Russia, Moldova targeted by obscure hacking group in new cyberespionage campaign

A cyberespionage group known as XDSpy recently targeted victims in Russia and Moldova with a new malware variant, researchers have found.

In a campaign earlier this month, the suspected nation state-linked group sent phishing emails to targets in Russia, including a tech company that develops software for cash registers, as well as to an unidentified organization in Transnistria, the Russian-controlled breakaway region in Moldova.

The malicious emails, discovered by Russian cybersecurity firm F.A.C.C.T., contained a link to an archive with a legitimate executable file, which allowed attackers to run malicious code without raising suspicion.

During these attacks, the hackers used a previously unknown tool, which the researchers called XDSpy.DSDownloader. F.A.C.C.T. didn’t disclose whether the hackers managed to penetrate the victims’ systems and steal data.

XDSpy is believed to be a state-controlled threat actor, active since 2011, that primarily attacks countries in Eastern Europe and the Balkans. Despite the group’s long history, researchers have been unable to identify the country backing it.

Most of XDSpy’s targets are related to the military, finance, energy, research and mining industries in Russia, according to F.A.C.C.T.

Earlier in December, the group targeted a Russian metallurgical enterprise and a research institute involved in the development and production of guided missile weapons. In an attack last July, the hackers sent phishing letters with malicious PDF attachments to an unnamed but “well-known” research institute.

XDSpy doesn’t operate a particularly sophisticated toolkit, but “they have very decent operational security,” researchers at cybersecurity firm ESET told Recorded Future News in a previous interview.

“They are putting quite a lot of effort into the obfuscation of their implants in order to try to evade security solutions. As such, it is likely they have a decent percentage of success, even if we have been able to track their operations in the long run,” ESET said.


Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.

 
