Monday, March 17, 2025

XE Hacker Group Exploiting VeraCore 0-Days to Deploy Malware & Steal Credit Card Details


The XE Group, a sophisticated Vietnamese-origin cybercrime organization active since 2013, has escalated its operations by exploiting two zero-day vulnerabilities in VeraCore software, CVE-2024-57968 and CVE-2025-25181.

These vulnerabilities, identified in a joint investigation by Intezer and Solis Security, have been used to deploy malware, steal sensitive information, and maintain long-term access to compromised systems.

VeraCore is widely utilized by fulfillment companies and e-retailers for warehouse and order management, making it a lucrative target for supply chain attacks.

The group’s recent activities reflect a notable shift from their earlier focus on credit card skimming to more advanced techniques involving zero-day exploits.

This evolution underscores the growing sophistication of XE Group’s operations and their ability to adapt to emerging opportunities in the cybercrime landscape.

Upload Validation & SQL Injection Flaws

The two exploited vulnerabilities in VeraCore highlight critical security gaps:

  1. CVE-2024-57968 (Upload Validation Vulnerability): This flaw allowed attackers to bypass file upload security filters and deploy malicious webshells on targeted servers. The webshells provided unauthorized access for data exfiltration and malware deployment.
  2. CVE-2025-25181 (SQL Injection Vulnerability): This weakness enabled the execution of arbitrary SQL commands, facilitating credential theft and lateral movement within networks.
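The article does not describe how the upload filter in CVE-2024-57968 was bypassed, so the following is an added, illustrative example of the vulnerability class (not VeraCore's code and not the actual flaw): a blocklist check that only looks at the final extension, beside a hardened validator that would have refused an ASPX webshell. The allowlisted types and magic bytes are assumptions chosen for the example.

```python
import os
import secrets

# Extensions an ASP.NET host executes if such a file becomes reachable over HTTP.
SERVER_EXECUTABLE = {"aspx", "asp", "ashx", "asmx", "cshtml", "config", "php", "jsp"}

# Allowlisted document types (assumed for this example), mapped to the leading
# bytes a genuine file of that type carries.
ALLOWED_MAGIC = {"pdf": b"%PDF-", "png": b"\x89PNG\r\n\x1a\n"}


def weak_is_allowed(filename: str) -> bool:
    """Blocklist check of the kind upload-validation flaws get past: it inspects only
    the last extension segment, case-sensitively, and trusts the client's filename."""
    return filename.rsplit(".", 1)[-1] not in SERVER_EXECUTABLE


def hardened_validate(filename: str, content: bytes):
    """Return (accepted, stored_name_or_rejection_reason).

    Accept only allowlisted types, reject a server-executable segment anywhere in the
    name (double extensions), require the content's magic bytes to match the declared
    type, and never reuse the client's name for the stored file."""
    name = os.path.basename(filename.replace("\\", "/")).lower()
    segments = name.split(".")
    if len(segments) < 2:
        return False, "no extension"
    if any(seg in SERVER_EXECUTABLE for seg in segments[1:]):
        return False, "server-executable extension segment"
    ext = segments[-1]
    if ext not in ALLOWED_MAGIC:
        return False, f".{ext} is not an allowlisted type"
    if not content.startswith(ALLOWED_MAGIC[ext]):
        return False, "content does not match declared type"
    # Server-chosen random name: the uploader cannot control where the file lands.
    return True, f"{secrets.token_hex(16)}.{ext}"
```

Validation alone is not sufficient: the upload directory should also sit outside the web root or have script execution disabled, so that a file which does slip through is served as data rather than run as a page.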

These vulnerabilities were first exploited as early as 2020, when XE Group gained access to a VeraCore system through SQL injection and uploaded webshells.

Figure: Execution of the shellcode using Speakeasy.

Remarkably, they reactivated these webshells in 2024, demonstrating their persistence and strategic patience.

From Credit Card Skimming to Advanced Cybercrime

Initially known for credit card skimming through supply chain attacks, XE Group has evolved into a more dangerous threat actor.

Their earlier campaigns involved injecting malicious JavaScript into payment platforms and deploying password-stealing malware.

However, since 2024, the group has shifted its focus to exploiting enterprise software vulnerabilities for information theft and supply chain disruptions.

The group’s use of customized ASPXSpy webshells authenticated with unique base64-encoded strings has been pivotal in maintaining long-term access to compromised systems.

According to Intezer, these webshells enable file system exploration, database manipulation, and network reconnaissance.

Additionally, XE Group employs obfuscated PowerShell scripts to load Remote Access Trojans (RATs), further enhancing their stealth and operational reach.

The exploitation of zero-day vulnerabilities by XE Group highlights the critical need for proactive cybersecurity measures.

Organizations using VeraCore or similar software should immediately:

  • Apply available patches or disable vulnerable features as advised by vendors.
  • Conduct thorough audits of system logs and network traffic for indicators of compromise.
  • Implement multi-factor authentication (MFA) to strengthen access controls.
  • Monitor threat intelligence feeds for known XE Group tactics and indicators.
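To make the log-audit step above concrete, here is an added example (not from the article, Intezer, or VeraCore) that scans IIS W3C logs for the pattern the article describes: server-executable pages being requested from directories that should only hold uploaded documents, or pages that are not part of the deployed application. The log lines, the deployment baseline and the upload path prefixes are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed IIS W3C log excerpt (not real VeraCore traffic) in default field order.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-11-02 03:14:07 10.0.0.5 GET /Default.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
2024-11-02 03:14:09 10.0.0.5 POST /Upload/Attachments/invoice_2020.aspx - 443 - 203.0.113.44 Mozilla/5.0 200
2024-11-02 03:14:11 10.0.0.5 POST /Upload/Attachments/invoice_2020.aspx - 443 - 203.0.113.44 Mozilla/5.0 200
2024-11-02 03:15:30 10.0.0.5 GET /Orders/List.aspx page=2 443 jdoe 198.51.100.7 Mozilla/5.0 200
2024-11-02 03:16:02 10.0.0.5 GET /images/logo.png - 443 - 198.51.100.7 Mozilla/5.0 200
"""

# Pages that legitimately ship with the application (assumed; a deployment manifest
# or a hash of the web root from a known-good install would supply this in practice).
BASELINE_PAGES = {"/default.aspx", "/orders/list.aspx"}
# Directories that should only ever hold user-supplied documents (assumed paths).
UPLOAD_PREFIXES = ("/upload/", "/attachments/", "/files/")
SERVER_EXECUTABLE = re.compile(r"\.(aspx|asp|ashx|asmx)$")


def parse_w3c(text: str):
    """Yield one dict per record, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def find_webshell_candidates(text: str):
    """Return {uri: {"hits", "clients", "reasons"}} for executable pages that sit in an
    upload directory or are absent from the deployment baseline."""
    findings = defaultdict(lambda: {"hits": 0, "clients": set(), "reasons": set()})
    for rec in parse_w3c(text):
        uri = rec["cs-uri-stem"].lower()
        if not SERVER_EXECUTABLE.search(uri):
            continue
        reasons = set()
        if uri.startswith(UPLOAD_PREFIXES):
            reasons.add("executable page under upload directory")
        if uri not in BASELINE_PAGES:
            reasons.add("page not in deployment baseline")
        if not reasons:
            continue
        if rec["cs-method"] == "POST" and rec["cs-username"] == "-":
            reasons.add("unauthenticated POST")  # typical of webshell command traffic
        f = findings[uri]
        f["hits"] += 1
        f["clients"].add(rec["c-ip"])
        f["reasons"] |= reasons
    return dict(findings)
```

Because the article notes the webshells were planted in 2020 and reused in 2024, the scan should cover archived logs and be paired with a file-system comparison of the web root against a known-good install, not just recent traffic.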

The persistence of XE Group’s activities spanning years emphasizes the importance of robust incident response protocols.

Their ability to exploit unpatched vulnerabilities and maintain long-term access poses a severe risk to global supply chains, particularly in the manufacturing and distribution sectors.

XE Group’s transition from credit card skimming to exploiting zero-day vulnerabilities marks a significant escalation in their cybercrime capabilities.

By targeting enterprise software like VeraCore, they have demonstrated adaptability and operational discipline, posing a formidable challenge to cybersecurity defenses worldwide.

The case serves as a stark reminder of the importance of addressing software vulnerabilities promptly and investing in advanced detection systems to mitigate emerging threats.


Aman Mishra