Sophistication or missed opportunity? Analysing XE Group's long-term exploitation of zero-days with limited impact

Presented at VB2025 Berlin by

The discovery of a threat actor leveraging multiple zero-day vulnerabilities to infiltrate a target over a four-year period typically signals a highly sophisticated and well-resourced adversary. However, what happens when there is no financial gain, no data exfiltration, and seemingly minimal impact on the victim organization? Was this a case of a failed operation, an intelligence-driven foothold, or something else entirely? This talk will dive into the operational tradecraft of a threat actor who successfully exploited zero-day vulnerabilities to maintain long-term persistence but left behind little evidence of monetization or destruction. We will explore the technical execution of the zero-day exploitation and the persistence mechanism, the possible motivations behind a prolonged yet low-impact operation, the indicators that would distinguish an espionage campaign from a failed attempt at lateral movement or a staging ground for future activity, and the question of the missed opportunity: did the attacker miscalculate, or was their objective never financial in nature?