A cybercriminal group with a long history of credit card skimming has evolved into a more sophisticated threat, targeting supply chain organizations in manufacturing and distribution. The XE Group, a Vietnamese-linked threat actor, has recently exploited two zero-day vulnerabilities in VeraCore’s warehouse management software, marking a shift in its attack methods.
From Credit Card Skimming to Supply Chain Attacks
For years, XE Group operated in the shadows, primarily skimming credit card data from e-commerce sites. But its latest move shows an evolution in strategy. Researchers from Intezer and Solis say the group is now exploiting critical software vulnerabilities, allowing them to gain deeper access into supply chain networks.
“XE Group’s evolution from credit card skimming operations to exploiting zero-day vulnerabilities underscores their adaptability and growing sophistication,” the researchers noted in a recent report.
Originally surfacing in 2013, XE Group was known for leveraging web vulnerabilities to inject malicious scripts into online payment systems. Over the past decade, security firms including Malwarebytes, Volexity, and Menlo Security have tracked the group’s activities. By 2023, it had expanded into setting up fake phishing sites, stealing personal data, and selling it in underground markets.
This latest shift toward software supply chain attacks raises new concerns. Instead of targeting individual victims, XE Group now infiltrates widely used platforms, compromising entire distribution networks.
Zero-Day Exploits in VeraCore
The group’s recent attacks focus on two newly discovered vulnerabilities in VeraCore:
- CVE-2024-57968: A severe upload validation flaw (CVSS score of 9.9) that allows attackers to upload and execute malicious files.
- CVE-2025-25181: A SQL injection vulnerability (CVSS score of 5.8) that can be used to manipulate databases and extract sensitive information.
By exploiting these vulnerabilities, XE Group has managed to install custom ASPX Web shells—small backdoor programs that give them continuous remote access. In one case, researchers found evidence that the group had been inside a compromised system since January 2020, reactivating a Web shell four years later.
Such persistence signals a methodical, long-term approach. Unlike ransomware groups that quickly demand payments, XE Group appears to favor prolonged, undetected access.
XE Group’s Expanding Toolkit
This latest campaign reflects XE Group’s growing expertise. Instead of relying on just one attack method, they now use a mix of strategies:
- JavaScript Injection: Malicious scripts embedded in webpages to steal user data.
- Exploitation of Web Vulnerabilities: Attacking widely used software products to gain a foothold in supply chains.
- Custom Web Shells: Allowing long-term remote access to compromised systems.
According to a report from Menlo Security, XE Group was already experimenting with supply chain attacks in 2023. But the recent VeraCore exploits indicate a deeper shift—targeting business infrastructure instead of just consumer data.
The Bigger Picture: Supply Chain Cybersecurity at Risk
XE Group’s activities fit a broader pattern of cybercriminals exploiting software supply chains. Some of the most high-profile breaches in recent years follow a similar approach:
| Attack Target | Method Used | Impact |
|---|---|---|
| SolarWinds (2020) | Compromised software update | Affected 18,000 organizations, including US government agencies |
| Progress MOVEit (2023) | Exploited file transfer vulnerability | Exposed sensitive data from multiple businesses |
| Okta (2023) | Breached customer support system | Affected all Okta customers |
| Accellion (2021) | File-sharing vulnerability | Led to ransomware attacks on corporate clients |
XE Group is now playing in the same league. By focusing on software used in manufacturing and distribution, they maximize their impact, potentially affecting thousands of businesses that rely on VeraCore’s platform.
What’s Next for XE Group?
Given their track record, XE Group is unlikely to stop here. Their ability to remain undetected for years suggests they will continue refining their tactics. Security researchers warn that similar groups may follow suit, exploiting vulnerabilities in widely used business software.
For organizations in manufacturing and distribution, this is a wake-up call. Software vulnerabilities aren’t just an IT issue—they are now a major business risk.