
From credit card fraud to zero-day exploits: Xe Group expanding cybercriminal efforts

The Vietnam-based group has grown more sophisticated since 2013, new research shows.
(alexsl/Getty Images)

A cybercriminal organization that has been operating for over a decade has moved from credit-card skimming to exploiting zero-day vulnerabilities, according to a joint investigation by cybersecurity firms Solis Security and Intezer. The group, tracked as XE Group, now poses heightened risks to global supply chains, particularly in manufacturing and distribution sectors, by leveraging stealthier tactics and long-term system access.

Initially identified in 2013 for targeting e-commerce platforms with credit-card skimmers, XE Group has steadily refined its methods. Early campaigns exploited known vulnerabilities in widely used tools like Telerik UI for ASP.NET, deploying webshells — malicious scripts that grant remote server access — to steal payment data. By 2024, the group shifted focus to targeted information theft, exploiting two zero-day vulnerabilities in VeraCore, a supply chain management software used by fulfillment companies and retailers.

The vulnerabilities — an upload validation flaw and a SQL injection flaw — allowed XE Group to infiltrate systems, exfiltrate configuration files, and maintain access for years. Notably, the group reactivated a webshell in 2024 that had been planted in a 2020 breach, demonstrating a sophisticated level of patience and operational discipline. 
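The article names an upload validation flaw but gives no details of VeraCore's code. The following added example (not code from VeraCore, Advantive, Solis Security or Intezer) shows the general shape of the defect class beside a hardened check: a weak validator that trusts the client-supplied Content-Type and merely looks for an allowed extension anywhere in the name, and a server-side check that allowlists a single extension, verifies the file's leading bytes and stores the file under a random name. The policy table, filenames and sample bytes are constructed for illustration.

```python
import os
import re
import secrets
from dataclasses import dataclass

# Hypothetical upload policy for this example: allowed extension -> expected leading bytes.
ALLOWED = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}


@dataclass
class Upload:
    filename: str      # name supplied by the client
    content_type: str  # header supplied by the client
    data: bytes        # file body


def weak_is_allowed(up: Upload) -> bool:
    """The kind of check that fails: it trusts the client's Content-Type header and
    accepts the name if an allowed extension appears anywhere in it, so a name such
    as 'x.jpg.aspx' passes and the server may later execute it as a script."""
    if not up.content_type.startswith(("image/", "application/pdf")):
        return False
    return any(f".{ext}" in up.filename.lower() for ext in ALLOWED)


def hardened_check(up: Upload):
    """Decide from server-side facts only. Returns (ok, reason, stored_name)."""
    name = up.filename
    # Reject anything that could influence where the file lands on disk.
    if "\x00" in name or "/" in name or "\\" in name:
        return False, "path separator or NUL in filename", None
    base = os.path.basename(name)
    # Exactly one dot: a short alphanumeric stem and a single extension.
    # (Spaces and unicode are rejected here as a deliberate policy choice.)
    m = re.fullmatch(r"[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})", base)
    if not m:
        return False, "filename does not match allowed pattern", None
    ext = m.group(1).lower()
    if ext not in ALLOWED:
        return False, f"extension .{ext} not in allowlist", None
    # Check the content itself, not the Content-Type header the client chose.
    if not up.data.startswith(ALLOWED[ext]):
        return False, "content does not match declared type", None
    # Never reuse the client's name; the stored name carries only the vetted extension.
    stored = f"{secrets.token_hex(16)}.{ext}"
    return True, "ok", stored


if __name__ == "__main__":
    samples = [
        Upload("photo.png", "image/png", ALLOWED["png"] + b"\x00" * 16),
        Upload("shell.jpg.aspx", "image/jpeg", b"not an image"),
        Upload("..\\web.config", "image/png", ALLOWED["png"]),
        Upload("doc.pdf", "application/pdf", b"MZ\x90\x00"),
    ]
    for s in samples:
        print(f"{s.filename!r}: weak={weak_is_allowed(s)} hardened={hardened_check(s)[:2]}")
```

The point of the pairing is that every decision in the hardened path rests on data the server derives itself: the normalised extension, the file's leading bytes and a server-generated storage name, so a spoofed header or a crafted filename has nothing to act on.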

CVEs for the flaws have not been made publicly available, but an Intezer representative tells CyberScoop they will be released shortly after final validation from MITRE. VeraCore’s parent company, Advantive, issued a temporary fix for the upload validation flaw in November. Intezer told CyberScoop the SQL injection flaw remains unpatched.


Emails to Advantive were not returned. 

Researchers found that the group’s infrastructure includes domains used for command-and-control and for hosting skimming tools, which it has used over the years to automate its tactics:

  • In 2020, the group extracted database credentials via obfuscated Transact-SQL queries, later using them to upload malicious files.
  • The group has used customized variants of open-source webshells like ASPXSpy, with features for file manipulation, network scanning, and SQL database reconnaissance. By 2024, these tools included automated data exfiltration and PowerShell-based payload delivery.
  • Recent campaigns used native Microsoft Windows utilities like arp and netstat for network mapping, while PowerShell scripts loaded Meterpreter malware — a tool linked to advanced persistent threats — to establish covert communication channels.
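The tactics listed above (a webshell on the web server, native arp and netstat for network mapping, PowerShell loading a further payload) all show up in process-creation telemetry as a process tree rooted in the web server's worker process. The following added detection example (not code from the researchers, and not tied to any specific VeraCore artefact) walks constructed Sysmon-style process-creation events, reconstructs each process's lineage, and flags shells and discovery utilities that descend from the IIS worker `w3wp.exe`, as well as PowerShell launched with an encoded command. Hosts, PIDs and command lines are invented; the encoded argument is the base64 of a harmless placeholder string.

```python
import re

# Constructed sample events in a simplified Sysmon Event ID 1 (process creation) shape.
# Hosts, PIDs and command lines are invented for this example. The encoded argument
# is the UTF-16LE base64 of "ABCDEFGH", a harmless placeholder.
SAMPLE_EVENTS = [
    {"host": "WEB01", "pid": 3000, "ppid": 700,
     "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\inetsrv\w3wp.exe", "cmdline": 'w3wp.exe -ap "DefaultAppPool"'},
    {"host": "WEB01", "pid": 4120, "ppid": 3000,
     "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": 'cmd.exe /c "arp -a & netstat -ano"'},
    {"host": "WEB01", "pid": 4128, "ppid": 4120,
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\ARP.EXE", "cmdline": "arp -a"},
    {"host": "WEB01", "pid": 4133, "ppid": 4120,
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\NETSTAT.EXE", "cmdline": "netstat -ano"},
    {"host": "WEB01", "pid": 4201, "ppid": 3000,
     "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QQBCAEMARABFAEYARwBIAA=="},
    # Benign: an administrator's scheduled script and a manual netstat from explorer.
    {"host": "APP02", "pid": 5210, "ppid": 1220,
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
    {"host": "APP02", "pid": 6001, "ppid": 1220,
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\NETSTAT.EXE", "cmdline": "netstat -an"},
]

IIS_WORKER = "w3wp.exe"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
DISCOVERY = {"arp.exe", "netstat.exe", "ipconfig.exe", "whoami.exe", "net.exe", "nltest.exe"}
# PowerShell accepts abbreviated parameter names, so match the common short forms.
ENCODED_PS = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}")


def basename(path: str) -> str:
    """Lower-cased file name of an image path (Sysmon logs full paths, mixed case)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def lineage(tree: dict, ev: dict) -> list:
    """Image names from the process itself up to the oldest ancestor we know of."""
    names = [basename(ev["image"])]
    seen = {(ev["host"], ev["pid"])}
    cur = ev
    while True:
        parent = tree.get((cur["host"], cur["ppid"]))
        if parent is None:
            # No event for the parent; fall back to the parent image recorded on the child.
            names.append(basename(cur["parent_image"]))
            break
        if (parent["host"], parent["pid"]) in seen:
            break  # PID reuse produced a cycle; stop rather than loop forever
        seen.add((parent["host"], parent["pid"]))
        names.append(basename(parent["image"]))
        cur = parent
    return names


def analyze(events: list) -> list:
    """Return one finding per suspicious process, with the reasons it was flagged."""
    tree = {(ev["host"], ev["pid"]): ev for ev in events}
    findings = []
    for ev in events:
        image = basename(ev["image"])
        chain = lineage(tree, ev)
        reasons = []
        # A shell or discovery tool anywhere beneath the web server worker is webshell behaviour.
        if IIS_WORKER in chain[1:] and image in SHELLS | DISCOVERY:
            reasons.append(f"{image} descends from IIS worker: {' <- '.join(chain)}")
        # Encoded command lines are how a loader script hides what it fetches and runs.
        if image in SHELLS and ENCODED_PS.search(ev["cmdline"]):
            reasons.append("encoded PowerShell command line")
        if reasons:
            findings.append({"host": ev["host"], "pid": ev["pid"], "image": image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['host']} pid={f['pid']} {f['image']}: " + "; ".join(f["reasons"]))
```

The lineage walk is what keeps the rule precise: `netstat.exe` run by an administrator from Explorer on APP02 is not flagged, while the same binary two hops beneath `w3wp.exe` on WEB01 is. In production the same logic is usually expressed as a SIEM correlation over the parent/child fields, but the decision it encodes is the one shown here.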

One of the most noteworthy findings was XE Group’s ability to maintain access to a compromised system for over four years. In November 2024, the group reused credentials stolen in 2020 to reactivate a webshell, suggesting they prioritize persistence over immediate monetization. This approach allows them to quietly gather intelligence or stage larger attacks.

“These recent discoveries highlight that XE Group is not only active but evolving,” the researchers’ blog post reads. “The group’s ability to exploit unknown vulnerabilities and sustain prolonged access to targeted systems reflects a significant shift in their operational strategy.”


Previous research on XE Group points to it likely being located in Vietnam. While definitive attribution remains challenging, historical markers — including Vietnamese-linked email addresses and pseudonyms like “XeThanh” — suggest a well-resourced operation that has made minimal effort to obscure its identity. That lack of obscurity makes XE Group unlikely to be state-aligned, since such groups typically employ stricter operational security.

Written by Greg Otto

Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News & World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University.