Cyberespionage operation XDSpy has launched phishing attacks aimed at compromising organizations in Russia and Moldova with the DSDownloader malware, according to The Hacker News.
The attackers, first identified by Belarus' Computer Emergency Response Team and later linked by ESET to infostealer campaigns against Eastern European government agencies dating back to 2011, used phishing emails spoofing agreements to deliver a RAR archive containing a malicious DLL that executes DSDownloader, according to a report from F.A.C.C.T., a Russian spinoff of Group-IB.
DSDownloader then fetches next-stage malware while opening a decoy file to evade detection, F.A.C.C.T. researchers said, noting that the payload later became unavailable. The findings follow XDSpy's attacks with the UTask dropper against Russian firms over the past 12 months, and come after Ukraine's Computer Emergency Response Team reported that the Belarusian threat operation GhostWriter, also known as UAC-0057 and UNC1151, targeted Ukrainian organizations in phishing attacks that deployed the PicassoLoader malware to deliver Cobalt Strike Beacon.