XDSpy Group’s New Espionage Campaign Targets Western Europe

A renewed wave of cyberespionage activity has emerged in Western Europe, as the threat actor known as XDSpy has launched a coordinated campaign against a range of diplomatic and economic targets. The group, which is believed to be state-sponsored, has resurfaced with an enhanced version of its malware framework, known as XDigo. This latest operation has primarily focused on stealing sensitive political and commercial intelligence from entities located in Spain, France, Portugal, Italy, Belgium, and the Netherlands.

The XDSpy group has historically operated with a high level of operational security and stealth. This new campaign reaffirms the group’s commitment to long-term cyberespionage and highlights the evolving sophistication of its tactics, techniques, and procedures (TTPs). The targets of this campaign include European ministries, foreign affairs departments, embassies, economic trade commissions, and multinational corporations involved in infrastructure, energy, and cross-border finance.

Background: Who is XDSpy?

XDSpy is a lesser-known but highly effective APT group that had operated under the radar for nearly a decade before it was first disclosed publicly in 2020. It has since been linked to a series of stealthy espionage campaigns across Eastern Europe and the Balkans. Analysts believe the group operates on behalf of a state entity, likely within Eastern Europe or Eurasia.

Key characteristics of XDSpy include:

  • Highly targeted operations focused on intelligence-gathering
  • Use of custom malware families and proprietary tools
  • Abuse of trusted services such as cloud storage for exfiltration
  • Minimal use of off-the-shelf post-exploitation frameworks
  • Long dwell times and low operational noise

XDigo Malware: Evolution of a Stealthy Toolset

The central piece of the current campaign is the latest version of the XDigo malware framework. XDigo is a modular espionage toolkit capable of reconnaissance, data collection, exfiltration, and lateral movement. The newest variant features substantial upgrades in its obfuscation methods, communication channels, and evasive tactics.

Technical Enhancements in XDigo:

  • DLL injection into trusted, long-running processes such as explorer.exe, so the implant executes under a legitimate process name
  • Encrypted C2 traffic carried in custom HTTP headers to cloud-hosted infrastructure, blending in with ordinary HTTPS to well-known providers
  • Persistence through scheduled tasks and registry Run keys that relaunch the loader without dropping a new executable; the task and registry entries themselves still land on the host and are the artefacts to hunt for
  • Collection of documents, keystrokes, screenshots, and browser session data for exfiltration
  • Built-in checks for virtualized environments to evade sandboxes

The malware is typically delivered through phishing campaigns with geopolitical lures—many of them referencing recent EU foreign policy developments or NATO-related events. Attachment file types include malicious ZIP archives and Microsoft Office documents containing embedded macros.

Scope of the Campaign

According to recent threat intelligence, the XDSpy campaign is active across six European nations:

  • Spain: Targeting trade agencies and infrastructure development contracts
  • France: Focused on diplomatic correspondence and industrial R&D collaboration projects
  • Portugal: Breaches involving energy regulators and maritime policy institutions
  • Italy: Penetration into foreign affairs departments and aerospace contractors
  • Belgium: Espionage against EU-based international organizations
  • The Netherlands: Monitoring of cross-border trade compliance and diplomatic missions

This geographic targeting reflects an intent to map Europe's regional diplomatic posture, economic partnerships, and response planning amidst current global tensions.

Attack Vectors and Techniques

XDSpy’s attack chain emphasizes stealth, legitimacy, and persistence. The group’s operators craft phishing emails with carefully spoofed sender identities, targeting specific individuals with access to sensitive systems.

Observed TTPs:

  • Use of MS Office macros to launch XDigo payloads silently
  • Registry modifications to establish persistence without writing new binaries to disk
  • Abuse of WinRAR and PowerShell for archive extraction and payload execution
  • Deployment of legitimate-looking decoy documents to distract users post-execution
  • Exfiltration over HTTPS to commercial cloud platforms, and through compromised FTP servers

The malware is designed to evade standard antivirus and EDR signatures, using polymorphic loaders and sandbox-aware logic. Its behaviour is harder to hide: an Office process spawning an interpreter, a Run key or scheduled task pointing into a user profile directory, and a thread created in explorer.exe from a binary outside the Windows directory are all visible in process, registry and injection telemetry regardless of how the payload is packed.
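The enhancements and TTPs listed above share a property defenders can use: each leaves behavioural telemetry on the endpoint even when the payload itself is packed or polymorphic. The hunt rules below are an added example written for this article, not code from XDSpy, XDigo or the original page. They run over constructed Sysmon-style events (the field names EventID, Image, ParentImage, CommandLine, TargetObject, Details, SourceImage and TargetImage mirror Sysmon's schema; every path, registry key and command line in the sample is made up and is not an indicator of compromise).

```python
"""Hunt rules for the behaviours described above: an Office macro launching an
interpreter or archiver, Run-key and scheduled-task persistence, and remote
thread creation in explorer.exe.  Added example over constructed Sysmon-style
events; nothing here is an XDSpy/XDigo artefact."""
import re
from dataclasses import dataclass

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "winrar.exe", "7z.exe"}
INTERPRETER_RE = re.compile(
    r"\b(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32|winrar|7z)(\.exe)?\b", re.I)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.I)
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|ProgramData|Public|Downloads)\\", re.I)


@dataclass(frozen=True)
class Alert:
    rule: str
    detail: str


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_office_child(ev):
    """Sysmon EID 1: an Office application spawning a script interpreter or archiver."""
    if ev.get("EventID") != 1:
        return None
    if _base(ev.get("ParentImage", "")) in OFFICE_PARENTS and _base(ev.get("Image", "")) in INTERPRETERS:
        return Alert("office_spawns_interpreter", f"{_base(ev['ParentImage'])} -> {ev.get('CommandLine', '')}")
    return None


def rule_run_key(ev):
    """Sysmon EID 13: Run/RunOnce value whose data names an interpreter or a user-writable path."""
    if ev.get("EventID") != 13 or not RUN_KEY_RE.search(ev.get("TargetObject", "")):
        return None
    data = ev.get("Details", "")
    if USER_WRITABLE_RE.search(data) or INTERPRETER_RE.search(data):
        return Alert("run_key_persistence", f"{ev['TargetObject']} = {data}")
    return None


def rule_schtasks(ev):
    """Sysmon EID 1: schtasks /create whose action is an interpreter or lives in a user-writable path."""
    if ev.get("EventID") != 1 or _base(ev.get("Image", "")) != "schtasks.exe":
        return None
    cmd = ev.get("CommandLine", "")
    if "/create" in cmd.lower() and (USER_WRITABLE_RE.search(cmd) or INTERPRETER_RE.search(cmd)):
        return Alert("scheduled_task_persistence", cmd)
    return None


def rule_remote_thread(ev):
    """Sysmon EID 8: CreateRemoteThread into explorer.exe from outside C:\\Windows\\."""
    if ev.get("EventID") != 8 or _base(ev.get("TargetImage", "")) != "explorer.exe":
        return None
    src = ev.get("SourceImage", "")
    if not src.lower().startswith("c:\\windows\\"):
        return Alert("explorer_injection", f"{src} -> {ev['TargetImage']}")
    return None


RULES = (rule_office_child, rule_run_key, rule_schtasks, rule_remote_thread)


def hunt(events):
    """Apply every rule to every event, in event order; an event may raise several alerts."""
    return [hit for ev in events for rule in RULES if (hit := rule(ev))]


# Constructed sample telemetry (hypothetical paths and hostnames, not indicators).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": WORD, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'WINWORD.EXE /n "EU trade brief.docx"'},                      # benign open
    {"EventID": 1, "Image": PS, "ParentImage": WORD,                               # macro -> PowerShell
     "CommandLine": r"powershell.exe -w hidden -ep bypass -f C:\Users\a\AppData\Local\Temp\st.ps1"},
    {"EventID": 1, "Image": r"C:\Program Files\WinRAR\WinRAR.exe", "ParentImage": WORD,  # macro -> WinRAR
     "CommandLine": r"WinRAR.exe x C:\Users\a\AppData\Local\Temp\brief.zip"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",                 # legitimate installer
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r"C:\Program Files\Vendor\tray.exe"},
    {"EventID": 13, "Image": PS,                                                   # Run key into AppData
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"powershell.exe -w hidden -f C:\Users\a\AppData\Roaming\u.ps1"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": PS,  # task persistence
     "CommandLine": r'schtasks.exe /create /sc minute /mo 15 /tn Updater /tr "wscript.exe C:\Users\a\AppData\Local\Temp\u.vbs"'},
    {"EventID": 8, "SourceImage": r"C:\Users\a\AppData\Local\Temp\svc.exe",        # injection into explorer
     "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",                # normal OS behaviour
     "TargetImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.detail}")
```

Each rule is deliberately narrow: the explorer.exe rule ignores sources under C:\Windows\, which trades coverage of injection through signed Windows binaries for a low false-positive rate, and the Run key rule keys on where the value points rather than on who wrote it. Tune the path allowlists to the estate before deploying.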

Implications for Europe

This campaign is part of a broader trend of politically motivated cyberespionage across Europe. As geopolitical realignments continue globally, state-aligned cyber operations have intensified their interest in European foreign policy, trade routes, and defense alliances.

Key Impacts:

  • Exposure of sensitive EU diplomatic communications
  • Potential disruption of economic partnerships and cross-border initiatives
  • Strategic intelligence losses related to infrastructure planning and defense cooperation
  • Increased vulnerability of smaller EU nations with less cyber defense capability

Recommendations for Government and Enterprise Security Teams

  • Conduct targeted spear-phishing simulation and awareness training for high-risk departments
  • Disable macros by policy (at minimum, block macros in Office files that arrived from the internet) and restrict execution of scripts launched from email attachments
  • Deploy behavioral analytics and anomaly detection solutions for endpoint monitoring
  • Use DNS filtering and TLS inspection to detect encrypted C2 traffic; where inspection of traffic to major cloud providers is not feasible, fall back to connection metadata such as beacon timing and volume per destination
  • Isolate and monitor high-value targets such as foreign affairs and legal teams
  • Audit cloud usage and tighten access controls on sensitive document repositories
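Two of the points above, encrypted C2 to cloud-hosted infrastructure and TLS inspection, meet in practice at traffic that cannot be decrypted. Timing metadata still works. The script below is an added example, not part of the original article or of any XDSpy tooling: it looks for beacon-like regularity in proxy connection logs. The log format (timestamp, source IP, destination host, port, bytes sent), the hostnames and addresses, and the allowlist are all constructed for the example.

```python
"""Beacon hunting over proxy connection logs (added example, not XDSpy or
XDigo tooling).  Periodic check-ins to cloud-hosted C2 remain visible in
timing metadata even when the payload itself is encrypted."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev

MIN_CONNECTIONS = 4      # fewer samples than this say nothing about periodicity
MAX_INTERVAL_CV = 0.15   # coefficient of variation of the gaps; lower = more regular
# Hypothetical allowlist of destinations that are legitimately periodic (update checks etc.).
ALLOWLIST = {"update.example-vendor.test"}


@dataclass(frozen=True)
class Beacon:
    src: str
    dst: str
    connections: int
    mean_interval_s: float
    interval_cv: float


def parse_line(line: str):
    """Constructed format: '<ISO8601 UTC> <src ip> <dst host> <dst port> <bytes sent>'."""
    ts, src, dst, port, sent = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), src, dst, int(port), int(sent)


def find_beacons(lines, allowlist=ALLOWLIST):
    """Return (src, dst) pairs whose inter-connection gaps are nearly constant."""
    by_pair = defaultdict(list)
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, _port, _sent = parse_line(line)
        by_pair[(src, dst)].append(ts)
    hits = []
    for (src, dst), stamps in sorted(by_pair.items()):
        if dst in allowlist or len(stamps) < MIN_CONNECTIONS:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:            # every connection at the same instant: a burst, not a beacon
            continue
        cv = pstdev(gaps) / avg
        if cv <= MAX_INTERVAL_CV:
            hits.append(Beacon(src, dst, len(stamps), avg, cv))
    return hits


def _synth(src, dst, start, gaps, size):
    """Build constructed log lines: one connection at `start`, then one after each gap."""
    t, out = start, []
    for gap in [0] + list(gaps):
        t += timedelta(seconds=gap)
        out.append(f"{t.strftime('%Y-%m-%dT%H:%M:%SZ')} {src} {dst} 443 {size}")
    return out


START = datetime(2025, 6, 2, 9, 0, 0)
SAMPLE_LOG = (
    # implant checking in every ~5 minutes with a few seconds of jitter
    _synth("10.0.0.5", "files.example-cloud.test", START,
           [300, 303, 297, 301, 299, 300, 304, 296, 302, 298, 300], 1430)
    # a person browsing: irregular gaps
    + _synth("10.0.0.7", "news.example.test", START, [5, 90, 2, 600, 30, 1200, 7, 45], 812)
    # software update check every hour: periodic but expected, hence allowlisted
    + _synth("10.0.0.5", "update.example-vendor.test", START, [3600, 3600, 3600], 512)
    # too few connections to judge
    + _synth("10.0.0.9", "cdn.example.test", START, [10], 2048)
)

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit.src} -> {hit.dst}: {hit.connections} conns, "
              f"every {hit.mean_interval_s:.0f}s, cv={hit.interval_cv:.3f}")
```

The CV threshold and the minimum connection count are the two knobs: implants with heavy jitter push the CV up and need a longer observation window to surface, while hourly update checks and other legitimate periodic traffic need either the allowlist or a baseline of known-good destinations to keep alert volume manageable.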

The XDSpy group’s re-emergence and expansion into Western Europe is a reminder that the cyberespionage threat landscape is evolving rapidly. With updated malware and precise targeting, XDSpy demonstrates that even lesser-known APTs can mount impactful campaigns against major geopolitical and economic players.

For European governments and enterprises alike, this campaign serves as a warning to strengthen digital defenses, invest in proactive threat hunting, and treat cyberespionage not as a possibility—but a certainty.

For more insights and updates on cybersecurity, AI advancements, and cyberespionage, visit NorthernTribe Insider. Stay secure, NorthernTribe.
