ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Home > List all groups > XDSpy

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: XDSpy

NamesXDSpy (ESET)
MotivationInformation theft and espionage
First seen2011
Description(ESET) Rare is the APT group that goes largely undetected for nine years, but XDSpy is just that; a previously undocumented espionage group that has been active since 2011. It has attracted very little public attention, with the exception of an advisory from the Belarusian CERT in February 2020. In the interim, the group compromised many government agencies and private companies in Eastern Europe and the Balkans.

In this paper, we present our analysis of this nine-year-long espionage campaign, active since 2011, but which apparently went dark in February 2020.

With its primary purpose seemingly being cyber espionage, this group stole documents and other sensitive files, such as victims’ mailboxes. These outcomes were achieved through the use of the XDSpy malware ecosystem, composed of at least seven components: XDDown, XDRecon, XDList, XDMonitor, XDUpload, XDLoc and XDPass. As our research has not uncovered links with any previously known APT groups, we have attributed this malware toolset to a previously unknown group.
ObservedSectors: Government.
Countries: Belarus, Moldova, Russia, Serbia, Ukraine.
Tools usedChromePass, IE PassView, MailPassView, Network Password Recovery, OperaPassView, PasswordFox, Protected Storage PassView, XDDown, XDList, XDLoc, XDMonitor, XDPass, XDRecon, XDUpload.

Last change to this card: 16 January 2024

Download this actor card in PDF or JSON format

Previous: Worok
Next: xHunt

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]