Wednesday, September 27, 2023

Cyber spies XDSpy attack Russian organizations under the guise of fighting the “fifth column”



Alexander Antipov

FACCT experts have discovered a new wave of phishing emails containing malware.


Experts from the FACCT cybersecurity center have identified a new campaign by the XDSpy cyber-espionage group, which is aimed at Russian organizations in various industries, including one of the leading research institutes. In phishing emails, recipients are asked to look at a list of company employees who “may sympathize with groups that destabilize the internal situation in Russia.” The senders of the letter threaten to take legal action against the employees if there is no response.


When the victim opened the Spisok_rabotnikov.pdf file, which allegedly contained the list of suspicious employees, malware was installed on the computer; it steals confidential data and documents and sends them to the cybercriminals’ servers. XDSpy has used similar methods before: in mid-March it attacked structures of the Russian Ministry of Foreign Affairs, and in October 2022 it attacked Russian organizations by sending fake subpoenas on behalf of the Ministry of Defense.

The XDSpy group, which attacks organizations in Russia and Belarus, was first discovered by the Belarusian CERT in February 2020. However, experts believe that the group has been active since at least 2011. Despite XDSpy's long history, international experts have not been able to determine unequivocally which country's interests it serves. The majority of the group’s targets are located in Russia and include government, military, financial, energy, research and mining institutions and companies.






Source link

www.securitylab.ru
