XE Shifts From Card Skimming to Supply Chain Attacks

A cybercrime group long associated with credit card theft has expanded into targeted information stealing from supply chain organizations in the manufacturing and distribution sectors.

In some of these new attacks the threat actor, whom several vendors track as the XE Group and link to Vietnam, has exploited two zero-day vulnerabilities in VeraCore’s warehouse management platform to install Web shells for executing a variety of malicious actions.

Zero-Day Exploits in VeraCore

In a joint report this week, researchers from Intezer and Solis described the activity they observed recently as a sign of the heightened threat the group presents to organizations.

“XE Group’s evolution from credit card skimming operations to exploiting zero-day vulnerabilities underscores their adaptability and growing sophistication,” the researchers wrote. “By targeting supply chains in the manufacturing and distribution sectors, XE Group not only maximizes the impact of their operations but also demonstrates an acute understanding of systemic vulnerabilities.”

XE Group is a likely Vietnamese threat actor that multiple vendors, including Malwarebytes, Volexity, and Menlo security have tracked for years. The group first surfaced in 2013, and through at least late 2024 was known primarily for leveraging Web vulnerabilities to deploy malware for skimming credit card numbers and associated data from e-commerce sites.

In June 2023, the US Cybersecurity and Infrastructure Security Agency (CISA) identified XE Group as one of several threat actors exploiting vulnerabilities in Progress Telerik software running on government IIS servers and executing remote commands on them. One of the vulnerabilities that CISA identified in its report (CVE-2017-9248) was the same one that Malwarebytes first observed XE Group exploiting back in 2020 in card skimmer attacks targeting ASP.Net sites. That campaign, as Intezer and Solis noted in their report, was notable for its focus on ASP.Net sites, which were rarely targeted at the time. In 2023, Menlo Security reported seeing XE Group deploying multiple strategies, including supply chain attacks to deploy card skimmers on websites, and also setting up fake sites for stealing personal information and selling it in underground forums.

What Solis and Intezer have observed now is a continued expansion of the threat actor’s activities, exploitation techniques, and malware since then. The group’s newer attack tactics include injecting malicious JavaScript into webpages, exploiting vulnerabilities in widely deployed products, and using custom ASPX Web shells to maintain access to compromised system.

XE Group’s Long-Term Cyberattack Objectives

In several of the recent attacks, the threat actor has used the two VeraCore zero-days (CVE-2024-57968, an upload validation vulnerability with a CVSS severity score of 9.9; and CVE-2025-25181, a SQL injection flaw with a 5.8 severity score) to deploy multiple Web shells on compromised systems.

“In at least one instance, Solis and Intezer researchers discovered the threat actor had exploited one of the VeraCore vulnerabilities as far back as January 2020 and had maintained persistent access to the victim’s compromised environment since then,” according to the joint report. “In 2024, the group reactivated a webshell initially deployed [in January 2020], highlighting their ability to remain undetected and reengage targets. Their ability to maintain persistent access to systems … years after initial deployment, highlights the group’s commitment to long-term objectives.”

The XE Group’s recent shift in tactics and targeting are consistent with a broader focus among threat actors on the software supply chain. Though SolarWinds remains perhaps the best known example, there have been several other significant attacks on widely used software products and services. Examples include attacks on Progress Software’s MOVEit file transfer tool, a breach at Okta that affected all of its customers, and a breach at Accellion that allowed attackers to deploy ransomware on some of the company’s customers.