Full Report
Threat actors have been observed exploiting multiple security flaws in various software products, including Progress Telerik UI for ASP.NET AJAX and Advantive VeraCore, to drop reverse shells and web shells, and maintain persistent remote access to compromised systems. The zero-day exploitation of security flaws in VeraCore has been attributed to a threat actor known as XE Group, a cybercrime
Analysis Summary
# Threat Actor: XE Group
## Attribution & Identity
* **Identification:** XE Group, categorized as a cybercrime group.
* **Origin:** Likely of Vietnamese origin.
* **Activity Span:** Active since at least 2010.
* **Evolution:** Transitioned operations from credit card skimming to targeted information theft.
## Activity Summary
XE Group has been observed exploiting security vulnerabilities in software, including zero-day flaws in Advantive VeraCore and known flaws in Progress Telerik UI for ASP.NET AJAX, to establish remote access. Their recent activities indicate a shift toward targeting supply chains within the manufacturing and distribution sectors. Exploitation of the VeraCore flaws was discovered in November 2024, but evidence indicates that VeraCore vulnerabilities (including CVE-2025-25181) had been chained as far back as early 2020. The group is noted for maintaining persistent access to compromised systems, including reactivating web shells years after their initial deployment.
## Tactics, Techniques & Procedures
- Exploitation of zero-day vulnerabilities (VeraCore).
- Exploitation of known vulnerabilities (Progress Telerik UI for ASP.NET AJAX: CVE-2017-9248, CVE-2019-18935).
- Deployment of reverse shells and web shells for remote access.
- File system enumeration and file exfiltration capabilities within web shells.
- File compression using tools like 7z.
- Dropping Meterpreter payloads.
- Establishing command and control via Windows sockets.
- Network scanning and execution of SQL queries for data extraction/modification.
- Use of `cmd.exe` for reconnaissance commands following exploitation.
- MITRE ATT&CK references (implied/explicit):
  - Exploit Public-Facing Application (T1190)
  - Server Software Component: Web Shell (T1505.003), e.g., ASPXSpy (S0073)
## Targeting
* **Sectors:** Manufacturing and Distribution (supply chains).
* **Geography:** Victim geography is not explicitly stated; the group itself is assessed to be of Vietnamese origin.
* **Victims:** Organizations within the manufacturing and distribution supply chain.
## Tools & Infrastructure
* **Malware Families Used:**
  * ASPXSpy web shells (updated variants mentioned).
  * Meterpreter payload.
* **Infrastructure:**
  * Actor-controlled C2 server: `222.253.102[.]94:7979`
## Implications
XE Group displays increasing sophistication, evidenced by the first attribution of zero-day exploitation in their activity, marking a significant escalation from previous reliance on known vulnerabilities. Their focus on supply chains suggests an intent to maximize systemic impact. Their ability to maintain long-term, persistent access indicates a focus on sustained espionage or data theft rather than mere opportunistic intrusion.
## Mitigations
- Prioritize patching for vulnerable software, especially internet-exposed applications, noting that old vulnerabilities (CVE-2017-9248 and CVE-2019-18935 in Telerik UI for ASP.NET AJAX) remain actively exploited years after fixes were published.
- Implement network monitoring to detect unusual outbound connections from web servers, in particular to the listed C2 indicator (`222.253.102[.]94:7979`) and to non-standard ports such as 7979; IIS worker processes normally have a small, predictable set of egress destinations.
- Investigate and remediate suspicious file uploads or unexpected executable/script activity within web application directories: newly written `.aspx`/`.ashx` files outside the application's known pages, and the IIS worker process (`w3wp.exe`) spawning `cmd.exe`, are both consistent with the web shell and post-exploitation reconnaissance activity described above.
- Harden systems against common web shell deployment methods targeting vulnerabilities in common enterprise software (e.g., Progress Telerik), and re-check previously remediated hosts, since the group has been observed reactivating web shells long after initial deployment.
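The following detection script is an added example written for this page; it is not tooling from the report's authors or from XE Group's victims. It turns the TTPs and mitigations above into concrete checks over constructed sample data: IIS W3C access-log lines (POST requests to script endpoints outside an assumed allowlist, and POSTs to the Telerik RadAsyncUpload and DialogHandler endpoints, which are the handlers associated with CVE-2019-18935 and CVE-2017-9248 respectively; that pairing is general knowledge, not stated on this page) and Sysmon-style host events (`w3wp.exe` spawning `cmd.exe`, `7z.exe` staging an archive, and outbound connections to the report's C2 indicator or to unexpected ports). The sample log lines, the `KNOWN_ENDPOINTS` allowlist and the `EXPECTED_EGRESS_PORTS` baseline are all assumptions constructed for the example.

```python
import re

# Indicator taken from the report: actor-controlled C2 server.
C2_INDICATORS = {("222.253.102.94", 7979)}
# ASSUMED: the application's legitimate script endpoints (lowercase) and the
# normal outbound ports for the IIS worker process. Tune both per environment.
KNOWN_ENDPOINTS = {"/default.aspx", "/login.aspx", "/orders/list.aspx"}
EXPECTED_EGRESS_PORTS = {80, 443, 1433}
# Telerik handlers exploited by CVE-2019-18935 (RadAsyncUpload) and
# CVE-2017-9248 (DialogHandler); general knowledge, not from the report.
TELERIK_HANDLERS = ("/telerik.web.ui.webresource.axd",
                    "/telerik.web.ui.dialoghandler.aspx")
SCRIPT_EXT = re.compile(r"\.(aspx|ashx|asmx|axd)$", re.I)
SHELLS = {"cmd.exe", "powershell.exe"}

# CONSTRUCTED IIS W3C log excerpt (not real victim data).
IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2024-11-12 03:14:01 10.0.0.5 GET /default.aspx - 203.0.113.7 200
2024-11-12 03:14:09 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 203.0.113.7 200
2024-11-12 03:14:10 10.0.0.5 POST /uploads/temp/spy.aspx cmd=dir 203.0.113.7 200
2024-11-12 03:15:30 10.0.0.5 POST /orders/list.aspx - 198.51.100.2 200
"""

# CONSTRUCTED Sysmon-style events: id 1 = process create, id 3 = network connect.
HOST_EVENTS = [
    {"id": 1, "image": "cmd.exe", "parent": "w3wp.exe",
     "cmdline": "cmd.exe /c whoami & ipconfig /all"},
    {"id": 1, "image": "7z.exe", "parent": "cmd.exe",
     "cmdline": "7z.exe a C:\\inetpub\\temp\\out.7z C:\\data"},
    {"id": 3, "image": "w3wp.exe", "dst_ip": "222.253.102.94", "dst_port": 7979},
    {"id": 3, "image": "w3wp.exe", "dst_ip": "198.51.100.9", "dst_port": 8080},
    {"id": 3, "image": "w3wp.exe", "dst_ip": "10.0.0.20", "dst_port": 1433},
    {"id": 1, "image": "cmd.exe", "parent": "explorer.exe", "cmdline": "cmd.exe"},
]


def parse_iis_w3c(text):
    """Parse W3C extended log lines into dicts keyed by the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


def suspicious_web_requests(rows):
    """Flag POSTs to Telerik handlers and to script endpoints not in the allowlist."""
    hits = []
    for r in rows:
        stem = r["cs-uri-stem"].lower()
        if r["cs-method"] != "POST":
            continue
        if stem in TELERIK_HANDLERS:
            hits.append(("telerik-handler-post", r))
        elif SCRIPT_EXT.search(stem) and stem not in KNOWN_ENDPOINTS:
            hits.append(("unknown-script-post", r))  # candidate web shell
    return hits


def suspicious_host_events(events):
    """Flag web-shell command execution, archive staging and C2-style egress."""
    hits = []
    for e in events:
        if e["id"] == 1 and e["parent"] == "w3wp.exe" and e["image"] in SHELLS:
            hits.append(("iis-worker-spawned-shell", e))
        elif e["id"] == 1 and e["image"] == "7z.exe":
            hits.append(("archiver-staging", e))
        elif e["id"] == 3:
            if (e["dst_ip"], e["dst_port"]) in C2_INDICATORS:
                hits.append(("known-c2", e))
            elif e["image"] == "w3wp.exe" and e["dst_port"] not in EXPECTED_EGRESS_PORTS:
                hits.append(("iis-worker-unusual-egress", e))
    return hits


def run():
    """Return the detection names fired over the constructed samples."""
    web = [name for name, _ in suspicious_web_requests(parse_iis_w3c(IIS_LOG))]
    host = [name for name, _ in suspicious_host_events(HOST_EVENTS)]
    return web, host


if __name__ == "__main__":
    for kind, names in zip(("web", "host"), run()):
        print(kind, names)
```

The web-log check deliberately keys on the request method and the file extension rather than on a particular web shell name, because the report notes the group ships updated ASPXSpy variants; the host-side check pairs the `w3wp.exe` to `cmd.exe` parent/child relationship with the C2 indicator so that a hit on either alone is still surfaced.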