XE Group

Search IOCs, vulnerabilities, APT…

216.73.216.226

← Back to intrusion sets

· Published 21/12/2025 10:29 · Modified 21/12/2025 10:29 · Source: AlienVault

Essential information

Confidence: 100/100
Published: 21/12/2025 10:29
Modified: 21/12/2025 10:29
Updated at: 21/12/2025 10:29
Revoked: No
Author / Source: AlienVault
Resource level: —
Primary motivation: —
Related entities: 1 reports, 17 attack patterns (mitre), 3 malware, 2 sectors, 14 indicators, 4 vulnerabilities (cve)

Description

No description.

Marking (TLP)

TLP:CLEAR

Related entities

Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.

Reports (1)

From Credit Card Skimming to Exploiting Zero-Days

4 CVEs 17 MITREs 3 Malwares 17 Observables 1 APT

Attack patterns (MITRE) (17)

T1547 uses

Boot or Logon Autostart Execution MITRE
T1218 uses

System Binary Proxy Execution MITRE
T1048 uses

Exfiltration Over Alternative Protocol MITRE
T1078 uses

Valid Accounts MITRE
T1573 uses

Encrypted Channel MITRE
T1046 uses

Network Service Discovery MITRE
T1135 uses

Network Share Discovery MITRE
T1505.003 uses

Web Shell MITRE
T1082 uses

System Information Discovery MITRE
T1190 uses

Exploit Public-Facing Application MITRE
T1574 uses

Hijack Execution Flow MITRE
T1090 uses

Proxy MITRE

← Previous

Page / 2

1–12 of 17

Meterpreter uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
ASPXSpy - S0073 uses

Family
ASPXSpy uses

Family

Sectors (2)

Manufacturing targets
Retail targets

Indicators (14)

object.fm indicates
ba2109b5a3ccebbc494ee93880b55640539c7d25b85bc12189f0c671ce473771 indicates
013ccea1d7fc2aa2d660e900f87a3192f5cb73768710ef2eb9016f81df8e5c70 indicates
xegroups.com indicates
https://hivnd.com/software/7z.exe indicates
322f8cd560d5e10e93af3ea6d3505c8de213f549e6627c3ef4664ed92ba55f56 indicates
38b2d52dc471587fb65ef99c64cb3f69470ddfdaa184a256aecb26edeff3553a indicates
hivnd.com indicates
xework.com indicates
680b7e8ec8204975c5026bcbaf70f7e9620eacdd7bf72e5476d17266b4a7d316 indicates
c564acd69efa62a5037931090bf70a6506419fdf59ec52f8d1ab0b15d861cc67 indicates
884c394c7b3eb757ae57050ac2e6a75385a361555e8e4272de1a3cf24746eec7 indicates

← Previous

Page / 2

1–12 of 14

Vulnerabilities (CVE) (4)

CVE-2017-9248 KEV targets

9.8 Critical

Progress Telerik UI for ASP.NET AJAX and Sitefinity have a cryptographic weakness in Telerik.Web.UI.dll that can be exploited to disclose encryption keys …

Attack vector: NETWORK
Complexity: LOW
Published: 03/07/2017
Modified: 22/04/2026

CWE-522

CVE-2024-57968 KEV targets

9.9 Critical

Advantive VeraCore before 2024.4.2.1 allows remote authenticated users to upload files to unintended folders (e.g., ones that are accessible during web browsing …

Attack vector: Network
Published: 10/03/2025
Modified: 21/12/2025

Awaiting Analysis

CVE-2019-18935 KEV targets

Progress Telerik UI for ASP.NET AJAX contains a deserialization of untrusted data vulnerability through RadAsyncUpload which leads to code execution on the …

Published: 03/11/2021
Modified: 20/12/2025

CVE-2025-25181 KEV targets

5.8 Medium

A SQL injection vulnerability in timeoutWarning.asp in Advantive VeraCore through 2025.1.0 allows remote attackers to execute arbitrary SQL commands via the PmSess1 …

Attack vector: Network
Published: 10/03/2025
Modified: 21/12/2025