
The XE Group, a cybercrime syndicate with suspected Vietnamese origins, has dramatically evolved its operations from traditional credit card skimming to sophisticated zero-day exploitation. This strategic shift demonstrates their growing technical capabilities and willingness to target enterprise supply chain systems using advanced persistent threat techniques.
Executive Summary for Security Leaders
Security teams should be aware of XE Group’s transition from financial theft to targeted information exfiltration through supply chain compromises. The group has demonstrated exceptional persistence, maintaining access to compromised systems for over four years while exploiting critical vulnerabilities in VeraCore supply chain software. Their ability to reactivate dormant web shells years after initial compromise presents unique detection challenges for enterprise security teams.
Technical Analysis of Attack Methodology
The group’s recent campaign leverages two vulnerabilities in VeraCore, a supply chain and order-fulfillment platform used by fulfillment companies and e-retailers. The chain pairs a SQL injection flaw, used to harvest credentials, with an authenticated file-upload flaw: the stolen credentials satisfy the upload feature’s login requirement, and the upload drops an ASPXSPY web shell into a web-accessible directory. Researchers have identified distinctive markers in XE Group’s ASPXSPY implementations, including specific authorization headers and base64-encoded command strings, that give defenders something concrete to hunt for.
Vulnerability Exploitation Details
XE Group’s exploitation of CVE-2024-57968 (CVSS 9.9) and CVE-2025-25181 (CVSS 5.8) shows the group can identify and weaponize flaws in enterprise software before a fix exists. CVE-2024-57968 is an upload validation flaw that lets an authenticated user write files to unintended, web-accessible directories; CVE-2025-25181 is a SQL injection that lets an attacker run arbitrary SQL statements against the backend database, not operating-system commands directly. In this chain the injection yields credentials, the credentials unlock the upload feature, and the uploaded ASPX file runs as a web shell, which is what turns a medium-severity injection and an upload bug into persistent code execution.
Detection and Mitigation Strategies
Organizations using VeraCore should immediately upgrade to version 2024.4.2.1, which fixes both vulnerabilities; the SQL injection lives in vendor code, so the patch, not a local query rewrite, is the fix there. Parameterized queries remain the right control for any in-house code that fronts the same database or takes input from the same users. Security teams should monitor for file uploads landing in directories the application does not normally write to, and should search every web root for the string “XeThanh|XeGroups” that the group’s web shells often contain. The shells also establish unexpected outbound network connections from the web server process, which proper logging and monitoring can surface.
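The credential-harvesting step in the attack chain and the parameterized-query advice above, shown side by side as an added example. This is not code from the article or from VeraCore: the users table, its columns, the placeholder hash values and the two payloads are assumptions constructed for the demo, and SQLite stands in for whatever database the real product uses.

```python
import sqlite3

# Constructed sample data; the table, columns and hash values are invented
# for this demo and are not VeraCore's schema.
SAMPLE_USERS = [
    ("alice", "<hash-1>"),
    ("bob", "<hash-2>"),
    ("svc_fulfilment", "<hash-3>"),
]

# Payloads an attacker might send in the username field.
TAUTOLOGY = "x' OR '1'='1"  # turns the WHERE clause into "always true"
SCHEMA_DUMP = "' UNION SELECT name, sql FROM sqlite_master --"  # reads table definitions


def setup_db():
    """Create an in-memory database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """Builds the WHERE clause by string concatenation.

    Whatever the caller supplies becomes part of the SQL text, so a quote
    character ends the literal and everything after it runs as SQL.
    """
    sql = ("SELECT username, password_hash FROM users WHERE username = '"
           + username + "'")
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Same query with a bound parameter.

    The driver sends the value separately from the SQL text, so the quote
    and the OR/UNION clauses are compared literally against the column.
    """
    sql = "SELECT username, password_hash FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups against each payload and return what each one leaked."""
    conn = setup_db()
    results = {}
    for label, payload in (("tautology", TAUTOLOGY), ("schema_dump", SCHEMA_DUMP)):
        results[label] = {
            "vulnerable_rows": lookup_vulnerable(conn, payload),
            "safe_rows": lookup_safe(conn, payload),
        }
    return results


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: concatenated query returned {len(rows['vulnerable_rows'])} rows,"
              f" parameterized query returned {len(rows['safe_rows'])}")
        for row in rows["vulnerable_rows"]:
            print("   ", row)
```

The tautology payload dumps every stored credential hash through the concatenated query, and the UNION payload reads the table definitions out of the catalogue, which is how an attacker learns which columns hold credentials in the first place; the parameterized version returns nothing for either, because the payload is matched as a username rather than parsed as SQL.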
Threat Hunting Recommendations
Effective detection requires monitoring for ASPX files with creation or modification timestamps that do not match a known deployment, and for unexpected network behavior from the web server. Because XE Group has kept dormant access for years, security teams should extend the look-back window of historical system activity well beyond the usual retention period and compare the web root against a clean vendor package to spot files that should not be there. Credential rotation, since the SQL injection harvests credentials, and a thorough investigation of all web-accessible directories are critical components of an effective response.
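The hunt described above and in the mitigation section, as an added example that is not code from the article or from the researchers who analysed XE Group. It scans a web root for the three indicators the article names: the literal string “XeThanh|XeGroups”, base64-encoded command strings inside ASPX files, and ASPX files whose timestamps fall outside the window in which the application was deployed. The sample web root, its file contents and its timestamps are constructed inline for the demo, and the list of command tokens used to judge a decoded blob is an assumption, not something the article reports.

```python
import base64
import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# String the article reports in XE Group's ASPXSPY web shells.
KNOWN_STRINGS = ("XeThanh|XeGroups",)

# Once a base64 blob decodes, these tokens suggest an embedded OS command.
# The token list is an assumption for the demo, not taken from the article.
COMMAND_TOKENS = ("cmd.exe", "powershell", "whoami", "net user", "certutil")

# Long runs of the base64 alphabet; short runs are mostly ordinary identifiers.
B64_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")

WEB_CODE_EXTENSIONS = (".aspx", ".ashx", ".asmx")


def decode_base64_commands(text):
    """Return decoded strings from base64 blobs in text that look like commands."""
    hits = []
    for blob in B64_RE.findall(text):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64, or not text once decoded
        if decoded.isprintable() and any(t in decoded.lower() for t in COMMAND_TOKENS):
            hits.append(decoded)
    return hits


def scan_file(path, deploy_window):
    """Return the list of findings for one file; an empty list means clean."""
    findings = []
    text = Path(path).read_text(errors="ignore")
    for marker in KNOWN_STRINGS:
        if marker in text:
            findings.append(f"known XE Group string: {marker}")
    for cmd in decode_base64_commands(text):
        findings.append(f"base64-encoded command: {cmd}")
    # Timestamp heuristic: a file whose last write falls outside the window in
    # which the application was deployed deserves a look. On Windows also pull
    # the NTFS creation time; st_mtime keeps this demo portable.
    mtime = datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)
    start, end = deploy_window
    if not start <= mtime <= end:
        findings.append(f"timestamp {mtime:%Y-%m-%d} outside deployment window")
    return findings


def hunt_web_root(root, deploy_window):
    """Walk a web root and return {relative path: findings} for suspicious files."""
    suspicious = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(WEB_CODE_EXTENSIONS):
                path = os.path.join(dirpath, name)
                findings = scan_file(path, deploy_window)
                if findings:
                    rel = os.path.relpath(path, root).replace(os.sep, "/")
                    suspicious[rel] = findings
    return suspicious


def _epoch(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc).timestamp()


def build_sample_web_root():
    """Construct a throwaway web root: one legitimate page, one planted shell.

    File contents and timestamps are fabricated for this demo.
    """
    root = tempfile.mkdtemp(prefix="webroot_demo_")
    legit = Path(root, "Default.aspx")
    legit.write_text('<%@ Page Language="C#" %><html>Order status</html>')
    shell = Path(root, "uploads", "images", "x.aspx")
    shell.parent.mkdir(parents=True)
    cmd_b64 = base64.b64encode(b"cmd.exe /c whoami").decode("ascii")
    shell.write_text(
        '<%@ Page Language="C#" %>\n'
        "<% // XeThanh|XeGroups\n"
        f'   string c = "{cmd_b64}"; %>\n'
    )
    legit_time = _epoch(2024, 12, 1)   # written during the vendor release
    shell_time = _epoch(2020, 1, 20)   # dropped years earlier, then left dormant
    os.utime(legit, (legit_time, legit_time))
    os.utime(shell, (shell_time, shell_time))
    return root


def run_demo():
    """Hunt the constructed web root against a Nov-Dec 2024 deployment window."""
    window = (datetime(2024, 11, 1, tzinfo=timezone.utc),
              datetime(2025, 1, 1, tzinfo=timezone.utc))
    return hunt_web_root(build_sample_web_root(), window)


if __name__ == "__main__":
    for rel_path, findings in run_demo().items():
        print(rel_path)
        for finding in findings:
            print("  -", finding)
```

Only the planted file under uploads/images is reported, with all three findings attached; the timestamp check is the one that matters for a shell that has sat untouched for years, because a dormant file carries no fresh string or network indicator until the operator returns to it.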
Implications for Enterprise Security
This case study highlights several concerning trends in cybercrime operations, including the adoption of advanced techniques previously associated with nation-state actors. The group’s focus on supply chain systems and long-term persistence demonstrates a strategic shift toward high-value targets. Security professionals must adapt their detection capabilities to identify these sophisticated, low-and-slow attack patterns.
Conclusion
XE Group’s evolution from credit card skimming to zero-day exploitation represents a significant escalation in cybercriminal capabilities. Their demonstrated persistence and supply chain focus require security teams to investigate more thoroughly and to extend their threat hunting timelines well beyond a typical log retention window. Organizations, particularly those running supply chain management software, should prioritize monitoring for the tactics, techniques, and procedures described here.