win.xdspy

XDSpy


According to ESET Research, XDDown is a primary malware component and is strictly a downloader. It persists on the system using the traditional Run key. It downloads additional plugins from the hardcoded C&C server using the HTTP protocol. The HTTP replies contain PE binaries encrypted with a hardcoded two-byte XOR key. Plugins include a module for reconnaissance on the affected system, crawling drives, file exfiltration, SSID gathering, and grabbing saved passwords.

References
2025-06-16HarfangLabHarfangLab CTR
SadFuture: Mapping XDSpy latest evolution
XDSpy
2021-04-29ESET ResearchAndy Garth, Daniel Chromek, Matthieu Faou, Robert Lipovsky, Tony Anscombe
ESET Industry Report on Government: Targeted but not alone
Exaramel Crutch Exaramel HyperBro HyperSSL InvisiMole XDSpy
2020-10-02ESET ResearchMatthieu Faou
XDSpy: Stealing government secrets since 2011
XDSpy XDSpy
2020-10-01Github (eset)Matthieu Faou
XDSpy Indicators of Compromise
XDSpy XDSpy
2020-09-30Virus BulletinFrancis Labelle, Matthieu Faou
XDSPY: STEALING GOVERNMENT SECRETS SINCE 2011
XDSpy XDSpy
Yara Rules
[TLP:WHITE] win_xdspy_auto (20260504 | Detects win.xdspy.)
rule win_xdspy_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.xdspy."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.xdspy"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reading the sequences:
     * - $sequence_0..7 (score 200) contain no REX prefixes and are annotated
     *   as 32-bit x86 code.
     * - $sequence_8..15 (score 100) carry REX prefixes (0x40-0x4f) and are
     *   x64 code; the generator's 32-bit decoding of those eight sequences
     *   was mis-aligned (annotations belonged to neighbouring sequences), so
     *   they have been re-annotated below in 64-bit mode. Jump targets are
     *   given as the tool does: offset from the start of the sequence.
     * - `????????` are wildcarded operand bytes (addresses / displacements)
     *   that differ between builds and therefore do not contribute to the match.
     */

    strings:
        $sequence_0 = { 7416 ff35???????? 68???????? 56 }
            // n = 4, score = 200
            //   7416                 | je                  0x18
            //   ff35????????         |                     
            //   68????????           |                     
            //   56                   | push                esi

        $sequence_1 = { 50 e8???????? ffb56cd8ffff e8???????? 83c40c 85c0 }
            // n = 6, score = 200
            //   50                   | push                eax
            //   e8????????           |                     
            //   ffb56cd8ffff         | push                dword ptr [ebp - 0x2794]
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   85c0                 | test                eax, eax

        $sequence_2 = { 8d85b0510000 68???????? 50 e8???????? 56 8d85c84d0000 57 }
            // n = 7, score = 200
            //   8d85b0510000         | lea                 eax, [ebp + 0x51b0]
            //   68????????           |                     
            //   50                   | push                eax
            //   e8????????           |                     
            //   56                   | push                esi
            //   8d85c84d0000         | lea                 eax, [ebp + 0x4dc8]
            //   57                   | push                edi

        $sequence_3 = { 8bc8 83e11f 8bf0 c1fe05 c1e106 030cb5804e4100 }
            // n = 6, score = 200
            //   8bc8                 | mov                 ecx, eax
            //   83e11f               | and                 ecx, 0x1f
            //   8bf0                 | mov                 esi, eax
            //   c1fe05               | sar                 esi, 5
            //   c1e106               | shl                 ecx, 6
            //   030cb5804e4100       | add                 ecx, dword ptr [esi*4 + 0x414e80]
            // (index split into 5-bit / upper part, 64-byte slots: a table
            //  lookup keyed on eax; the table address 0x414e80 is not wildcarded,
            //  so this sequence is tied to one image base / layout)

        $sequence_4 = { 7413 ff15???????? 3db7000000 7506 57 e8???????? }
            // n = 6, score = 200
            //   7413                 | je                  0x15
            //   ff15????????         | call                dword ptr [?]
            //   3db7000000           | cmp                 eax, 0xb7
            //   7506                 | jne                 8
            //   57                   | push                edi
            //   e8????????           | call                ?
            // (eax compared with 0xb7 right after an import call; the value
            //  is a constant in the sample, its meaning is not established here)

        $sequence_5 = { c705????????97654000 8935???????? a3???????? ff15???????? a3???????? }
            // n = 5, score = 200
            //   c705????????97654000     | mov                 dword ptr [?], 0x406597
            //   8935????????         | mov                 dword ptr [?], esi
            //   a3????????           | mov                 dword ptr [?], eax
            //   ff15????????         | call                dword ptr [?]
            //   a3????????           | mov                 dword ptr [?], eax
            // (0x406597 is a non-wildcarded absolute address stored to a
            //  global, which again ties the match to one image base)

        $sequence_6 = { ffd7 ff75e4 e8???????? 6a16 ff75d8 8d45e8 50 }
            // n = 7, score = 200
            //   ffd7                 | call                edi
            //   ff75e4               | push                dword ptr [ebp - 0x1c]
            //   e8????????           | call                ?
            //   6a16                 | push                0x16
            //   ff75d8               | push                dword ptr [ebp - 0x28]
            //   8d45e8               | lea                 eax, [ebp - 0x18]
            //   50                   | push                eax

        $sequence_7 = { 55 8bec 8b4508 33c9 3b04cd58004100 }
            // n = 5, score = 200
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   33c9                 | xor                 ecx, ecx
            //   3b04cd58004100       | cmp                 eax, dword ptr [ecx*8 + 0x410058]
            // (function prologue followed by a scan of an 8-byte-stride table
            //  at the fixed address 0x410058)

        $sequence_8 = { 488d95e01c0000 488bc8 ff15???????? 498bd4 498bcd ffd0 }
            // n = 6, score = 100  (x64)
            //   488d95e01c0000       | lea                 rdx, [rbp + 0x1ce0]
            //   488bc8               | mov                 rcx, rax
            //   ff15????????         | call                qword ptr [rip + ?]
            //   498bd4               | mov                 rdx, r12
            //   498bcd               | mov                 rcx, r13
            //   ffd0                 | call                rax
            // (import call, then an indirect call through rax with r13/r12 as
            //  the first two arguments)

        $sequence_9 = { 0f1f440000 fe08 488d4001 443838 }
            // n = 4, score = 100  (x64)
            //   0f1f440000           | nop                 dword ptr [rax + rax]
            //   fe08                 | dec                 byte ptr [rax]
            //   488d4001             | lea                 rax, [rax + 1]
            //   443838               | cmp                 byte ptr [rax], r15b
            // (aligned loop head: decrement each byte in place, advance, stop
            //  when the byte equals r15b)

        $sequence_10 = { c705????????68002000 c705????????32000d00 c705????????7470646c 66c705????????6675 }
            // n = 4, score = 100  (x64)
            //   c705????????68002000     | mov                 dword ptr [rip + ?], 0x200068
            //   c705????????32000d00     | mov                 dword ptr [rip + ?], 0xd0032
            //   c705????????7470646c     | mov                 dword ptr [rip + ?], 0x6c647074
            //   66c705????????6675     | mov                 word ptr [rip + ?], 0x7566
            // (constants written to globals; as stored in memory the bytes are
            //  "h\0 \0", "2\0\r\0", "tpdl" and "uf")

        $sequence_11 = { 488d4001 3818 75f6 488d85c0060000 389dc0060000 7411 }
            // n = 6, score = 100  (x64)
            //   488d4001             | lea                 rax, [rax + 1]
            //   3818                 | cmp                 byte ptr [rax], bl
            //   75f6                 | jne                 0xfffffffe
            //   488d85c0060000       | lea                 rax, [rbp + 0x6c0]
            //   389dc0060000         | cmp                 byte ptr [rbp + 0x6c0], bl
            //   7411                 | je                  0x28
            // (byte scan for the value in bl, then a test of a stack buffer at
            //  rbp+0x6c0 against the same value)

        $sequence_12 = { 440fb706 488bcf 488b15???????? 4883c8ff 48ffc0 }
            // n = 5, score = 100  (x64)
            //   440fb706             | movzx               r8d, word ptr [rsi]
            //   488bcf               | mov                 rcx, rdi
            //   488b15????????       | mov                 rdx, qword ptr [rip + ?]
            //   4883c8ff             | or                  rax, 0xffffffffffffffff
            //   48ffc0               | inc                 rax
            // (argument setup followed by rax = -1; inc rax, i.e. a counter
            //  started at 0 in a loop idiom)

        $sequence_13 = { eb1d 488d05774a0100 ffcb 488d0c9b }
            // n = 4, score = 100  (x64)
            //   eb1d                 | jmp                 0x1f
            //   488d05774a0100       | lea                 rax, [rip + 0x14a77]
            //   ffcb                 | dec                 ebx
            //   488d0c9b             | lea                 rcx, [rbx + rbx*4]
            // (rip-relative load of a data address, then ebx*5 index arithmetic)

        $sequence_14 = { 85c1 7402 ffc2 d1c0 85c1 7402 }
            // n = 6, score = 100  (x64, no REX needed)
            //   85c1                 | test                ecx, eax
            //   7402                 | je                  6
            //   ffc2                 | inc                 edx
            //   d1c0                 | rol                 eax, 1
            //   85c1                 | test                ecx, eax
            //   7402                 | je                  0xe
            // (unrolled bit-count style loop: test a mask, conditionally bump
            //  edx, rotate the mask, repeat)

        $sequence_15 = { 2c2c 42888429b8aa1700 48ffc1 4883f90c 7ce4 488bcb 90 }
            // n = 7, score = 100  (x64)
            //   2c2c                 | sub                 al, 0x2c
            //   42888429b8aa1700     | mov                 byte ptr [rcx + r13 + 0x17aab8], al
            //   48ffc1               | inc                 rcx
            //   4883f90c             | cmp                 rcx, 0xc
            //   7ce4                 | jl                  0xfffffff7
            //   488bcb               | mov                 rcx, rbx
            //   90                   | nop
            // (12-byte loop: subtract 0x2c from each byte and store it into a
            //  buffer at r13+0x17aab8 — a simple per-byte transform)

    condition:
        // Any 7 of the 16 sequences. Because the two halves are for different
        // architectures, a 32-bit sample must match 7 of $sequence_0..7 and a
        // 64-bit sample 7 of $sequence_8..15, so a single missing sequence on
        // either side already defeats the rule. The size cap (3244032 bytes,
        // about 3.1 MiB) also excludes larger unpacked images and memory dumps.
        7 of them and filesize < 3244032
}