In 2020 and 2021, Volexity identified multiple compromises related to a relatively unknown criminal threat actor that refers to itself as “XE Group”. Volexity believes that XE Group is likely a Vietnamese-origin criminal threat actor whose intrusions follow an approximate pattern:

- Compromise of externally facing services via known exploits (e.g., Telerik UI vulnerabilities)
- Monetization of these compromises through installation of password theft or credit card skimming code for web services related to these servers

XE Group activity was previously reported in a 2020 blog post by Malwarebytes; this post provides additional insight into XE Group and an update on its current operations.

Analysis

Volexity first encountered XE Group activity in early 2020 following a web server compromise at a customer site. The breach of the web server was automated, and it was remediated quickly after discovery, with no notable actions taken by the attacker. That one […]