The XE Group, a sophisticated cybercriminal organization active since at least 2013, has recently been involved in exploiting zero-day vulnerabilities to deploy malware and steal sensitive information.
Initially known for credit card skimming and password theft, the group has shifted its focus to targeted information theft, leveraging advanced tactics and new vulnerabilities.
XE Group was first identified as a threat actor specializing in exploiting web vulnerabilities to deploy credit card skimmers and password-stealing malware.
Their activities have been documented by several cybersecurity organizations, including Malwarebytes, Volexity, and Menlo Security.
Intezer analysts noted that the group initially targeted websites hosted on Microsoft IIS servers running ASP.NET, exploiting known vulnerabilities such as CVE-2017-9248 in Telerik UI for ASP.NET.
Recent Activities & Exploited Vulnerabilities
In 2024, XE Group transitioned from credit card skimming to targeted information theft, focusing on supply chains in the manufacturing and distribution sectors.
They leveraged new vulnerabilities and advanced tactics, including the exploitation of zero-day vulnerabilities in VeraCore software, which is widely used by fulfillment companies, commercial printers, and e-retailers.
- CVE-2024-57968: Upload Validation Vulnerability
This VeraCore vulnerability allowed XE Group to upload arbitrary files to the server when the application was not properly configured: the software checked only the size of the uploaded file, and the uploaded file was then reachable through the web server. Prior authentication was required to exploit this vulnerability.
- CVE-2025-25181: SQL Injection Vulnerability
Located in the timeoutWarning endpoint of the VeraCore application, this vulnerability allowed simple SQL injection: the query field concatenated user input with fixed strings, so an attacker could alter the resulting SQL query.
SQL Injection Attack Example:

```sql
-- Example of an obfuscated Transact-SQL statement used to retrieve credentials
-- The query attempts to get information from the USERS table and concatenate it into one string separated by ^
SELECT [USERS_SEQID] + '^' + [USERS_UserID] + '^' + [USERS_Password] + '^' + [USERS_Deleted]
```
After gaining access through SQL injection, XE Group uploaded webshells to maintain unauthorized access. These webshells, such as customized ASPXSPY, were used to communicate with command-and-control servers.
The group disguised executables as PNG files, which, when executed, established reverse shells communicating with domains like xegroups[.]com.
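The two weaknesses above, a size-only upload check and executables disguised as PNG files, point at the same mitigation: validate uploaded content, not just its length. The following is an added example written for this article, not VeraCore code; the size limit, the allowed-type list and the sample payloads are constructed assumptions.

```python
import os

# Assumed upload size limit (constructed value for this example)
MAX_UPLOAD_BYTES = 5 * 1024 * 1024

# Assumed allow-list of accepted types, keyed by extension, with their magic bytes
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
}

# Executable signatures that are rejected whatever extension the file claims
EXECUTABLE_MAGIC = {
    "PE (Windows executable/DLL)": b"MZ",
    "ELF": b"\x7fELF",
}


def size_only_check(data: bytes, limit: int = MAX_UPLOAD_BYTES) -> bool:
    """The weak pattern described for CVE-2024-57968: only the size is checked."""
    return len(data) <= limit


def validate_upload(filename: str, data: bytes, limit: int = MAX_UPLOAD_BYTES) -> tuple[bool, str]:
    """Hardened check: size range, extension allow-list, executable denylist, magic bytes."""
    if len(data) == 0 or len(data) > limit:
        return False, "size out of range"
    ext = os.path.splitext(filename.lower())[1]
    if ext not in MAGIC:
        return False, f"extension {ext!r} not allowed"
    for name, sig in EXECUTABLE_MAGIC.items():
        if data.startswith(sig):
            return False, f"content is {name}, not {ext}"
    if not data.startswith(MAGIC[ext]):
        return False, f"content does not match {ext}"
    return True, "ok"


# Constructed samples: a minimal PNG header, and a PE stub renamed to .png
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
SAMPLE_DISGUISED_EXE = b"MZ\x90\x00" + b"\x00" * 64

if __name__ == "__main__":
    for name, blob in (("logo.png", SAMPLE_PNG), ("update.png", SAMPLE_DISGUISED_EXE)):
        print(name, "size-only:", size_only_check(blob), "hardened:", validate_upload(name, blob))
```

The size-only check accepts both samples; the hardened check rejects the renamed executable and a webshell saved under an image extension, because neither carries the PNG signature.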
XE Group demonstrated exceptional persistence by maintaining long-term access to compromised systems.
In one instance, they reactivated a webshell initially deployed in 2020, highlighting their ability to remain undetected and reengage targets.
Their ability to exploit zero-day vulnerabilities and maintain prolonged access to targeted systems poses a significant threat to cybersecurity.