XE Group: From Credit Card Skimming to Exploiting Zero-Days
ID: dafa39a2-40c3-5b64-bb85-a083e2b206dd
STIX ID: report--dafa39a2-40c3-5b64-bb85-a083e2b206dd
Feed Name: Intezer Blog
This report analyzes XE Group — a long-active cybercriminal actor that has shifted from credit-card skimming to targeted information theft — detailing exploitation of two VeraCore vulnerabilities (CVE-2024-57968, CVE-2025-25181), the deployment and evolution of ASPX webshells, post-exploitation activity (including a PowerShell reflective loader and Meterpreter C2), persistence across multiple years, operational TTPs, IOCs (file hashes, IP addresses, YARA rules), and a vendor disclosure timeline.
