502d297136aaf375e
  • b03d9dd170cd82890ee1a5503529b81ce8064893e31a88b87081a8c72610d810
  • a9b9022aedd1b9afbd7ab1f11f60f236102e1f70b340658da8cb39c072a9af61
  • a8d578d4b50ac4029db22b76563e927ab691075aacc87621795b16b388b7d48c
  • a28ee84bfbad9107ad39802e25c24ae0eaa00a870eca09039076a0360dcbd869
  • 9f17ff59172a802bc6ce8490c1ea379a5bf75af839f8b59373fba8c51e878af0
  • 83341b08425a1a247becd79e829064ddbd309636d7d62a369338ffd47af6e955
  • 7d6eb47ff307bebf87022575edd19181ad34ee5a5db1f408a25d16cd27d8aa2f
  • 7e04c69685d8612f7fc3512ad9ad1802a28428f75874b8717c0f04e939a3324d
  • 81bb1cf3a805c1375bb3251eea9f1ad132ab1266295a75cda9ffe9278588ac7f
  • 7c0597aa77031a100db0941921b60f08079bec7f710b6e736a15012db6465c39
  • 7a2af22372a4fd3ba89d36fdee38967cb77f43e14255d0b5ad80da863b146625
  • 792c5a2628ec1be86e38b0a73a44c1a9247572453555e7996bb9d0a58e37b62b
  • 77b2f2ef5bc3b7bb2d1b85491ece85b56da37685652526c6fa6e3562cd12e3b6
  • 68347b0c6494a56dd0f6492c6c56158b46bcaf44878a8741f6e63ff2946cf30f
  • 747dfd7f0ca893034136fd286c737b55edc9276b5794a02c6dd3771da0342729
  • 678f79e78847a1274238740bb8cada62f9c41cab96df8537d87d38850502d0a2
  • 666f4977abf17db6da2d05b385c5cf53f6500517226a3ac5bd0360eda9193d08
  • 564b2184a7f53d5f1680673ced354f5e956d897b7e1ea7d3f992cc38be6a9b20
  • 52a98f2b2de46bc0835a11d2ba22b874a09788596507c13ac22b9b8877a8f3c6
  • 5409eb70942a6b875d8343437bb04e368f56de1854953fa87890fc8ee8a8bc37
  • 5248b0e4af1914762cc1c436a898d12d5f74980b816155f4191dc9692402668f
  • 4f1d5081adf8ceed3c3daaaa3804e5a4ac2e964ec90590e716bc8b34953083e8
  • 49714e2a0eb4d16882654fd60304e6fa8bfcf9dbd9cd272df4e003f68c865341
  • 40e3fcfcc09fd84b2745b75e0e5e7beae866f4300ec8f36e2e9ab3197f198dcd
  • 40bc204062a1f936c246fbffbed1a6bb41107ad9e5ad25df8970e4090258e145
  • 3adeda2a154dcf017ffed634fba593f80df496eb2be4bee0940767c8631be7c1
  • 38489af1360af2cb7ba70f61e4c562fa63ce58e59576ba452db560f75ed1680a
  • 2dde92fc0936cb275be79d5864c98772d1270e4a54c01e61ebc4b856b5e048d5
  • 2414dd462e3ca05ecd37aa56dc8841f5ef9588663572e7bc36d07520af7864b1
  • 1793dae4d05cc7be9575f14ae7a73ffe3b8279a811c0db40f56f0e2c1ee8dd61
  • 155b94be1c3dca48314f6f2ee0c89c09553851ecc9ceefc436e16ebb7fca5f1a
  • 15277bfc6b784c373d535fbda9396bd16c15d990943423167602fb81b26d0f07
  • 12fd8d45a181adfd6725ea9806d72ed61b3af1e31d80fa7ddd32e1932a8dfd75
  • 0d983f5fb403b500ec48f13a951548d5a10572fde207cf3f976b9daefb660f7e
  • 0a626f1837da9043e65ccf9e23192aef36d58402a1fd56577952c7bb426f2ec5
  • 0993b0bb897402954eb9057bc84ea98e2c12ff1185a87ac3c3a15a241560bb1a
  • 07e2376d2c4318b0f9c472d01342d67e23a2e8edc182533a291336dfeaff4e60
  • 031e05d15afabef6010179d2acd09925395167fd442b64b6aa8ffd81bd5e268e
  • 056cd36bf4bc6efc119a64f2ffedd76f3dcb75daa95c22c59d91664dfcaa6fd5
  • 021d13de99e996fbf03e57b78ce67630c19d33242eee8480383d7b065edebb51
  • f3f2c3c5836ce6e3cb92aa6dfc0f133e15a7fd169a3d1049b7d82e49d1577273
  • e14fdb6c0b5b64e1ca318b7ad3ac9a4fd6dec60ef03089b87199306eba6e0ca6
  • 95060ba948948eea9bfc801731960b97d3efceb300622630afcbccfe12c21ccd
  • 5e34d754b0a938de7e512614f8fc6d7cd6c704f76b05044e07c97bd44bd5d591
  • 59b907430dde62fc7a0d1c33c38081b7dcf43777815d1abcf07e0c77f76f5894
  • 448245612a5388074e32251a0b44769170c586cc4c2ae06cd953c7a461ce34a6
  • e62c3135fd708ee420cf767fa1654d8d66ff01f5160ddadf633e3cc5eaeaa926
  • d5c0fd26ba1504bde3222202f7a257efa9cdbc6949718495a7c33cd6510fce2a
  • cfd0d56ca3d6c9ca232252570522c4b904be2807c461276979b1f8c551ccd4aa
  • 9c1acde0627da8b518b0522d6fed15cecf35b20ed8920628e9f580cfc3f450ed
  • 904db68a915b4bbd0b4b2d665bb1e2c51fa1b71b9c44ce45ccd4b4664f2bfd8e
  • 65209053f042e428b64f79ea8f570528beaa537038aa3aa50a0db6846ba8d2ec
  • 5be9aba659baa089bcd253905deaf3f084f2b8f03701e90f2a46b36781165925
  • 536cd589cd685806b4348b9efa06843a90decae9f4135d1b11d8e74c7911f37d
  • 0b705938e0063e73e03645e0c7a00f7c8d8533f1912eab5bf9ad7bc44d2cf9c3
  • protej.org.nniir.com
  • zimniyeravlecheniya.com
  • zhestovyyliker.com
  • zetta-strakhovaniye.com
  • zelenyysalat.com
  • zagruzka-pdf.com
  • zagruzkafayla.com
  • zagruzkadannykh.com
  • vash-disk.com
  • utrenneyesolntse.com
  • tvoy-disk.com
  • tvoi-fayly.com
  • temnayamashina.com
  • tantsuyushchiykarlik.com
  • slomannyymonitor.com
  • sogrevayushchiynapitok.com
  • svobodnoepredlozheniye.com
  • skachivanie-failov24.com
  • skachivanie-failov.com
  • seychaspozzhe.com
  • ru-sistema.com
  • serayagrust.com
  • ru-pochta365.com
  • reyestr-faylov.com
  • quan-miami.com
  • promenimath.com
  • portfolio-elena.com
  • pechalnoyebudushcheye.com
  • pdfsklad.com
  • pdfmagazin.com
  • pdf-sklad.com
  • pdfdepozit.com
  • pdf-reyestr.com
  • otpravkafaylov.com
  • obmen-faylami.com
  • nniir.com
  • nevynosimayapchela.com
  • moy-fayl.com
  • moy-pdf.com
  • melodicprogress.com
  • lunnayareka.com
  • magnitgroup.com
  • laultrachunk.com
  • kletchatayarubashka.com
  • krasnayastena.com
  • khoroshayamych.com
  • khitrayalisitsa.com
  • full-downloader.com
  • file-magazin.com
  • faylsklad.com
  • faylbox365.com
  • enjoyever.com
  • dwd765m.com
  • easy-download24.com
  • dversteklo.com
  • doverennyye-fayly.com
  • downloading24.com
  • coolpelear.com
  • chistyyvozdukh.com
  • cellporyad.com
  • bystryvelosiped.com
  • aoc-upravleniye.com
  • bukhgalter-x5group.com
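The indicators above are only useful once they are swept against telemetry. The following is an added example, not code from the report or its authors, showing how a practitioner would run a subset of these SHA-256 hashes and domains over a file inventory and DNS query logs. The log lines are constructed for illustration; the indicator values are copied from the list above. It handles the two details that commonly break naive sweeps: hashes emitted in upper case, and DNS names with mixed case or a trailing dot, where a query to a subdomain (e.g. protej.org.nniir.com under nniir.com) must match the parent-domain indicator without also matching lookalikes such as notnniir.com.

```python
"""IOC sweep over constructed sample telemetry (added example, not from the report)."""
import re
from dataclasses import dataclass

# Subset of the SHA-256 hashes and domains listed on this page.
IOC_SHA256 = {
    "ffc538f2c6e91f07be067311ed143d28c5437a8af69974f751c043e2944d60b2",
    "0b705938e0063e73e03645e0c7a00f7c8d8533f1912eab5bf9ad7bc44d2cf9c3",
    "5e34d754b0a938de7e512614f8fc6d7cd6c704f76b05044e07c97bd44bd5d591",
}
IOC_DOMAINS = {
    "protej.org.nniir.com",
    "nniir.com",
    "zagruzka-pdf.com",
    "pdf-sklad.com",
    "skachivanie-failov.com",
}

_SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
_DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str       # "sha256" or "domain"
    observed: str   # normalised value as seen in the log
    indicator: str  # indicator it matched


def normalise_domain(name: str) -> str:
    # DNS names are case-insensitive and logs often keep the trailing root dot.
    return name.strip().rstrip(".").lower()


def domain_matches(observed: str, indicator: str) -> bool:
    """True if observed equals the indicator or is a subdomain of it.
    The leading dot in the suffix test is what stops 'notnniir.com'
    from matching the indicator 'nniir.com'."""
    o, i = normalise_domain(observed), normalise_domain(indicator)
    return o == i or o.endswith("." + i)


def sweep(lines):
    """Return every hash or domain hit found in the given log lines."""
    hits = []
    sha_set = {h.lower() for h in IOC_SHA256}
    for n, line in enumerate(lines, 1):
        for m in _SHA256_RE.findall(line):
            if m.lower() in sha_set:
                hits.append(Hit(n, "sha256", m.lower(), m.lower()))
        for m in _DOMAIN_RE.findall(line):
            matched = [i for i in IOC_DOMAINS if domain_matches(m, i)]
            if matched:
                # Several indicators can cover one name (parent and child
                # domain); report the most specific one only.
                best = max(matched, key=len)
                hits.append(Hit(n, "domain", normalise_domain(m), best))
    return hits


# Constructed sample telemetry: a file inventory (path size sha256) and DNS logs.
SAMPLE_LOG = [
    r"C:\Users\user\Downloads\dokument.lnk 2048 "
    "FFC538F2C6E91F07BE067311ED143D28C5437A8AF69974F751C043E2944D60B2",
    r"C:\Windows\System32\notepad.exe 201216 " + "0" * 63 + "1",
    "2025-06-27T08:52:00Z client=10.0.0.5 query=Protej.org.NNIIR.com. type=A",
    "2025-06-27T08:52:01Z client=10.0.0.5 query=cdn.zagruzka-pdf.com. type=A",
    "2025-06-27T08:52:02Z client=10.0.0.7 query=update.microsoft.com. type=A",
    "2025-06-27T08:52:03Z client=10.0.0.7 query=notnniir.com. type=A",
]


def sweep_sample():
    return sweep(SAMPLE_LOG)


if __name__ == "__main__":
    for h in sweep_sample():
        print(f"line {h.line_no}: {h.kind} {h.observed} -> {h.indicator}")
```

Against the constructed input this reports three hits: the upper-case hash on line 1, the subdomain query on line 3 (attributed to protej.org.nniir.com rather than the broader nniir.com), and cdn.zagruzka-pdf.com on line 4; the lookalike notnniir.com and the benign entries produce nothing. For a real sweep, feed the full indicator list from this page into IOC_SHA256 and IOC_DOMAINS and replace SAMPLE_LOG with the EDR file inventory and resolver logs.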

Attack Patterns

Additional Information

  • Government
  • Belarus
  • Kazakhstan
  • Russian Federation