In a recent shift of tactics, the notorious cybercrime group XE Group has transitioned from credit card skimming to exploiting zero-day vulnerabilities in their attacks. This strategic shift has caught the attention of researchers from Intezer and Solis Security, who have been closely monitoring the group’s activities.
XE Group, known to be active since at least 2013, initially focused on credit card skimming and password theft through supply chain attacks. However, their recent operations indicate a significant change in their modus operandi. According to analysis published by Intezer, XE Group now targets supply chains in the manufacturing and distribution sectors, utilizing new vulnerabilities and advanced tactics to achieve their malicious objectives.
The group’s most recent activities involve the exploitation of zero-day vulnerabilities in Advantive VeraCore software. These vulnerabilities, identified as CVE-2024-57968 and CVE-2025-25181, have allowed XE Group to deploy reverse shells and web shells and to maintain persistence on the targeted systems. The web shells deployed by the group enable a range of malicious actions, including file system exploration, file exfiltration, network scanning, and SQL queries.
In addition to exploiting vulnerabilities in Advantive VeraCore, XE Group has also been observed targeting vulnerabilities in Telerik UI, such as CVE-2017-9248 and CVE-2019-18935. The group’s tactics include supply chain attacks using malicious JavaScript, custom ASPXSPY web shells, and obfuscated executables disguised as PNG files.
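One of the tactics listed above, executables disguised as PNG files, is something a defender can hunt for without any knowledge of the specific samples: the file extension says "image", but the bytes say "Windows PE". The following is an added illustration written for this page, not code from Intezer, Solis Security, or Security Affairs, and it uses constructed in-memory samples rather than any real artifact from the campaign. It flags three conditions: a PE where an image was expected, a `.png` that lacks the PNG signature, and a PE appended to or embedded after a valid image header.

```python
"""Flag files whose image extension does not match their contents.

Added example for this article; the sample files below are constructed,
not real XE Group artifacts.
"""
import struct
from pathlib import Path

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"          # fixed 8-byte PNG signature
IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".bmp"}


def is_pe_image(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' stub whose e_lfanew field
    (offset 0x3C) points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_embedded_pe(data: bytes) -> int:
    """Offset of the first PE header found after byte 0, or -1 if none.
    Every 'MZ' hit is validated through e_lfanew to keep false positives low."""
    pos = data.find(b"MZ", 1)
    while pos != -1:
        if is_pe_image(data[pos:]):
            return pos
        pos = data.find(b"MZ", pos + 1)
    return -1


def classify(name: str, data: bytes) -> str:
    """Return a verdict string for one file (name only supplies the extension)."""
    ext = Path(name).suffix.lower()
    if ext not in IMAGE_EXTENSIONS:
        return "not-image-extension"
    if is_pe_image(data):
        return "pe-disguised-as-image"
    if ext == ".png" and not data.startswith(PNG_MAGIC):
        return "png-extension-without-png-header"
    if find_embedded_pe(data) != -1:
        return "embedded-pe-in-image"
    return "ok"


def build_fake_pe() -> bytes:
    """Constructed minimal 'PE' for the demo: MZ stub, e_lfanew = 0x40, PE signature."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)   # 0x40-byte DOS header
    struct.pack_into("<I", header, 0x3C, 0x40)   # e_lfanew -> right after the stub
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 16


# Constructed sample set: file name -> file bytes.
SAMPLE_FILES = {
    "logo.png":   PNG_MAGIC + b"\x00" * 32,                  # genuine-looking PNG
    "update.png": build_fake_pe(),                            # PE renamed to .png
    "banner.png": PNG_MAGIC + b"\x00" * 32 + build_fake_pe(), # PE appended to a PNG
    "image.png":  b"GIF89a" + b"\x00" * 32,                   # wrong image format
    "index.aspx": b"<%@ Page %>",                             # out of scope here
}


def scan_files(files: dict) -> dict:
    """Classify every file; callers can then alert on anything that is not 'ok'."""
    return {name: classify(name, data) for name, data in files.items()}


if __name__ == "__main__":
    for name, verdict in scan_files(SAMPLE_FILES).items():
        print(f"{name:12s} {verdict}")
```

In practice the same `classify` function would be fed files from an IIS web root or an upload directory rather than the constructed dictionary; the e_lfanew validation is what keeps the embedded-PE check from firing on ordinary image data that happens to contain the two bytes "MZ".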
A notable incident involving XE Group was documented on November 5, 2024, when Intezer detected an attack attributed to the group. An EDR system identified post-exploitation activity through a web shell on an IIS server hosting VeraCore’s warehouse management system software. Although the threat actor managed to exfiltrate configuration files and access remote systems, the EDR system successfully mitigated most of their actions.
The researchers highlighted XE Group’s ability to maintain persistent access to systems, as evidenced by the reactivation of a web shell years after its initial deployment. This demonstrates the group’s long-term objectives and its commitment to sustained operations. By targeting supply chains in specific sectors, XE Group aims to maximize the impact of its operations and to exploit systemic weaknesses to its advantage.
Understanding the technical intricacies of XE Group’s methods, including the vulnerabilities they exploit and the persistent nature of their attacks, is crucial for defenders seeking to stay ahead of this evolving threat actor. By staying informed and vigilant, organizations can better protect their systems against sophisticated cyber threats like those posed by XE Group.
For the latest updates on cybersecurity threats and trends, follow Pierluigi Paganini on Twitter (@securityaffairs) and other social media platforms. Stay informed and stay safe in the ever-evolving landscape of cybercrime.
Pierluigi Paganini
SecurityAffairs – hacking, newsletter