XDDown Downloader Malware Tool Threat Intel Advisory

CloudSEK Threat Intelligence Advisory on XDDown Downloader, the malware tool of the hacker group XDSpy, which leverages spear-phishing tactics to propagate.
Updated on May 22, 2023
Published on November 4, 2020
Malware tool
Method of deployment

  XDDown Downloader is a malware tool that is part of XDSpy's arsenal. XDSpy is a hacker group that has been active since 2011. The group's operations were detected in October 2020, targeting Eastern Europe and the Balkans.

  The group uses spear-phishing tactics to propagate the malware. The email content is updated frequently to exploit current events such as the pandemic. The threat group attaches ZIP and RAR archives that carry the malicious LNK or PowerPoint file. In some cases the emails come without any attachment and include only a direct download link. Once the user clicks the link or opens the malicious file, a malicious script runs and drops XDDown on the compromised machine at %APPDATA%\WINinit\WINlogon.exe. Persistence is achieved through a Windows registry Run key that launches the dropped executable.

  The key features of the XDDown modules include:
  • XDRecon scans the host, gathers technical specifications and OS details, and reports them to the XDSpy command-and-control (C2) server.
  • XDList hunts for files with specific extensions (Office-related files, PDFs, and address books) on the infected machine.
  • XDMonitor monitors and identifies which devices have been connected to the infected host.
  • XDUpload uploads files that were not already identified by XDList to the XDSpy server.
  • XDLoc gathers information about nearby WiFi networks and uses maps of public WiFi networks to track users' movements.
  • XDPass extracts passwords from locally installed browsers.

Impact

  1. Damage to reputation as customers lose confidence in the brand.
  2. Business disruption and loss of income.
  3. Disclosure of PII and confidential documents.

Mitigation

  1. Conduct awareness training for employees on phishing scenarios.
  2. Deploy a spam filter.
  3. Deploy the latest security patches and updates for systems.
  4. Use antivirus software.
  5. Use web filters to block malicious websites.
  6. Encrypt all sensitive company information.

Indicators of Compromise

File hashes (SHA-1)
  • 63B988D0869C6A099C7A57AAFEA612A90E30C10F
  • AE34BEDBD39DA813E094E974A9E181A686D66069
  • B807756E9CD7D131BD42C2F681878C7855063FE2
C&C Servers
  • 365downloading.com
  • boborux.com
  • chtcc.net
  • cracratutu.com
  • daftsync.com
  • documentsklad.com
  • download-365.com
  • downloadsprimary.com
  • dropsklad.com
  • easytosay.org
  • ferrariframework.com
  • file-download.org
  • filedownload.email
  • getthatupdate.com
  • jerseygameengine.com
  • maiwegwurst.com
  • migration-info.com
  • minisnowhair.com
  • nomatterwhat.info
  • officeupdtcentr.com
  • seatwowave.com
  • Wildboarcontest.com
Old network infrastructure
  • forgeron.tk
  • jahre999.tk
  • omgtech.000space.com
  • podzim.tk
  • porfavor876.tk
  • replacerc.000space.com
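The hunting checks that the advisory implies, as an added Python example that is not CloudSEK's or the advisory's own tooling: the three SHA-1 hashes, the C2 and old-infrastructure domains, and the Run-key persistence pointing at %APPDATA%\WINinit\WINlogon.exe. It works on offline artifacts (file bytes, a DNS log, a .reg export) so it runs anywhere; the DNS log format and the registry export excerpt are constructed for the example and are not from a real incident.

```python
"""Hunt for XDDown indicators in offline artifacts.

Added example; not CloudSEK's or the advisory's own tooling. Three checks,
each driven by the indicators listed in the advisory:
  1. SHA-1 of suspect file content against the listed sample hashes.
  2. DNS log lines against the listed C2 domains (case-insensitive, with
     subdomains and a trailing dot tolerated).
  3. A Windows registry export (.reg text) for Run-key values that launch
     the documented drop path %APPDATA%\\WINinit\\WINlogon.exe.
The sample log and registry excerpt below are constructed for the example.
"""
import hashlib
import re

# Indicators from the advisory (hashes lowercased for comparison)
XDDOWN_SHA1 = {
    "63b988d0869c6a099c7a57aafea612a90e30c10f",
    "ae34bedbd39da813e094e974a9e181a686d66069",
    "b807756e9cd7d131bd42c2f681878c7855063fe2",
}
C2_DOMAINS = {
    "365downloading.com", "boborux.com", "chtcc.net", "cracratutu.com",
    "daftsync.com", "documentsklad.com", "download-365.com",
    "downloadsprimary.com", "dropsklad.com", "easytosay.org",
    "ferrariframework.com", "file-download.org", "filedownload.email",
    "getthatupdate.com", "jerseygameengine.com", "maiwegwurst.com",
    "migration-info.com", "minisnowhair.com", "nomatterwhat.info",
    "officeupdtcentr.com", "seatwowave.com", "wildboarcontest.com",
    # old network infrastructure from the advisory
    "forgeron.tk", "jahre999.tk", "omgtech.000space.com", "podzim.tk",
    "porfavor876.tk", "replacerc.000space.com",
}
# Tail of the drop path; matches both %APPDATA% and expanded forms
DROP_PATH = r"\wininit\winlogon.exe"


def sha1_matches(data: bytes) -> bool:
    """True if the file content hashes to one of the listed XDDown samples."""
    return hashlib.sha1(data).hexdigest() in XDDOWN_SHA1


def normalize_host(hostname: str) -> str:
    """Lowercase and strip the trailing dot of a fully qualified name."""
    return hostname.strip().lower().rstrip(".")


def domain_is_c2(hostname: str) -> bool:
    """Exact or subdomain match against the C2 list."""
    labels = normalize_host(hostname).split(".")
    # Check every suffix: a.b.c.com -> a.b.c.com, b.c.com, c.com
    return any(".".join(labels[i:]) in C2_DOMAINS for i in range(len(labels)))


def find_c2_lookups(log_lines):
    """Return (line_no, host) for lines whose queried name is a listed C2."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = re.search(r"query:\s+(\S+)", line)  # constructed log format
        if m and domain_is_c2(m.group(1)):
            hits.append((n, normalize_host(m.group(1))))
    return hits


def find_run_key_persistence(reg_text: str):
    """Return (key, value_name) for Run-key values that launch the drop path.

    Parses a .reg-style export: a [HKEY...\\CurrentVersion\\Run] section
    header followed by "Name"="command" lines (backslashes doubled).
    """
    hits = []
    section = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section and section.lower().endswith(r"\currentversion\run"):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m and DROP_PATH in m.group(2).replace("\\\\", "\\").lower():
                hits.append((section, m.group(1)))
    return hits


# Constructed sample inputs (not real telemetry)
SAMPLE_DNS_LOG = [
    "2020-10-14T09:12:01Z client 10.0.0.5 query: www.example.com type A",
    "2020-10-14T09:12:07Z client 10.0.0.5 query: cdn.Download-365.com type A",
    "2020-10-14T09:13:44Z client 10.0.0.9 query: intranet.local type A",
    "2020-10-14T09:14:02Z client 10.0.0.5 query: replacerc.000space.com. type A",
]
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"WINlogon"="C:\\Users\\user\\AppData\\Roaming\\WINinit\\WINlogon.exe"
"""

if __name__ == "__main__":
    print("C2 lookups:", find_c2_lookups(SAMPLE_DNS_LOG))
    print("Run-key persistence:", find_run_key_persistence(SAMPLE_REG_EXPORT))
    print("benign blob matches sample hash:", sha1_matches(b"benign content"))
```

The suffix walk in domain_is_c2 is what makes a lookup for cdn.download-365.com match, and the lowercase normalisation is why the advisory's mixed-case Wildboarcontest.com entry still matches real DNS telemetry. In a real deployment, feed find_run_key_persistence the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run` from the host and point sha1_matches at the bytes of any WINlogon.exe found under %APPDATA%\WINinit.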
