{"id":5143,"date":"2020-10-09T11:00:48","date_gmt":"2020-10-09T08:00:48","guid":{"rendered":"https:\/\/blog.eset.ee\/?p=5143"},"modified":"2020-10-09T14:10:54","modified_gmt":"2020-10-09T11:10:54","slug":"xdspy-stealing-government-secrets-since-2011","status":"publish","type":"post","link":"https:\/\/blog.eset.ee\/et\/en\/2020\/10\/09\/xdspy-stealing-government-secrets-since-2011\/","title":{"rendered":"XDSpy: Stealing government secrets since 2011"},"content":{"rendered":"\n<p>Rare is the APT group that goes largely undetected for nine years, but XDSpy is just that: a previously undocumented espionage group that has been active since 2011. It has attracted very little public attention, with the exception of an&nbsp;<a href=\"https:\/\/cert.by\/?p=1458\" target=\"_blank\" rel=\"noreferrer noopener\">advisory<\/a>&nbsp;from the Belarusian CERT in February 2020. In the interim, the group has compromised many government agencies and private companies in Eastern Europe and the Balkans.<\/p>\n\n\n\n<p>This blogpost is a summary, with updated information about the compromise vectors and Indicators of Compromise, of research that we\u2019ve presented at the Virus Bulletin 2020 conference (see the&nbsp;<a href=\"https:\/\/vblocalhost.com\/uploads\/VB2020-Faou-Labelle.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">full paper<\/a>&nbsp;and the&nbsp;<a href=\"https:\/\/vblocalhost.com\/presentations\/xdspy-stealing-government-secrets-since-2011\/\" target=\"_blank\" rel=\"noreferrer noopener\">presentation<\/a>).<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Targets<\/h2>\n\n\n\n<p>Targets of the XDSpy group are located in Eastern Europe and the Balkans and are primarily government entities, including militaries and Ministries of Foreign Affairs, and private companies. 
Figure 1 shows the location of known victims according to ESET telemetry.<a  href=\"https:\/\/www.welivesecurity.com\/wp-content\/uploads\/2020\/09\/Figure-1.-Map-of-XDSpy-victims-according-to-ESET-telemetry-Belarus-Moldova-Russia-Serbia-and-Ukraine.png\" data-rel=\"lightbox-gallery-0\" data-rl_title=\"\" data-rl_caption=\"\" data-magnific_type=\"gallery\" title=\"\"><\/a><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"768\" height=\"371\" src=\"https:\/\/blog.eset.ee\/wp-content\/uploads\/2020\/10\/Figure-1.-Map-of-XDSpy-victims-according-to-ESET-telemetry-Belarus-Moldova-Russia-Serbia-and-Ukraine-768x371-1.png\" alt=\"\" class=\"wp-image-5152\" srcset=\"https:\/\/blog.eset.ee\/wp-content\/uploads\/2020\/10\/Figure-1.-Map-of-XDSpy-victims-according-to-ESET-telemetry-Belarus-Moldova-Russia-Serbia-and-Ukraine-768x371-1.png 768w, https:\/\/blog.eset.ee\/wp-content\/uploads\/2020\/10\/Figure-1.-Map-of-XDSpy-victims-according-to-ESET-telemetry-Belarus-Moldova-Russia-Serbia-and-Ukraine-768x371-1-190x92.png 190w\" sizes=\"auto, (max-width: 768px) 100vw, 768px\" \/><\/figure>\n\n\n\n<p><em>Figure 1. Map of XDSpy victims according to ESET telemetry (Belarus, Moldova, Russia, Serbia and Ukraine)<\/em><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Attribution<\/h2>\n\n\n\n<p>After careful research, we were not able to link XDSpy to any publicly known APT group:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>We did not find any code similarity with other malware families.<\/li><li>We did not observe any overlap in the network infrastructure.<\/li><li>We are not aware of another APT group targeting these specific countries and verticals.<\/li><\/ul>\n\n\n\n<p>Moreover, the group has been active for more than nine years. 
So, had such an overlap existed, we believe that it would have been noticed, and the group uncovered, a long time ago.<\/p>\n\n\n\n<p>We believe that the developers might be working in the UTC+2 or UTC+3 time zone, which is also the time zone of most of the targets. We also noticed they were only working from Monday to Friday, suggesting a professional activity.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Compromise vectors<\/h2>\n\n\n\n<p>XDSpy operators mainly seem to use spearphishing emails in order to compromise their targets. In fact, this is the only compromise vector that we have observed. However, the emails tend to vary a bit: some contain an attachment while others contain a link to a malicious file. The first layer of the malicious file or attachment is generally a ZIP or RAR archive.<\/p>\n\n\n\n<p>Figure 2 is an example of an XDSpy spearphishing email sent in February 2020.<a  href=\"https:\/\/www.welivesecurity.com\/wp-content\/uploads\/2020\/09\/Figure-2.-Spearphishing-email-sent-by-XDSpys-operators-in-February-2020.png\" data-rel=\"lightbox-gallery-0\" data-rl_title=\"\" data-rl_caption=\"\" data-magnific_type=\"gallery\" title=\"\"><\/a><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"622\" height=\"200\" src=\"https:\/\/blog.eset.ee\/wp-content\/uploads\/2020\/10\/Figure-2.-Spearphishing-email-sent-by-XDSpys-operators-in-February-2020.png\" alt=\"\" class=\"wp-image-5155\" srcset=\"https:\/\/blog.eset.ee\/wp-content\/uploads\/2020\/10\/Figure-2.-Spearphishing-email-sent-by-XDSpys-operators-in-February-2020.png 622w, https:\/\/blog.eset.ee\/wp-content\/uploads\/2020\/10\/Figure-2.-Spearphishing-email-sent-by-XDSpys-operators-in-February-2020-190x61.png 190w\" sizes=\"auto, (max-width: 622px) 100vw, 622px\" \/><\/figure>\n\n\n\n<p><em>Figure 2. 
Spearphishing email sent by XDSpy\u2019s operators in February 2020<\/em><\/p>\n\n\n\n<p>Roughly translated, the body of the email says:<\/p>\n\n\n\n<p><em>Good afternoon!<\/em><br><em>I am sending you a copy of the letter and photo materials based on the results of the work. Click on the link to download: photo materials_11.02.2020.zip<\/em><br><em>We are waiting for an answer until the end of the working day.<\/em><\/p>\n\n\n\n<p>The link points to a ZIP archive that contains an LNK file and no decoy document. When the victim double-clicks the LNK, it downloads an additional script that installs XDDown, the main malware component.<\/p>\n\n\n\n<p>After our paper was submitted to Virus Bulletin, we continued to track the group and, after a pause between March and June 2020, they came back. At the end of June 2020, the operators stepped up their game by using a vulnerability in Internet Explorer, CVE-2020-0968, which had been patched in April 2020. Instead of delivering an archive with an LNK file, the C&amp;C server delivered an RTF file that, once opened, downloaded an HTML file exploiting that vulnerability.<\/p>\n\n\n\n<p>CVE-2020-0968 is one of a set of similar vulnerabilities in the legacy JScript engine of Internet Explorer disclosed over the last two years. At the time XDSpy exploited it, no proof of concept and very little information about this specific vulnerability was available online. We think that XDSpy either bought this exploit from a broker or developed a 1-day exploit themselves, using previous exploits for inspiration.<\/p>\n\n\n\n<p>It is interesting to note that this exploit bears similarities to exploits previously used in&nbsp;<a href=\"https:\/\/blogs.jpcert.or.jp\/en\/2020\/04\/ie-firefox-0day.html\" target=\"_blank\" rel=\"noreferrer noopener\">DarkHotel campaigns<\/a>, as shown in Figure 3. 
It is also almost identical to the exploit used in&nbsp;<a href=\"https:\/\/ti.dbappsecurity.com.cn\/blog\/index.php\/2020\/09\/18\/operation-domino\/\" target=\"_blank\" rel=\"noreferrer noopener\">Operation Domino<\/a>&nbsp;in September 2020, which was uploaded to VirusTotal from Belarus.<\/p>\n\n\n\n<p>Given that we don\u2019t believe XDSpy is linked to DarkHotel and that Operation Domino looks quite different from XDSpy, it is likely that the three groups share the same exploit broker.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"768\" height=\"434\" src=\"https:\/\/blog.eset.ee\/wp-content\/uploads\/2020\/10\/Figure-3.-Parts-of-the-exploit-code-including-the-beginning-are-similar-to-that-used-in-a-DarkHotel-campaign-described-by-JPCERT-768x434-1.png\" alt=\"\" class=\"wp-image-5158\" srcset=\"https:\/\/blog.eset.ee\/wp-content\/uploads\/2020\/10\/Figure-3.-Parts-of-the-exploit-code-including-the-beginning-are-similar-to-that-used-in-a-DarkHotel-campaign-described-by-JPCERT-768x434-1.png 768w, https:\/\/blog.eset.ee\/wp-content\/uploads\/2020\/10\/Figure-3.-Parts-of-the-exploit-code-including-the-beginning-are-similar-to-that-used-in-a-DarkHotel-campaign-described-by-JPCERT-768x434-1-190x107.png 190w\" sizes=\"auto, (max-width: 768px) 100vw, 768px\" \/><\/figure>\n\n\n\n<p><a  href=\"https:\/\/www.welivesecurity.com\/wp-content\/uploads\/2020\/09\/Figure-3.-Parts-of-the-exploit-code-including-the-beginning-are-similar-to-that-used-in-a-DarkHotel-campaign-described-by-JPCERT.png\" data-rel=\"lightbox-gallery-0\" data-rl_title=\"\" data-rl_caption=\"\" data-magnific_type=\"gallery\" title=\"\"><\/a><em>Figure 3. Parts of the exploit code, including the beginning, are similar to that used in a DarkHotel campaign described by JPCERT<\/em><\/p>\n\n\n\n<p>Finally, the group jumped on the COVID-19 wagon at least twice in 2020. 
The group first used this theme in a spearphishing campaign against Belarusian institutions in February 2020, then reused it in September 2020 against Russian-speaking targets. That archive contained a malicious Windows Script File (WSF) that downloads XDDown, as shown in Figure 4, and the script opened the official rospotrebnadzor.ru website as a decoy, as shown in Figure 5.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"768\" height=\"394\" src=\"https:\/\/blog.eset.ee\/wp-content\/uploads\/2020\/10\/Figure-4.-Part-of-the-script-that-downloads-XDDown-768x394-1.png\" alt=\"\" class=\"wp-image-5161\" srcset=\"https:\/\/blog.eset.ee\/wp-content\/uploads\/2020\/10\/Figure-4.-Part-of-the-script-that-downloads-XDDown-768x394-1.png 768w, https:\/\/blog.eset.ee\/wp-content\/uploads\/2020\/10\/Figure-4.-Part-of-the-script-that-downloads-XDDown-768x394-1-190x97.png 190w\" sizes=\"auto, (max-width: 768px) 100vw, 768px\" \/><\/figure>\n\n\n\n<p><em>Figure 4. 
Part of the script that downloads XDDown<\/em><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"768\" height=\"362\" src=\"https:\/\/blog.eset.ee\/wp-content\/uploads\/2020\/10\/Figure-5.-Part-of-the-script-that-opens-the-decoy-URL-768x362-1.png\" alt=\"\" class=\"wp-image-5164\" srcset=\"https:\/\/blog.eset.ee\/wp-content\/uploads\/2020\/10\/Figure-5.-Part-of-the-script-that-opens-the-decoy-URL-768x362-1.png 768w, https:\/\/blog.eset.ee\/wp-content\/uploads\/2020\/10\/Figure-5.-Part-of-the-script-that-opens-the-decoy-URL-768x362-1-190x90.png 190w\" sizes=\"auto, (max-width: 768px) 100vw, 768px\" \/><\/figure>\n\n\n\n<p><em>Figure 5. Part of the script that opens the decoy URL<\/em><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Malware components<\/h2>\n\n\n\n<p>Figure 6 shows the malware architecture in a scenario where the compromise happens through an LNK file, as was the case in February 2020.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"768\" height=\"419\" src=\"https:\/\/blog.eset.ee\/wp-content\/uploads\/2020\/10\/Figure-6.-XDSpys-malware-architecture.-XDLoc-and-XDPass-are-dropped-in-no-particular-order.-768x419-1.png\" alt=\"\" class=\"wp-image-5167\" srcset=\"https:\/\/blog.eset.ee\/wp-content\/uploads\/2020\/10\/Figure-6.-XDSpys-malware-architecture.-XDLoc-and-XDPass-are-dropped-in-no-particular-order.-768x419-1.png 768w, https:\/\/blog.eset.ee\/wp-content\/uploads\/2020\/10\/Figure-6.-XDSpys-malware-architecture.-XDLoc-and-XDPass-are-dropped-in-no-particular-order.-768x419-1-190x104.png 190w\" sizes=\"auto, (max-width: 768px) 100vw, 768px\" \/><\/figure>\n\n\n\n<p><em>Figure 6. XDSpy\u2019s malware architecture. XDLoc and XDPass are dropped in no particular order<\/em><\/p>\n\n\n\n<p>XDDown is the main malware component and is strictly a downloader. It persists on the system using a traditional Run registry key. It downloads additional plugins from the hardcoded C&amp;C server over HTTP; the HTTP replies contain PE binaries encrypted with a hardcoded two-byte XOR key.<\/p>\n\n\n\n<p>During our research, we discovered the following plugins:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>XDRecon: Gathers basic information about the victim machine (the computer name, the current username and the Volume Serial Number of the main drive).<\/li><li>XDList: Crawls the C: drive for interesting files (.accdb,&nbsp;.doc,&nbsp;.docm,&nbsp;.docx,&nbsp;.mdb,&nbsp;.xls,&nbsp;.xlm,&nbsp;.xlsx,&nbsp;.xlsm,&nbsp;.odt,&nbsp;.ost,&nbsp;.ppt,&nbsp;.pptm,&nbsp;.ppsm,&nbsp;.pptx,&nbsp;.sldm,&nbsp;.pst,&nbsp;.msg,&nbsp;.pdf,&nbsp;.eml,&nbsp;.wab) and exfiltrates the paths of these files. It can also take screenshots.<\/li><li>XDMonitor: Similar to XDList. It also monitors removable drives and exfiltrates files with interesting extensions.<\/li><li>XDUpload: Exfiltrates a hardcoded list of files from the filesystem to the C&amp;C server, as shown in Figure 7. 
These paths were previously reported to the C&amp;C server by XDList and XDMonitor.<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"768\" height=\"417\" src=\"https:\/\/blog.eset.ee\/wp-content\/uploads\/2020\/10\/Figure-7.-Loop-uploading-a-hardcoded-list-of-files-to-the-CC-server-partially-redacted-768x417-1.png\" alt=\"\" class=\"wp-image-5170\" srcset=\"https:\/\/blog.eset.ee\/wp-content\/uploads\/2020\/10\/Figure-7.-Loop-uploading-a-hardcoded-list-of-files-to-the-CC-server-partially-redacted-768x417-1.png 768w, https:\/\/blog.eset.ee\/wp-content\/uploads\/2020\/10\/Figure-7.-Loop-uploading-a-hardcoded-list-of-files-to-the-CC-server-partially-redacted-768x417-1-190x103.png 190w\" sizes=\"auto, (max-width: 768px) 100vw, 768px\" \/><\/figure>\n\n\n\n<p><em>Figure 7. Loop uploading a hardcoded list of files to the C&amp;C server (partially redacted)<\/em><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>XDLoc: Gathers the SSIDs of nearby Wi-Fi access points, probably in order to geolocate the victim machines.<\/li><li>XDPass: Grabs saved passwords from various applications such as web browsers and email programs.<\/li><\/ul>\n\n\n\n<p>More details about the various malware components can be found in the&nbsp;<a href=\"https:\/\/vblocalhost.com\/uploads\/VB2020-Faou-Labelle.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">white paper<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p>XDSpy is a cyberespionage group that went mostly undetected for more than nine years and has been very active over the past few months. It is mostly interested in stealing documents from government entities in Eastern Europe and the Balkans. 
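The XDDown description above notes that plugins arrive as PE binaries XORed with a hardcoded two-byte key. As an added example (not ESET's code, and not anything recovered from XDSpy samples), the Python below recovers such a key from a single captured HTTP response by treating the PE header as known plaintext: the "MZ" magic at the start of the file gives both key bytes directly, and the "PE\0\0" signature at the offset stored in e_lfanew confirms the guess. Scanning candidate start offsets also covers a capture that still carries a few bytes of banner before the PE. The key 4B D2, the "DATA:" prefix and the minimal PE image are constructed for this example and are not XDSpy values.

```python
"""Recover the static two-byte XOR key of an XDDown-style plugin download.

Added example, not ESET's or XDSpy's code.  XDDown fetches plugins over HTTP
as PE files XORed with a hardcoded two-byte key.  A PE always starts with
"MZ" and carries "PE\\0\\0" at the offset stored in e_lfanew, so those bytes
serve as known plaintext: one captured response is enough to derive the key
and decrypt the plugin.  The key 4B D2, the banner prefix and the minimal PE
image below are constructed for the example; none of them is an XDSpy artefact.
"""
import struct
from typing import Optional, Tuple

MZ_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"


def xor2(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating two-byte key indexed from offset 0.

    XOR is an involution, so the same call encrypts and decrypts.
    """
    if len(key) != 2:
        raise ValueError("key must be exactly two bytes")
    return bytes(b ^ key[i & 1] for i, b in enumerate(data))


def key_from_mz(blob: bytes, offset: int) -> bytes:
    """Derive the key assuming 'MZ' is the plaintext at blob[offset:offset+2].

    The key repeats with period 2 relative to the start of the ciphertext, so
    the parity of `offset` decides which key byte each ciphertext byte used.
    """
    key = [0, 0]
    key[offset & 1] = blob[offset] ^ MZ_MAGIC[0]
    key[(offset + 1) & 1] = blob[offset + 1] ^ MZ_MAGIC[1]
    return bytes(key)


def pe_is_valid(plain: bytes, start: int) -> bool:
    """True if the DOS header at `start` has an e_lfanew pointing at 'PE\\0\\0'."""
    if start + 0x40 > len(plain):
        return False
    e_lfanew = struct.unpack_from("<I", plain, start + 0x3C)[0]
    sig_off = start + e_lfanew
    return sig_off + 4 <= len(plain) and plain[sig_off:sig_off + 4] == PE_SIGNATURE


def recover_pe(blob: bytes, max_prefix: int = 64) -> Optional[Tuple[bytes, int, bytes]]:
    """Find the XOR key and the start of the PE inside a captured response.

    Returns (key, start, decrypted_pe) or None.  Every candidate start offset
    up to `max_prefix` is tried, so a capture that still carries a few bytes
    of banner or length prefix before the PE is handled; the PE signature
    check rules out spurious 'MZ' matches.  The key is reported relative to
    the PE's own first byte (the way the downloader applies it), which means
    swapping the two bytes when the PE starts at an odd offset.
    """
    if len(blob) < 2:
        return None
    for start in range(0, min(max_prefix, len(blob) - 2) + 1):
        key = key_from_mz(blob, start)
        plain = xor2(blob, key)
        if pe_is_valid(plain, start):
            key_rel = key if start % 2 == 0 else key[::-1]
            return key_rel, start, plain[start:]
    return None


def build_fake_pe() -> bytes:
    """Constructed minimal PE-like image: DOS header with e_lfanew=0x40, then the NT signature."""
    dos = bytearray(0x40)
    dos[0:2] = MZ_MAGIC
    struct.pack_into("<I", dos, 0x3C, 0x40)
    # IMAGE_FILE_HEADER.Machine = 0x8664 (AMD64), followed by zero filler.
    return bytes(dos) + PE_SIGNATURE + b"\x64\x86" + b"\x00" * 26


EXAMPLE_KEY = b"\x4b\xd2"          # illustrative key, not XDDown's real one
BANNER = b"DATA:"                  # constructed 5-byte prefix left in the capture
CAPTURED_RESPONSE = BANNER + xor2(build_fake_pe(), EXAMPLE_KEY)


if __name__ == "__main__":
    found = recover_pe(CAPTURED_RESPONSE)
    if found is None:
        print("no XOR-encrypted PE found")
    else:
        key, start, pe = found
        print(f"key={key.hex()} pe_offset={start} size={len(pe)}")
```

Running the file prints the recovered key and the offset of the PE inside the constructed capture. In practice, feed recover_pe() the raw body of a response from one of the C&amp;C domains listed under Indicators of Compromise; because the key is static, comparing the recovered value across captures is itself a cheap way to cluster samples.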
This targeting is quite unusual and makes it an interesting group to follow.<\/p>\n\n\n\n<p>The group\u2019s technical proficiency tends to vary a bit. It has used the same basic malware architecture for nine years, but it also recently exploited a vulnerability patched by the vendor but for which no public proof-of-concept exists, a so-called 1-day exploit.<\/p>\n\n\n\n<p><em>For any inquiries, or to make sample submissions related to the subject, contact us at&nbsp;<\/em><a href=\"mailto:threatintel@eset.com\"><em>threatintel@eset.com<\/em><\/a><em>.<\/em><\/p>\n\n\n\n<p><em>Special thanks to Francis Labelle for his work on this investigation.<\/em><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Indicators of Compromise<\/h2>\n\n\n\n<p>The comprehensive list of Indicators of Compromise (IoCs) and samples can be found in our&nbsp;<a href=\"https:\/\/github.com\/eset\/malware-ioc\/tree\/master\/xdspy\/\" target=\"_blank\" rel=\"noreferrer noopener\">GitHub repository<\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Malware components<\/h3>\n\n\n\n<figure id=\"tablepress-876\" class=\"wp-block-table\"><table><thead><tr><th>SHA-1<\/th><th>ESET detection name<\/th><th>Description<\/th><\/tr><\/thead><tbody><tr><td>C125A05CC87EA45BB5D5D07D62946DAEE1160F73<\/td><td>JS\/TrojanDropper.Agent.OAZ<\/td><td>Spearphishing email (2015)<\/td><\/tr><tr><td>99729AC323FC8A812FA2C8BE9AE82DF0F9B502CA<\/td><td>LNK\/TrojanDownloader.Agent.YJ<\/td><td>Malicious LNK downloader<\/td><\/tr><tr><td>63B988D0869C6A099C7A57AAFEA612A90E30C10F<\/td><td>Win64\/Agent.VB<\/td><td>XDDown<\/td><\/tr><tr><td>BB7A10F816D6FFFECB297D0BAE3BC2C0F2F2FFC6<\/td><td>Win32\/Agent.ABQB<\/td><td>XDDown (oldest known 
sample)<\/td><\/tr><tr><td>844A3854F67F4F524992BCD90F8752404DF1DA11<\/td><td>Win64\/Spy.Agent.CC<\/td><td>XDRecon<\/td><\/tr><tr><td>B333043B47ABE49156195CC66C97B9F488E83442<\/td><td>Win64\/Spy.Agent.CC<\/td><td>XDUpload<\/td><\/tr><tr><td>83EF84052AD9E7954ECE216A1479ABA9D403C36D<\/td><td>Win64\/Spy.Agent.CC<\/td><td>XDUpload<\/td><\/tr><tr><td>88410D6EB663FBA2FD2826083A3999C3D3BD07C9<\/td><td>Win32\/Agent.ABYL<\/td><td>XDLoc<\/td><\/tr><tr><td>CFD43C7A993EC2F203B17A9E6B8B392E9A296243<\/td><td>Win32\/PSW.Agent.OJS<\/td><td>XDPass<\/td><\/tr><tr><td>3B8445AA70D01DEA553A7B198A767798F52BB68A<\/td><td>DOC\/Abnormal.V<\/td><td>Malicious RTF file that downloads the CVE-2020-0968 exploit<\/td><\/tr><tr><td>AE34BEDBD39DA813E094E974A9E181A686D66069<\/td><td>Win64\/Agent.ACG<\/td><td>XDDown<\/td><\/tr><tr><td>5FE5EE492DE157AA745F3DE7AE8AA095E0AFB994<\/td><td>VBS\/TrojanDropper.Agent.OLJ<\/td><td>Malicious script (Sep 2020)<\/td><\/tr><tr><td>B807756E9CD7D131BD42C2F681878C7855063FE2<\/td><td>Win64\/Agent.AEJ<\/td><td>XDDown (most recent as of writing)<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Filenames \/ Paths<\/h3>\n\n\n\n<p>%APPDATA%\\Temp.NET\\archset.dat<br>%APPDATA%\\Temp.NET\\hdir.dat<br>%APPDATA%\\Temp.NET\\list.dat<br>%TEMP%\\tmp%YEAR%%MONTH%%DAY%_%TICK_COUNT%.s<br>%TEMP%\\fl637136486220077590.data<br>wgl.dat<br>Windows Broker Manager.dat<br>%TEMP%\\Usermode COM Manager.dat<br>%TEMP%\\Usermode COM Manager.exe<br>%APPDATA%\\WINinit\\WINlogon.exe<br>%APPDATA%\\msprotectexp\\mswinexp.exe<br>%APPDATA%\\msvdemo\\msbrowsmc.exe<br>%APPDATA%\\Explorer\\msdmcm6.exe<br>%APPDATA%\\Explorer\\browsms.exe<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Network<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Used in 
2019-2020<\/strong><\/h4>\n\n\n\n<p>downloadsprimary[.]com<br>filedownload[.]email<br>file-download[.]org<br>minisnowhair[.]com<br>download-365[.]com<br>365downloading[.]com<br>officeupdtcentr[.]com<br>dropsklad[.]com<br>getthatupdate[.]com<br>boborux[.]com<br>easytosay[.]org<br>daftsync[.]com<br>documentsklad[.]com<br>wildboarcontest[.]com<br>nomatterwhat[.]info<br>maiwegwurst[.]com<br>migration-info[.]com<br>jerseygameengine[.]com<br>seatwowave[.]com<br>cracratutu[.]com<br>chtcc[.]net<br>ferrariframework[.]com<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Old network infrastructure<\/strong><\/h4>\n\n\n\n<p>62.213.213[.]170<br>93.63.198[.]40<br>95.215.60[.]53<br>forgeron[.]tk<br>jahre999[.]tk<br>omgtech.000space[.]com<br>podzim[.]tk<br>porfavor876[.]tk<br>replacerc.000space[.]com<br>settimana987[.]tk<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">MITRE ATT&amp;CK techniques<\/h2>\n\n\n\n<p><em>Note: This table was built using&nbsp;<\/em><a href=\"https:\/\/attack.mitre.org\/versions\/v7\/\" target=\"_blank\" rel=\"noreferrer noopener\"><em>version 7<\/em><\/a><em>&nbsp;of the MITRE ATT&amp;CK framework.<\/em><\/p>\n\n\n\n<figure id=\"tablepress-877\" class=\"wp-block-table\">\n    <table>\n        <thead>\n            <tr>\n                <th>Tactic<\/th>\n                <th>ID<\/th>\n                <th>Name<\/th>\n                <th>Description<\/th>\n            <\/tr>\n        <\/thead>\n        <tbody>\n            <tr>\n                <td>Initial Access<\/td>\n                <td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1566\/001\/\" rel=\"noreferrer noopener\" target=\"_blank\">T1566.001<\/a><\/td>\n                <td>Phishing: Spearphishing Attachment<\/td>\n                <td>XDSpy has sent spearphishing emails with a malicious attachment.<\/td>\n            <\/tr>\n            <tr>\n            \t<td>&nbsp;<\/td>\n                <td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1566\/002\/\" rel=\"noreferrer noopener\" 
target=\"_blank\">T1566.002<\/a><\/td>\n                <td>Phishing: Spearphishing Link<\/td>\n                <td>XDSpy has sent spearphishing emails with a link to a malicious archive.<\/td>\n            <\/tr>\n            <tr>\n                <td>Execution<\/td>\n                <td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1203\/\" rel=\"noreferrer noopener\" target=\"_blank\">T1203<\/a><\/td>\n                <td>Exploitation for Client Execution<\/td>\n                <td>XDSpy has exploited a vulnerability (CVE-2020-0968) in Internet Explorer (triggered by a malicious RTF file).<\/td>\n            <\/tr>\n            <tr>\n            \t<td>&nbsp;<\/td>\n                <td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1204\/001\/\" rel=\"noreferrer noopener\" target=\"_blank\">T1204.001<\/a><\/td>\n                <td>User Execution: Malicious Link<\/td>\n                <td>XDSpy has lured targets to download malicious archives containing malicious files such as LNK files.<\/td>\n            <\/tr>\n            <tr>\n            \t<td>&nbsp;<\/td>\n                <td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1204\/002\/\" rel=\"noreferrer noopener\" target=\"_blank\">T1204.002<\/a><\/td>\n                <td>User Execution: Malicious File<\/td>\n                <td>XDSpy has lured targets to execute malicious files such as LNK or RTF files.<\/td>\n            <\/tr>\n            <tr>\n                <td>Persistence<\/td>\n                <td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1547\/001\/\" rel=\"noreferrer noopener\" target=\"_blank\">T1547.001<\/a><\/td>\n                <td>Boot or Logon Autostart Execution: Registry Run Keys \/ Startup Folder<\/td>\n                <td>XDDown persists using the Run key.<\/td>\n            <\/tr>\n            <tr>\n                <td>Discovery<\/td>\n                <td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1033\/\" rel=\"noreferrer noopener\" 
target=\"_blank\">T1033<\/a><\/td>\n                <td>System Owner\/User Discovery<\/td>\n                <td>XDRecon sends the username to the C&amp;C server.<\/td>\n            <\/tr>\n            <tr>\n            \t<td>&nbsp;<\/td>\n                <td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1082\/\" rel=\"noreferrer noopener\" target=\"_blank\">T1082<\/a><\/td>\n                <td>System Information Discovery<\/td>\n                <td>XDRecon sends the computer name and the main drive Volume Serial Number to the C&amp;C server.<\/td>\n            <\/tr>\n            <tr>\n            \t<td>&nbsp;<\/td>\n                <td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1083\/\" rel=\"noreferrer noopener\" target=\"_blank\">T1083<\/a><\/td>\n                <td>File and Directory Discovery<\/td>\n                <td>XDList and XDMonitor crawl the local system and removable drives. The paths of files whose extensions match a hardcoded list are sent to the C&amp;C server.<\/td>\n            <\/tr>\n            <tr>\n                <td>Collection<\/td>\n                <td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1005\/\" rel=\"noreferrer noopener\" target=\"_blank\">T1005<\/a><\/td>\n                <td>Data from Local System<\/td>\n                <td>XDUpload exfiltrates files from the local drive. 
The paths of the files to be uploaded are hardcoded in the malware samples.<\/td>\n            <\/tr>\n            <tr>\n            \t<td>&nbsp;<\/td>\n                <td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1025\/\" rel=\"noreferrer noopener\" target=\"_blank\">T1025<\/a><\/td>\n                <td>Data from Removable Media<\/td>\n                <td>XDMonitor exfiltrates files from removable drives.<\/td>\n            <\/tr>\n            <tr>\n            \t<td>&nbsp;<\/td>\n                <td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1113\/\" rel=\"noreferrer noopener\" target=\"_blank\">T1113<\/a><\/td>\n                <td>Screen Capture<\/td>\n                <td>XDList, XDMonitor and XDUpload take screenshots and send them to the C&amp;C server.<\/td>\n            <\/tr>\n            <tr>\n            \t<td>&nbsp;<\/td>\n                <td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1119\/\" rel=\"noreferrer noopener\" target=\"_blank\">T1119<\/a><\/td>\n                <td>Automated Collection<\/td>\n                <td>\n                    XDMonitor exfiltrates files from removable drives that match specific extensions.<br>\n                    XDUpload exfiltrates local files located at one of the paths hardcoded in the malware samples.\n                <\/td>\n            <\/tr>\n            <tr>\n                <td>Command and Control<\/td>\n                <td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1071\/001\/\" rel=\"noreferrer noopener\" target=\"_blank\">T1071.001<\/a><\/td>\n                <td>Application Layer Protocol: Web Protocols<\/td>\n                <td>XDSpy uses HTTP for command and control.<\/td>\n            <\/tr>\n            <tr>\n            \t<td>&nbsp;<\/td>\n                <td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1573\/001\/\" rel=\"noreferrer noopener\" target=\"_blank\">T1573.001<\/a><\/td>\n                <td>Encrypted Channel: Symmetric 
Cryptography<\/td>\n                <td>XDDown downloads additional components encrypted with a static 2-byte XOR key.<\/td>\n            <\/tr>\n            <tr>\n                <td>Exfiltration<\/td>\n                <td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1020\/\" rel=\"noreferrer noopener\" target=\"_blank\">T1020<\/a><\/td>\n                <td>Automated Exfiltration<\/td>\n                <td>XDMonitor and XDUpload automatically exfiltrate collected files.<\/td>\n            <\/tr>\n            <tr>\n            \t<td>&nbsp;<\/td>\n                <td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1041\/\" rel=\"noreferrer noopener\" target=\"_blank\">T1041<\/a><\/td>\n                <td>Exfiltration Over C2 Channel<\/td>\n                <td>XDSpy exfiltrates stolen data over the C&amp;C channel.<\/td>\n            <\/tr>\n        <\/tbody>\n    <\/table>\n<\/figure>\n\n\n\n<p><a href=\"https:\/\/www.welivesecurity.com\/author\/mfaou\/\">Source: Welivesecurity<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Rare is the APT group that goes largely undetected for nine years, but XDSpy is just that: a previously undocumented espionage group that has been active since 2011. It has attracted very little public attention, with the exception of an&nbsp;advisory&nbsp;from the Belarusian CERT in February 2020. 
In the interim, the group has compromised many government<\/p>\n","protected":false},"author":5,"featured_media":5179,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[160],"tags":[],"class_list":["post-5143","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v26.2 (Yoast SEO v27.4) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>XDSpy: Stealing government secrets since 2011 - ESET Eesti Blogi<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.eset.ee\/et\/en\/2020\/10\/09\/xdspy-stealing-government-secrets-since-2011\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"XDSpy: Stealing government secrets since 2011\" \/>\n<meta property=\"og:description\" content=\"Rare is the APT group that goes largely undetected for nine years, but XDSpy is just that; a previously undocumented espionage group that has been active since 2011. It has attracted very little public attention, with the exception of an&nbsp;advisory&nbsp;from the Belarusian CERT in February 2020. 
In the interim, the group has compromised many government\" \/>\n<!-- \/ Yoast SEO Premium plugin. -->"}