... ...
A 2020 Malwarebytes report first outlined the group's activities, but a more in-depth analysis of recent compromises attributed to it was published by Volexity yesterday.
More details emerge
Volexity was able to map the infrastructure used by the XE Group in the last three years and shared all the technical details and IOCs on GitHub.
The researchers could find many infected sites carrying the same skimmer thanks to a common technique in loading malicious JavaScript snippets.
"The code used to load the malicious JavaScript from this page reveals that the attacker uses an interesting technique: the JavaScript keyword "object" is used to populate the domain value," the researchers shared in the Volexity report.