2025-02-16
A New Era of Cybercrime
A recent investigation by cybersecurity firms Intezer and Solis Security has uncovered the latest operations of XE Group, a cybercriminal organization active since at least 2013. Originally focused on credit card skimming, the group has evolved to target supply chains in the manufacturing and distribution sectors. Their attacks now involve exploiting zero-day vulnerabilities, leveraging sophisticated tactics, and maintaining persistent access to compromised systems.
This shift highlights XE Group’s increasing expertise in advanced cyber threats, making them a significant risk to industries reliant on digital supply chains. Their recent use of unpatched vulnerabilities, custom web shells, and obfuscated malware suggests a calculated approach to long-term infiltration and data exfiltration.
XE
- Transition from Credit Card Skimming to Information Theft – XE Group has moved beyond simple financial fraud to more complex cyberattacks on supply chains.
- Exploitation of Zero-Day Vulnerabilities – They have used critical security flaws, including CVE-2024-57968 (CVSS 9.9) and CVE-2025-25181 (CVSS 5.8), to infiltrate systems.
- Attack on Advantive VeraCore – A major warehouse management system was targeted via web shells and reverse shells, enabling persistent access.
- Use of Web Shells and Obfuscated Malware – Malicious ASPXSPY web shells and disguised executable files (posing as PNG images) were deployed.
- Telerik UI Exploitation – Older vulnerabilities like CVE-2017-9248 and CVE-2019-18935 were re-used for persistent access.
- Detection and Mitigation – A November 5, 2024, attack was detected by an Endpoint Detection and Response (EDR) system, preventing full compromise.
- Long-Term Persistence – XE Group has demonstrated the ability to reactivate web shells years after their initial deployment.
- Systemic Understanding of Supply Chain Weaknesses – Their methodical approach suggests a deep knowledge of industry vulnerabilities, making mitigation more challenging.
What Undercode Say: Analyzing XE Group’s Strategy and Implications
XE Group’s recent evolution into sophisticated supply chain attacks presents a major cybersecurity challenge. Let’s break down their tactics, impact, and what this means for cybersecurity defense strategies.
1. The Shift from Financial Fraud to Supply Chain Attacks
Originally known for credit card skimming, XE Group has redefined its focus, demonstrating a strategic shift. This mirrors trends seen in other advanced cybercriminal groups, where financial gain is pursued through long-term infiltration rather than quick hits. Supply chain attacks offer access to multiple targets through a single point of compromise, increasing the damage exponentially.
2. Exploiting Zero-Day Vulnerabilities: A Growing Trend
By leveraging CVE-2024-57968 and CVE-2025-25181, XE Group capitalized on newly discovered security flaws before patches could be developed. The high severity of these vulnerabilities indicates that companies using Advantive VeraCore are particularly at risk. The use of unpatched vulnerabilities also suggests that XE Group either conducts in-depth research on potential flaws or purchases exploits from underground sources.
3. The Use of Web Shells for Persistent Access
One of the most concerning aspects of XE Group’s operations is their reliance on web shells. These malicious scripts provide a backdoor into compromised systems, allowing attackers to maintain control over an extended period. The ability to reactivate a web shell years after its initial deployment suggests that XE Group carefully selects long-term targets, prioritizing stealth over immediate financial gain.
4. The Role of Obfuscation in Evasion Tactics
XE Group employs obfuscation techniques, such as embedding malicious code within seemingly harmless PNG files. This method bypasses traditional security measures, making detection more difficult. As modern cybersecurity tools become more advanced, attackers are increasingly relying on file-based obfuscation to evade scrutiny.
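The PNG masquerade described above can be caught by checking what a file actually starts with rather than what its name claims. The following is an added example written for this write-up, not code from the report or the investigators; the file names and header bytes in `SAMPLES` are constructed for the demo.

```python
import struct
from pathlib import Path

# Added example, not code from the report: compare a file's claimed type (.png)
# with the magic bytes it actually carries, since the write-up describes
# executables dropped under PNG names.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"  # first 8 bytes of every valid PNG
MZ_MAGIC = b"MZ"                  # DOS stub that precedes every PE header
HEADER_BYTES = 0x200              # usually enough to reach the PE signature

def classify_header(data: bytes) -> str:
    """Classify by leading bytes only: 'png', 'pe', 'mz' or 'unknown'."""
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(MZ_MAGIC):
        if len(data) >= 0x40:
            # e_lfanew at offset 0x3C holds the offset of the "PE\0\0" signature
            (pe_offset,) = struct.unpack_from("<I", data, 0x3C)
            if data[pe_offset:pe_offset + 4] == b"PE\x00\x00":
                return "pe"
        return "mz"  # DOS-only or truncated executable header; still not an image
    return "unknown"

def is_masquerading_png(name: str, data: bytes) -> bool:
    """True when the name claims PNG but the content is an MZ/PE executable."""
    return Path(name).suffix.lower() == ".png" and classify_header(data) in ("pe", "mz")

def scan_directory(root: str) -> list[str]:
    """Return paths of *.png files under root whose header is executable."""
    hits = []
    for path in Path(root).rglob("*.png"):
        if path.is_file():
            with path.open("rb") as fh:
                if is_masquerading_png(path.name, fh.read(HEADER_BYTES)):
                    hits.append(str(path))
    return hits

# Constructed samples: a genuine PNG header, and a minimal MZ+PE header
# (not a real binary) stored under an image name.
SAMPLES = {
    "logo.png": PNG_MAGIC + b"\x00\x00\x00\rIHDR",
    "update.png": MZ_MAGIC.ljust(0x3C, b"\x00") + struct.pack("<I", 0x40) + b"PE\x00\x00",
    "notes.txt": b"plain text",
}

def masquerading_in_samples() -> list[str]:
    """Names in SAMPLES that claim .png but carry an executable header."""
    return sorted(n for n, d in SAMPLES.items() if is_masquerading_png(n, d))
```

Point `scan_directory` at a web root or upload folder to get the same check over real files; a hit is worth correlating with web-server logs for the request that wrote it.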
5. Targeting Industrial and Manufacturing Sectors
The choice to focus on the manufacturing and distribution sectors is strategic. These industries rely on complex supply chains, often involving multiple third-party vendors with varying security postures. By targeting a single weak link, XE Group can compromise an entire network, exfiltrating valuable intellectual property, credentials, and financial data.
6. The Risk of Reused Vulnerabilities in Telerik UI
The group’s continued exploitation of older vulnerabilities (CVE-2017-9248 and CVE-2019-18935) in Telerik UI software suggests that many organizations have not implemented proper patch management strategies. This highlights a critical flaw in enterprise security: failure to address known vulnerabilities remains one of the most exploited weaknesses in cybersecurity.
7. The Role of Endpoint Detection and Response (EDR) Systems
One positive takeaway from this investigation is that XE Group’s latest attack was mitigated by an EDR system. This demonstrates the effectiveness of real-time monitoring and threat intelligence in combating advanced threats. However, detection alone is not enough—organizations must ensure they have rapid response capabilities to neutralize threats before significant damage occurs.
8. The Importance of Proactive Cybersecurity Strategies
XE Group’s attacks underscore the need for a proactive security approach, including:
- Regular penetration testing to identify vulnerabilities before attackers do.
- Implementation of zero-trust security models to limit access within networks.
- Strong patch management protocols to prevent exploitation of known vulnerabilities.
- Advanced threat intelligence monitoring to detect indicators of compromise (IoCs).
9. The Future of Supply Chain Cyber Threats
If XE Group’s tactics prove successful, other cybercriminal groups will likely adopt similar methods.
References:
Reported By: https://securityaffairs.com/174045/cyber-crime/xe-group-exploiting-zero-days.html