Over the past decade, there has been a rise in the number of cyber threats targeting the country, including the XE Group, a hacker collective with Vietnamese connections. According to recent investigations, the group was responsible for exploiting two zero-day vulnerabilities in VeraCore's warehouse management platform, CVE-2025-25181 and CVE-2025-57968 known to be zero-day vulnerabilities. 

A suite of reverse shells and web shells that exploit these vulnerabilities were deployed by the adversaries, allowing them to gain remote access to targeted systems in covert ways. This development is an indication of the group's sophisticated cyber-attack techniques. Identified as CVE-2024-57968, the vulnerability is a critical upload validation vulnerability with a CVSS score of 9.9, affecting versions before 2024.4.2.1, and can allow adversaries to upload files into non-intended directories, which could result in unauthorized access to the files. 

Adventure VeraCore up to version 2025.1.0 is vulnerable to SQL injection flaw CVE-2025-25181, which could be exploited remotely to execute arbitrary SQL commands through the remote execution of SQL commands. In addition to the XE Group's past association with credit card fraud, their focus has now switched to targeted data theft, particularly within manufacturing and distribution organizations. 

Several recent attacks have been perpetrated by threat actors who exploited VeraCore security issues to install Web Shells, which allowed them to execute various malicious activities and remain persistent within compromised environments while they executed their malicious activities. The group's continued sophistication and adaptability in the cyber threat landscape is reflected in this recent report, which details a compromise of a Microsoft Internet Information Services (IIS) server where VeraCore's warehouse management system software is hosted, and it indicates the company's growing sophistication. 

Upon further analysis of this incident, it was discovered that the initial breach occurred in January 2020 as a result of a zero-day vulnerability in SQL injection. It is speculated that As a result of this exploitation, The XE Group deployed customized web shells, which researchers have described as very versatile tools that are designed to maintain persistent access inside victim environments as well as run SQL queries regarding those environments.

As an example, in the case of the compromised IIS server, the attackers reactivated a web shell that was planted four years earlier, showing that they have retained a foothold in the infrastructure targeted by them for many years. Security vendors have been warning that the XE Group is actively targeting supply chains in the manufacturing and distribution sectors. Though the group has historically been associated with extensive credit card skimming operations, it has recently gained a reputation for exploiting zero-day vulnerabilities to do more damage. 

According to researchers, the group's continued ability to adapt and increase sophistication underscores the group's ability to remain agile and sophisticated over the years. The reactivation of an older web shell indicates the group's strategic focus on achieving long-term operational objectives by maintaining long-term access to compromised systems. 

To enhance the threat investigation process, the rules have been designed to be compatible with several SIEM (Security Information and Event Management) systems, Endpoint Detection and Response systems (EDR), and Data Lake solutions aligned with the MITRE ATT&CK framework. There is a variety of metadata that is accessible in each rule, including references to cyber threat intelligence, attack timelines, triage recommendations, and audit configurations, guaranteeing that security analysis has a structured approach. 

Additionally, SOC Prime's Uncoder AI (Artificial Intelligence) capabilities enable the quick development of custom IOC-based queries that will be seamlessly integrated with SIEM and EDR platforms, thus eliminating the need for security professionals to manually search for indicators of compromise (IOCs). Intezer's analysis of XE Group activity and SOC Prime's Uncoder AI were used to achieve this.

As an alternative to the corporate-only service offered previously by Uncoder AI, customers can now benefit from Uncoder AI's full suite of capabilities, which enhances accessibility for independent risk analysis performed by individual researchers. As a consequence of the XE Group's adoption of zero-day exploits as part of their attack strategy, it became increasingly clear that adversarial techniques are becoming more sophisticated and adaptable, making it necessary to enter into proactive defence measures as soon as possible.

SOC Prime Platform is a scalable tool designed to assist organizations in enhancing their security posture, countering evolving threats effectively, and mitigating risks associated with adding more attack surfaces in an increasingly complex cyber landscape by utilizing the tools provided by the platform. The XE Group has exploited two zero-day VeraCore vulnerabilities, CVE-2025-25181 and CVE-2025-50308, in recent attacks in an attempt to deploy one or more web shells on compromised systems. 

These two vulnerabilities are critical upload validation flaws (CVSS 9.9) and SQL injection flaws (CVSS 5.7), respectively. In a report published jointly by Solis and Intezer, the researchers reported that the group exploited one of these vulnerabilities as early as January 2020 and maintained persistent access to the victim's environment for several years afterwards. There was an attempt in 2024 by some threat actors to reactivate a previously deployed web shell, demonstrating their ability to avoid detection while maintaining long-term access to compromised systems as they remain undetected. 

XE Group's evolving tactics come as part of a broader trend that threats are exploring the software supply chain as a way to achieve their goals. Some notable precedents include the SolarWinds attack, breaches into Progress Software's MOVEit file transfer product, an Okta intrusion that affected all customers, and an Accellion breach that enabled ransomware to be deployed on an organization's network.