From credit card fraud to zero-day exploits: Xe Group expanding cybercriminal efforts | CyberScoop<\/title> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/xegroup-zero-day-exploit-intezer-labs-solis-security-vietnam\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"From credit card fraud to zero-day exploits: Xe Group expanding cybercriminal efforts\"> <meta property=\"og:description\" content=\"The Vietnam-based group has grown more sophisticated since 2013, new research shows.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/xegroup-zero-day-exploit-intezer-labs-solis-security-vietnam\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2025-02-03T13:00:00+00:00\"> <meta property=\"article:modified_time\" content=\"2025-02-03T13:11:16+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/from-credit-card-fraud-to-zero-day-exploits-xe-group-expanding-cybercriminal-efforts-2.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1280\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Greg Otto\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@gregotto\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1732206022g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1736472017g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1738186663g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=811a4fffdf449a472805\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/83372\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.7.1\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=83372\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fxegroup-zero-day-exploit-intezer-labs-solis-security-vietnam%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fxegroup-zero-day-exploit-intezer-labs-solis-security-vietnam%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-83372 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/xegroup-zero-day-exploit-intezer-labs-solis-security-vietnam\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--event js-stickybar\">\n<div class=\"stickybar__details\" readability=\"5.12\">\n<div class=\"stickybar__info js-sticky-bar-content\" readability=\"32\">\n<p>Nominations can be submitted for the 2025 CyberScoop 50 awards!<\/p>\n<\/div>\n<p> <a class=\"stickybar__link button button-tertiary\" href=\"https:\/\/cyberscoop.com\/cyberscoop50\/\">Click here!<\/a> <\/div>\n<p> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.395833333333\">\n<div class=\"single-article__header-content\" readability=\"34.408839779006\">\n<p> The Vietnam-based group has grown more sophisticated since 2013, new research shows. <\/p>\n<p>  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/83372\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"426\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/from-credit-card-fraud-to-zero-day-exploits-xe-group-expanding-cybercriminal-efforts.jpg?resize=640%2C426&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/from-credit-card-fraud-to-zero-day-exploits-xe-group-expanding-cybercriminal-efforts-2.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/from-credit-card-fraud-to-zero-day-exploits-xe-group-expanding-cybercriminal-efforts-2.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/from-credit-card-fraud-to-zero-day-exploits-xe-group-expanding-cybercriminal-efforts-2.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/from-credit-card-fraud-to-zero-day-exploits-xe-group-expanding-cybercriminal-efforts-2.jpg?resize=1024,683 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/from-credit-card-fraud-to-zero-day-exploits-xe-group-expanding-cybercriminal-efforts-2.jpg?resize=1536,1024 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/from-credit-card-fraud-to-zero-day-exploits-xe-group-expanding-cybercriminal-efforts-2.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/from-credit-card-fraud-to-zero-day-exploits-xe-group-expanding-cybercriminal-efforts-2.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/from-credit-card-fraud-to-zero-day-exploits-xe-group-expanding-cybercriminal-efforts-2.jpg?resize=506,337 506w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/from-credit-card-fraud-to-zero-day-exploits-xe-group-expanding-cybercriminal-efforts-2.jpg?resize=1013,675 1013w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/from-credit-card-fraud-to-zero-day-exploits-xe-group-expanding-cybercriminal-efforts-2.jpg?resize=1265,843 1265w\" sizes=\"(max-width: 1013px) 100vw, 1013px\"><figcaption> (alexsl\/Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"29.767720306513\"><body readability=\"59.944183476098\"><\/p>\n<p>A cybercriminal organization that has been operating for over a decade has moved from credit-card skimming to exploiting zero-day vulnerabilities, according to a joint investigation by cybersecurity firms Solis Security and Intezer. The group, tracked as XE Group, now poses heightened risks to global supply chains, particularly in manufacturing and distribution sectors, by leveraging stealthier tactics and long-term system access.<\/p>\n<p>Initially identified in 2013 for targeting e-commerce platforms with credit-card skimmers, XE Group has steadily refined its methods. Early campaigns exploited known vulnerabilities in widely used tools like <a href=\"https:\/\/www.telerik.com\/\">Telerik UI for ASP.NET<\/a>, deploying webshells \u2014 malicious scripts that grant remote server access \u2014 to steal payment data. By 2024, the group shifted focus to targeted information theft, exploiting two zero-day vulnerabilities in <a href=\"https:\/\/www.advantive.com\/brands\/veracore\/\">VeraCore<\/a>, a supply chain management software used by fulfillment companies and retailers.<\/p>\n<p>The vulnerabilities \u2014 an upload validation flaw and a SQL injection flaw \u2014 allowed XE Group to infiltrate systems, exfiltrate configuration files, and maintain access for years. Notably, the group reactivated a webshell in 2024 that had been planted in a 2020 breach, demonstrating a sophisticated level of patience and operational discipline. <\/p>\n<p>CVEs for the flaw have not been made publicly available, but an Intezer representative tells CyberScoop they will be released shortly after final validation from MITRE. VeraCore\u2019s parent company, Adavantive <a href=\"https:\/\/advantive.my.site.com\/support\/s\/article\/VeraCore-Release-Notes-2024-4-2-1\">issued a temporary fix<\/a> for the upload validation flaw in November. Intezer told CyberScoop the SQL flaw remains unpatched.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Emails to Advantive were not returned. <\/p>\n<p>Researchers found the group\u2019s infrastructure includes domains for command-and-control and hosting skimming tools, which it has used over the years to automate tactics:<\/p>\n<ul class=\"wp-block-list\">\n<li>In 2020, the group extracted database credentials via obfuscated Transact-SQL queries, later using them to upload malicious files.<\/li>\n<li>The group has used customized variants of open-source webshells like <a href=\"https:\/\/attack.mitre.org\/software\/S0073\/\">ASPXSpy<\/a>, with features for file manipulation, network scanning, and SQL database reconnaissance. By 2024, these tools included automated data exfiltration and PowerShell-based payload delivery.<\/li>\n<li>Recent campaigns used native Microsoft Windows utilities like arp and <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-server\/administration\/windows-commands\/netstat\">netstat<\/a> for network mapping, while PowerShell scripts loaded <a href=\"https:\/\/www.cisa.gov\/sites\/default\/files\/2023-08\/MAR-10430311.c1.v1.pdf\">Meterpreter malware<\/a> \u2014 a tool linked to advanced persistent threats \u2014 to establish covert communication channels.<\/li>\n<\/ul>\n<p>One of the most noteworthy findings was XE Group\u2019s ability to maintain access to a compromised system for over four years. In November 2024, the group reused credentials stolen in 2020 to reactivate a webshell, suggesting they prioritize persistence over immediate monetization. This approach allows them to quietly gather intelligence or stage larger attacks.<\/p>\n<p>\u201cThese recent discoveries highlight that XE Group is not only active but evolving,\u201d the blog reads. \u201cThe group\u2019s ability to exploit unknown vulnerabilities and sustain prolonged access to targeted systems reflects a significant shift in their operational strategy.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p><a href=\"https:\/\/www.volexity.com\/blog\/2021\/12\/07\/xe-group-exposed-8-years-of-hacking-card-skimming-for-profit\/\">Previous research<\/a> on XE Group points to it likely being <a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2020\/07\/credit-card-skimmer-targets-asp-net-sites\">located in Vietnam<\/a>. While definitive attribution remains challenging, historical markers \u2014 including Vietnamese-linked email addresses and pseudonyms like \u201cXeThanh\u201d \u2014 suggest a well-resourced operation, yet minimal efforts to obscure its identity. The lack of obscurity means the XE Group is unlikely to be state-aligned, since those groups typically employ stricter operational security.<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"4.1276978417266\">\n<div class=\"author-card\" readability=\"14\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/from-credit-card-fraud-to-zero-day-exploits-xe-group-expanding-cybercriminal-efforts-1.jpg?w=640&ssl=1\" alt=\"Greg Otto\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Greg Otto<\/h4>\n<p> Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News & World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/xegroup-zero-day-exploit-intezer-labs-solis-security-vietnam\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>From credit card fraud to zero-day exploits: Xe Group expanding<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[282,78,3654,256,3655,288,3656,3657,1170],"tags":[286,86,3658,262,3659,294,3660,3661,1171],"class_list":["post-7170","post","type-post","status-publish","format-standard","hentry","category-cybercrime","category-cybersecurity","category-intezer","category-research","category-solis-security","category-threats","category-veracore","category-xe-group","category-zero-days","tag-cybercrime","tag-cybersecurity","tag-intezer","tag-research","tag-solis-security","tag-threats","tag-veracore","tag-xe-group","tag-zero-days"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybercrime\/\" rel=\"category tag\">cybercrime<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/intezer\/\" rel=\"category tag\">intezer<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/research\/\" rel=\"category tag\">Research<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/solis-security\/\" rel=\"category tag\">Solis Security<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/veracore\/\" rel=\"category tag\">VeraCore<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/xe-group\/\" rel=\"category tag\">XE Group<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/zero-days\/\" rel=\"category tag\">zero-days<\/a>","tag_info":"zero-days","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7170","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=7170"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7170\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=7170"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=7170"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=7170"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":7170,"date":"2025-02-03T07:00:00","date_gmt":"2025-02-03T13:00:00","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=83372"},"modified":"2025-02-03T07:00:00","modified_gmt":"2025-02-03T13:00:00","slug":"from-credit-card-fraud-to-zero-day-exploits-xe-group-expanding-cybercriminal-efforts","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/02\/03\/from-credit-card-fraud-to-zero-day-exploits-xe-group-expanding-cybercriminal-efforts\/","title":{"rendered":"From credit card fraud to zero-day exploits: Xe Group expanding cybercriminal efforts"},"content":{"rendered":"