![XE Group Attack Detection](https://techsecinfo.com/wp-content/uploads/2025/02/XE-Group-1-400x234-1.jpg)
XE Group, a likely Vietnam-linked hacking collective that has been active in the cyber threat arena for over a decade, is believed to be behind the exploitation of two VeraCore zero-day vulnerabilities. In the latest campaign, the adversaries weaponized the VeraCore flaws tracked as CVE-2024-57968 and CVE-2025-25181 to deploy reverse shells and web shells, gaining stealthy remote access to the targeted instances and demonstrating the evolution of the group’s offensive operations.
Detect XE Group Attacks
With a surge of critical vulnerabilities under active exploitation identified since early 2025, threat actors are increasingly using new exploits to compromise their targets of interest. Among these adversaries, XE Group stands out for leveraging VeraCore zero-days (CVE-2024-57968, CVE-2025-25181) in its most recent campaigns.
To spot possible intrusions at the earliest stages, the SOC Prime Platform for collective cyber defense provides a set of Sigma rules addressing XE Group’s latest attacks, backed by a complete product suite for advanced threat detection and hunting.
The rules are compatible with multiple SIEM, EDR, and Data Lake solutions while being mapped to the MITRE ATT&CK framework to streamline threat investigation. Additionally, each rule is accompanied by broad metadata, including CTI references, attack timelines, triage recommendations, and audit configurations.
Security experts can also hunt for the IOCs provided in Intezer’s analysis of XE Group activity. SOC Prime’s Uncoder AI creates custom IOC-based queries in a matter of seconds and lets analysts run them directly in their chosen SIEM or EDR environment. Previously available only to corporate clients, Uncoder AI is now accessible to individual researchers with its full capabilities.
XE Group Activity Analysis
Research by Intezer and Solis Security provides insights into the latest activity of XE Group, a sophisticated hacking collective believed to be of Vietnamese origin and notorious for web shell deployment and malware distribution. XE Group employs advanced techniques supported by a coordinated infrastructure. The adversaries initially specialized in credit card data theft, mainly through supply chain attacks that injected malicious JavaScript, customized ASPXSPY web shells for unauthorized access, and executables disguised as PNG files to spawn reverse shells.
In the early spring of 2023, CISA released an advisory regarding the exploitation of Progress Telerik vulnerabilities on various U.S. state government IIS servers. The alert noted that several actors, including XE Group, carried out reconnaissance and scanning activities to weaponize CVE-2019-18935 on an affected agency’s IIS server running Telerik UI for ASP.NET AJAX.
In 2024, threat actors shifted their focus to supply chain attacks, exploiting emerging CVEs with advanced methods. XE Group recently weaponized two zero-days in VeraCore, CVE-2024-57968 and CVE-2025-25181, enabling them to deploy web shells for persistent unauthorized access.
CVE-2024-57968, a critical upload validation flaw with a CVSS score of 9.9, affects VeraCore versions prior to 2024.4.2.1 by allowing adversaries to upload files to unintended directories, where other users can potentially reach them via web browsing. CVE-2025-25181 (CVSS score 5.8) is an SQL injection issue in timeoutWarning.asp of Advantive VeraCore versions up to 2025.1.0, which allows remote attackers to run arbitrary SQL commands via the PmSess1 parameter.
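As an added illustration (not part of the original post or of SOC Prime’s rule set), the Python below hunts IIS W3C logs for CVE-2025-25181 exploitation attempts: requests to timeoutWarning.asp whose PmSess1 value contains SQL syntax rather than a session token. The log lines are constructed, and the /VeraCore/ path and the alphanumeric token shape are assumptions.

```python
import re
from urllib.parse import parse_qs

# Constructed IIS W3C-style log excerpt for illustration; the /VeraCore/ path is assumed.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2025-02-05 09:14:02 10.0.0.21 GET /VeraCore/timeoutWarning.asp PmSess1=A7F3K9Q2 200
2025-02-05 09:14:09 10.0.0.21 GET /VeraCore/timeoutWarning.asp PmSess1=A7F3K9Q2%27-- 500
2025-02-05 09:15:31 10.0.0.44 GET /VeraCore/index.asp - 200
2025-02-05 09:16:12 10.0.0.21 GET /VeraCore/timeoutWarning.asp PmSess1=1%27%20OR%201%3D1-- 200
"""

# Assumed shape of a legitimate PmSess1 session value: a short alphanumeric token.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
# SQL metacharacters and keywords that have no business in a session identifier.
SQLI_RE = re.compile(r"['\";]|--|/\*|\b(?:or|and|union|select|waitfor|exec|declare)\b", re.I)


def parse_w3c(text):
    """Turn a W3C extended log into dicts keyed by the names in the #Fields line."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split(" "))))
    return rows


def find_suspicious(text):
    """Return rows whose PmSess1 value on timeoutWarning.asp looks like SQL, not a token."""
    hits = []
    for row in parse_w3c(text):
        if not row["cs-uri-stem"].lower().endswith("/timeoutwarning.asp"):
            continue
        # parse_qs percent-decodes, so the check runs on what the ASP page would see.
        for value in parse_qs(row.get("cs-uri-query", "")).get("PmSess1", []):
            if not TOKEN_RE.match(value) and SQLI_RE.search(value):
                hits.append({**row, "PmSess1": value})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"{hit['date']} {hit['time']} {hit['c-ip']} PmSess1={hit['PmSess1']!r} status={hit['sc-status']}")
```

The two-stage check (token shape first, SQL syntax second) keeps ordinary session values out of the alert queue; tune TOKEN_RE to the real format once you have confirmed it in your own logs.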
The most recent XE Group malicious tactics extend beyond short-term campaigns. For example, threat actors breached an organization in 2020 and maintained persistence for years, later reusing an earlier-installed web shell in 2024. This highlights their methodical and covert attack strategy.
XE Group’s shift to zero-day exploits highlights the growing sophistication and adaptability of adversary techniques, demanding swift and proactive defense strategies. By relying on SOC Prime Platform for collective cyber defense, organizations can stay ahead of constantly evolving adversaries, increasing threats, and ever-expanding attack surfaces, while enabling a robust cybersecurity posture.
The post XE Group Activity Detection: From Credit Card Skimming to Exploiting CVE-2024-57968 and CVE-2025-25181 VeraCore Zero-Day Vulnerabilities appeared first on SOC Prime.