The XE Group cybercrime syndicate, active since 2013 and believed to operate from Vietnam, has pivoted from focusing on e-skimming web store operations to exploiting zero-day vulnerabilities for network breaches.
Initially, the group specialized in credit card skimming and password theft, primarily through supply chain attacks and web shells. Over time, XE Group shifted to more sophisticated tactics, now focusing on information theft from supply chains, particularly in the manufacturing and distribution sectors.
According to a joint report from Intezer and Solis, XE Group has leveraged at least two zero-day vulnerabilities in VeraCore, a widely used supply chain management software, to enhance its attacks. The vulnerabilities, tracked as CVE-2024-57968 (Upload Validation Vulnerability) and CVE-2025-25181 (SQL Injection), allowed the group to maintain unauthorized access through web shells and other malicious tools.
In one case, the group compromised an organization in 2020, maintaining access to its systems for over four years before reactivating a previously deployed web shell in 2024.
The group deploys custom ASPXSPY web shells that facilitate unauthorized server access, with communication authenticated by unique base64-encoded strings. XE Group also uses obfuscation methods like disguising malicious executables as PNG files, which, when executed, establish reverse shells communicating with malicious domains.
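As an added defensive example (not code from the report or from this article), the following Python check flags files carrying a `.png` extension whose leading bytes are a Windows PE (`MZ`) header rather than the PNG signature, the masquerading technique described above; the sample directory and file names are constructed for the demonstration.

```python
import os
import tempfile

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"   # standard 8-byte PNG signature
PE_MAGIC = b"MZ"                   # DOS stub that starts every Windows PE file


def classify_bytes(header: bytes) -> str:
    """Return the real file type implied by the leading bytes, not the name."""
    if header.startswith(PNG_MAGIC):
        return "png"
    if header.startswith(PE_MAGIC):
        return "pe"
    return "unknown"


def check_file(path: str) -> dict:
    """Compare a file's extension with what its magic bytes say it is."""
    with open(path, "rb") as fh:
        header = fh.read(8)
    ext = os.path.splitext(path)[1].lower().lstrip(".")
    actual = classify_bytes(header)
    return {
        "name": os.path.basename(path),
        "extension": ext,
        "actual": actual,
        # A .png that is really a PE image is the disguise worth alerting on.
        "suspicious": ext == "png" and actual == "pe",
    }


def scan_directory(root: str) -> list:
    """Walk a tree and return only the .png files that are really PE files."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".png"):
                findings.append(check_file(os.path.join(dirpath, name)))
    return [f for f in findings if f["suspicious"]]


def build_sample_dir() -> str:
    """Constructed sample data: one genuine PNG and one PE header saved as .png."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "logo.png"), "wb") as fh:
        fh.write(PNG_MAGIC + b"\x00" * 16)
    with open(os.path.join(root, "update.png"), "wb") as fh:
        fh.write(b"MZ\x90\x00" + b"\x00" * 16)
    return root


if __name__ == "__main__":
    for hit in scan_directory(build_sample_dir()):
        print(f"masquerading file: {hit['name']} (extension {hit['extension']}, actual {hit['actual']})")
```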
In their most recent campaign, the group reused a server previously compromised in January 2020, exploiting an SQL Injection vulnerability to retrieve valid credentials. This enabled them to upload web shells across different system directories within the VeraCore application, and explore its functionalities to identify specific data or further attack vectors.
“By targeting supply chains in the manufacturing and distribution sectors, XE Group not only maximizes the impact of their operations but also demonstrates an acute understanding of systemic vulnerabilities,” the researchers noted.