XDigo

XDigo is a powerful, Go-based stealer malware crafted by the XDSpy group. First discovered in early 2025, it’s specifically designed to silently infiltrate Eastern European systems—particularly government and corporate networks—and extract a wide range of sensitive data.

---

Threat Overview

Attribute	Details
Threat type	Stealer malware (cyber-espionage tool)
Detection names	Avast (Win64:Malware-gen), ESET-NOD32 (WinGo/Agent.AHZ), Kaspersky (Trojan.Win64.xDigo.a), Microsoft (Trojan:Win32/Yomal!rfn), Combo Cleaner (Gen:Variant.Kryptik.211)
Symptoms of infection	Completely stealthy; no visible impact on performance or file corruption
Damage	Harvests documents, screenshots, clipboard data; enables identity theft, account compromise, financial loss
Distribution methods	Hidden in ZIP archives via malicious Windows shortcut (.LNK) leveraging a zero-day flaw (ZDI-CAN-25373) to deploy ETDownloader, which installs XDigo
Danger level	High – tailored for espionage and targeted theft
Removal tool	SpyHunter – Download SpyHunter

---

In-Depth Threat Analysis

How I Got Infected

Attackers embed malicious Windows shortcut files within ZIP attachments. These exploit a zero-day flaw in Windows LNK parsing (ZDI-CAN-25373), enabling users to activate a hidden downloader when they open the shortcut. That downloader, ETDownloader, then installs XDigo on the system.

What Does XDigo Do?

• File Harvesting: Screens systems for documents (.doc/.pdf/.xls/.zip), archive files, and plaintext files on desktops.
• Data Capture: Takes screenshots, and copies clipboard contents.
• Command & Control: Executes remote commands and downloads additional payloads based on attacker instructions.
• Secure Exfiltration: Bundles collected data into uncompressed ZIP files, encrypts them, and sends them via HTTP POST.
• Evasion Techniques: Evades sandboxes, uses legitimate Windows utilities, and performs anti-analysis checks for stealth.

Additionally, XDigo offers attacker flexibility—allowing them to adjust attack servers, delete files, and expand the types of files to harvest.

Should You Be Worried?

Yes. XDigo is not a nuisance adware—it’s a sophisticated espionage tool used in real-world attacks against government agencies and corporations. Victims face potential leaks of confidential documents, personal data, and system control.

---

Detailed Table: Threat Overview

Category	Details
Threat type	Advanced stealer designed for cyber espionage
Detection names	Multiple AV detections indicate wide recognition: Avast, Kaspersky, Microsoft, ESET, Combo Cleaner
Infection method	Hidden .LNK shortcuts in ZIPs, leveraging LNK parsing flaw to launch ETDownloader and install XDigo
Symptoms	System remains performant; infection silent, no file encryption or data ransom demands
Data targeted	Office documents, archives, .txt files, screenshots, clipboard content
Attacker functions	Remote command execution, file deletion, harvest extension modification, server changes
Evasion tactics	Anti-analysis checks, sandbox bypassing, legitimate utility usage, encrypted data transfer
Damage potential	Data theft, identity compromise, unauthorized remote operations, financial loss
Danger level	High (espionage-grade, targeted)
Removal tool	SpyHunter – Download SpyHunter

Manual Removal of Info-Stealers (For experienced users)

Step 1: Boot into Safe Mode with Networking

Info-stealers often run in the background, making removal difficult. Restarting in Safe Mode with Networking ensures they don’t load at startup.

For Windows 10/11

1. Press Win + R, type msconfig, and hit Enter.
2. In the System Configuration window, go to the Boot tab.
3. Check Safe boot → Network.
4. Click Apply > OK > Restart.

For Windows 7/8

1. Restart your PC and press F8 before Windows loads.
2. Select Safe Mode with Networking and press Enter.

---

Step 2: Stop Malicious Processes in Task Manager

1. Press Ctrl + Shift + Esc to open Task Manager.
2. Look for unusual processes (high CPU usage, unknown names).
3. Right-click on them and select End Task.

Common Info-Stealer Process Names:

• StealC.exe
• RedLine.exe
• Vidar.exe
• ClipBanker.exe
• Randomized system-like names

---

Step 3: Uninstall Suspicious Applications

1. Press Win + R, type appwiz.cpl, and press Enter.
2. Locate any suspicious or unknown programs.
3. Right-click and select Uninstall.

---

Step 4: Delete Malicious Files and Registry Entries

Info-stealers often store files in hidden locations.

Delete Suspicious Files

1. Open File Explorer and navigate to:
   • C:\Users\YourUser\AppData\Local
   • C:\Users\YourUser\AppData\Roaming
   • C:\ProgramData
   • C:\Windows\Temp
2. Delete any suspicious folders with randomized names.

Remove Malicious Registry Entries

1. Press Win + R, type regedit, and hit Enter.
2. Navigate to:
   • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
   • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
3. Delete suspicious registry keys (e.g., StealerLoader, TrojanRun).

---

Step 5: Reset Browsers and Flush DNS

Since info-stealers target browsers, clearing stored credentials is essential.

Reset Browser Data

1. Open Chrome, Edge, or Firefox.
2. Go to Settings → Privacy & Security → Clear Browsing Data.
3. Select Passwords, Cookies, and Cached files → Click Clear Data.

Flush DNS Cache

1. Open Command Prompt as Administrator.
2. Type the following commands and press Enter:bashCopyEditipconfig /flushdns ipconfig /release ipconfig /renew
3. Restart your computer.

---

Step 6: Scan for Rootkits

Some info-stealers use rootkit techniques to stay hidden.

1. Download Microsoft Safety Scanner or Malwarebytes Anti-Rootkit.
2. Perform a deep system scan.
3. Remove any detected threats.

---

Step 7: Change All Passwords & Enable 2FA

Since credentials may have been stolen, update passwords immediately for:

• Email accounts
• Banking/finance sites
• Social media accounts
• Cryptocurrency wallets
• Work and business logins

Enable two-factor authentication (2FA) for extra security.

---

Automatic Removal with SpyHunter (Recommended)

(For users who want a fast, reliable removal solution)

SpyHunter is an advanced malware removal tool designed to detect and eliminate info-stealers, trojans, and spyware.

Step 1: Download SpyHunter

Click Here to Download SpyHunter

Step 2: Install and Launch SpyHunter

1. Open the SpyHunter-Installer.exe file from your Downloads folder.
2. Follow the on-screen instructions.
3. Launch SpyHunter after installation.

Step 3: Scan Your System for Info-Stealers

1. Click “Start Scan” to perform a deep scan.
2. SpyHunter will identify all malware-related files.
3. Click “Remove” to eliminate detected threats.

Step 4: Enable SpyHunter’s Real-Time Protection

• Go to Settings → Enable Real-Time Protection.
• This prevents future infections.

---

How to Prevent Info-Stealer Infections

• Avoid Cracked Software & Torrents – These often contain malware.
• Use Strong, Unique Passwords – Consider a password manager.
• Enable Two-Factor Authentication (2FA) – Protects against account theft.
• Keep Windows & Software Updated – Security updates fix vulnerabilities.
• Beware of Phishing Emails – Do not click unknown links or attachments.
• Use a Reliable Anti-Malware Solution – SpyHunter detects and removes threats in real time.

---

Conclusion

XDigo is a formidable and covert threat engineered for high-value cyber-espionage. Its ability to slip past defenses, harvest critical data, and enable remote attacker control makes it exceptionally dangerous for targeted organizations and individuals. If a compromise is suspected, immediate use of a trusted removal tool like SpyHunter is essential. Following cleanup, securing systems via updates, hardened endpoint controls, and user education is critical to prevent reinfection.