REF URL: https://otx.alienvault.com/pulse/5f7b6dec91a6842be8aa386c
Rare is the APT group that goes largely undetected for nine years, but XDSpy is just that: a previously undocumented espionage group that has been active since 2011. It has attracted very little public attention, with the exception of an advisory from the Belarusian CERT in February 2020. In the interim, the group compromised many government agencies and private companies in Eastern Europe and the Balkans.
References:
https://www.welivesecurity.com/2020/10/02/xdspy-stealing-government-secrets-since-2011/
https://vblocalhost.com/uploads/VB2020-Faou-Labelle.pdf
https://github.com/eset/malware-ioc/tree/master/xdspy/
Adversary: XDSpy Group
Malware Families: XDDown, XDRecon, XDList, XDMonitor, XDUpload, XDLoc, XDPass, XDSpy, Win64/Spy.Agent
Att&ck IDs: T1005 – Data from Local System, T1020 – Automated Exfiltration, T1025 – Data from Removable Media, T1033 – System Owner/User Discovery, T1041 – Exfiltration Over C2 Channel, T1071 – Application Layer Protocol, T1082 – System Information Discovery, T1083 – File and Directory Discovery, T1113 – Screen Capture, T1119 – Automated Collection, T1203 – Exploitation for Client Execution, T1204 – User Execution, T1547 – Boot or Logon Autostart Execution, T1566 – Phishing, T1573 – Encrypted Channel