Full Report
XE Group, a likely Vietnam-linked hacking collective that has been active in the cyber threat arena for over a decade, is believed to be behind the exploitation of two VeraCore zero-day vulnerabilities. During the latest campaign, adversaries weaponized VeraCore flaws tracked as CVE-2024-57968 and CVE-2025-25181 to deploy reverse shells and web shells, ensuring […] The post XE Group Activity Detection: From Credit Card Skimming to Exploiting CVE-2024-57968 and CVE-2025-25181 VeraCore Zero-Day Vulnerabilities appeared first on SOC Prime.
Analysis Summary
# Threat Actor: XE Group
## Attribution & Identity
* **Identity:** Sophisticated hacking collective.
* **Attribution:** Believed to be of Vietnamese origin.
* **Aliases/Associations:** Not explicitly detailed beyond the collective name "XE Group."
## Activity Summary
XE Group has shown a shift in focus, moving from credit card skimming to exploiting critical zero-day vulnerabilities. Recent campaigns (since early 2025) involve the active exploitation of two VeraCore zero-day vulnerabilities: CVE-2024-57968 and CVE-2025-25181. Historically, the group specialized in credit card data theft, often achieved through supply chain attacks involving malicious JavaScript injected into web applications.
## Tactics, Techniques & Procedures
* Exploitation of new zero-days (VeraCore CVE-2024-57968 and CVE-2025-25181).
* Supply chain attacks utilizing injected malicious JavaScript code.
* Deployment of customized ASPXSPY web shells for unauthorized access.
* Obfuscation: Disguising executables as PNG files to establish reverse shells.
* Use of advanced techniques supported by coordinated infrastructure.
## Targeting
* **Sectors:** Not explicitly detailed beyond web application environment targets implied by web shell usage and vulnerability exploitation. Historically focused on credit card data theft.
* **Geography:** Not specified.
* **Victims:** Not specified.
## Tools & Infrastructure
* **Malware Families Used:** Customized ASPXSPY web shells.
* **Infrastructure:** Coordinated infrastructure supporting their operations.
* **URLs/IPs:** None specified in the summary.
## Implications
XE Group is assessed as a highly capable threat actor due to its immediate integration and weaponization of novel zero-day vulnerabilities (VeraCore CVE-2024-57968 and CVE-2025-25181) into active campaigns. Their history of supply chain compromise and use of web shells suggests a goal of persistent, deep access into compromised environments.
## Mitigations
* Prioritize patching and remediation for VeraCore vulnerabilities, specifically CVE-2024-57968 and CVE-2025-25181.
* Implement network monitoring and security controls specifically designed to detect signs of web shell activity (e.g., ASPXSPY variants).
* Enhance supply chain security processes to vet changes in JavaScript code integrated into web applications.
* Monitor for file obfuscation techniques, such as executables masquerading as image files (PNG).
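One way to operationalize the last mitigation above (and to surface the PNG-disguised executables listed under Tactics, Techniques & Procedures) is to compare each image file's extension against its leading magic bytes and flag mismatches. The script below is an added example, not code from the original SOC Prime post; the sample directory it builds is constructed for the demonstration, and it generalizes slightly beyond the page by also checking JPEG and GIF extensions and ELF headers.

```python
"""Flag files whose image extension disagrees with their content (magic bytes).

Added example for the XE Group summary; sample files are constructed, not real samples.
"""
import tempfile
from pathlib import Path

# Leading bytes for the image types normally found under a web root, plus the
# executable formats an attacker might hide behind an image extension.
IMAGE_MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
EXECUTABLE_MAGIC = {
    "pe": (b"MZ",),        # Windows EXE/DLL (DOS stub header)
    "elf": (b"\x7fELF",),  # Linux/Unix executables
}


def classify_header(head: bytes) -> str:
    """Coarse content type derived from the first bytes of a file."""
    for kind, sigs in EXECUTABLE_MAGIC.items():
        if head.startswith(sigs):
            return kind
    for ext, sigs in IMAGE_MAGIC.items():
        if head.startswith(sigs):
            return ext.lstrip(".")
    return "unknown"


def find_masquerading_images(root) -> list:
    """Walk `root` and return image-named files whose bytes are not that image type."""
    findings = []
    for path in Path(root).rglob("*"):
        ext = path.suffix.lower()
        if not path.is_file() or ext not in IMAGE_MAGIC:
            continue
        with path.open("rb") as fh:
            head = fh.read(16)
        if head.startswith(IMAGE_MAGIC[ext]):
            continue  # extension and content agree; nothing to report
        findings.append({
            "path": str(path),
            "declared": ext.lstrip("."),
            "actual": classify_header(head),
        })
    return findings


def build_sample_dir() -> str:
    """Constructed sample tree: one genuine PNG header, one genuine JPEG header,
    one PE stub renamed to .png (the masquerade to catch) and one non-image file."""
    d = Path(tempfile.mkdtemp(prefix="xe_demo_"))
    (d / "logo.png").write_bytes(IMAGE_MAGIC[".png"][0] + b"\x00\x00\x00\rIHDR" + b"\x00" * 16)
    (d / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 20)
    (d / "update.png").write_bytes(b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56)  # constructed PE-style stub
    (d / "notes.txt").write_bytes(b"not an image, ignored by the scan")
    return str(d)


if __name__ == "__main__":
    for hit in find_masquerading_images(build_sample_dir()):
        print(f"{hit['path']}: declared {hit['declared']}, content looks like {hit['actual']}")
```

Point `find_masquerading_images` at an upload directory or web root on a schedule and route hits to the SOC queue. A mismatch is one signal rather than proof: an attacker can prepend a valid PNG header to a payload, so correlate findings with web server access logs and with process execution telemetry for the same path.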