Threat hunters at managed detection and response firm Huntress say they have tracked a single, highly consistent attack chain across at least half a dozen unrelated organisations in the first half of 2026; one that begins with exploitation of the “CitrixBleed 2” vulnerability in Citrix NetScaler appliances and, in its most advanced form, ends in DragonForce ransomware.
Huntress assesses with high confidence that the activity is the work of an initial access broker (IAB) weaponising CVE-2025-5777 to gain footholds in Citrix environments before selling or handing off access, ultimately for the purpose of ransomware deployment. The firm says the intrusions it investigated were so mechanically similar – same privilege-escalation technique, same rogue account names, even the same attacker-controlled hostnames recurring across victims – that they point to a productised runbook rather than opportunistic, independent attacks.
A pre-auth memory leak that defeats MFA
CVE-2025-5777, dubbed CitrixBleed 2 in reference to 2023’s original CitrixBleed (CVE-2023-4966), is a pre-authentication memory-overread affecting NetScaler ADC and Gateway when configured as a Gateway or AAA virtual server. Malformed POST requests to the login endpoint, sent with an empty login form variable, cause the appliance to serialise roughly 127 bytes of adjacent process memory into its response. Sprayed at volume, this allows an attacker to harvest heap memory fragments, including live session tokens.
Huntress said it was able to fully reconstruct a session hijack in one incident: a legitimate employee authenticated normally via LDAP with MFA from a known-good IP, and 21 minutes later the same session was being driven from the attacker’s IP, with no successful authentication event from that IP anywhere in the logs. Because the session was already fully authenticated, MFA offered no protection; it had already been satisfied by the legitimate user.
The firm ruled out an alternative explanation involving a separate NetScaler session-management flaw (CVE-2026-4368) on the grounds that the affected appliance builds fell outside that CVE’s vulnerable range and that the relevant race condition requires an already-authenticated attacker session, which the logs did not show.
A single privilege-escalation tool across every case
Once inside, the operator consistently used a small, unsigned local privilege-escalation (LPE) tool to reach SYSTEM. The technique abuses the Windows registry’s SymbolicLinkValue (REG_LINK) mechanism, planting a symlink under a device-class key that redirects into the Group Policy state hierarchy. Triggering a policy refresh via gpupdate causes the Group Policy engine, which runs as SYSTEM, to write through the planted link, corrupting a protected configuration. Starting the built-in AppMgmt service then causes the Service Control Manager to relaunch the attacker’s binary with SYSTEM privileges, at which point a backdoor administrator account is created via net user and net localgroup Administrators commands.
Huntress noted the tool snapshots and subsequently restores the original registry state after detonation, a cleanup step designed to remove the artifacts a responder would typically rely on. Analysts also observed operator errors during the process, including a mistyped net user command, indicating a human operating largely automated tradecraft rather than a fully autonomous tool.
Persistence via legitimate RMM tooling
For persistence, the operator most frequently deployed rogue ScreenConnect clients configured to call back to attacker-controlled relay infrastructure, alongside Zoho Assist in several cases and, in one earlier instance, a Netbird and Atera combination, echoing a Netbird detail previously reported by Sophos, which has separately tracked overlapping activity as STAC3725. Huntress said it withheld some Zoho Assist indicators after recovering likely-stolen credentials belonging to unrelated organisations during the investigation.
In the most progressed case, the operator used PsExec, Impacket-based tooling and Mimikatz for lateral movement and credential access before deploying a DragonForce ransomware binary, resulting in encryption that Huntress says was contained to a single host through rapid triage.
Attribution remains ambiguous
Huntress was careful to caveat attribution, noting that overlapping tactics between initial access brokers and ransomware affiliates make firm attribution difficult, and that public and private reporting has linked the cluster to more than one ransomware brand. The firm said it considers the activity most likely to represent a single, highly successful IAB rather than a DragonForce-specific affiliate.
Recommendations
Huntress is urging organisations running NetScaler ADC or Gateway to patch immediately, forward NetScaler logs to a SIEM or long-term retention platform given how quickly on-device logs rotate, terminate outstanding sessions on vulnerable appliances since harvested tokens can survive a patch, and audit for unrecognised local accounts and unexpected ScreenConnect or Zoho Assist installations. A full list of indicators of compromise, including file hashes, account names and C2 infrastructure, accompanies Huntress’ original write-up, which can be found here: https://www.huntress.com/blog/citrixbleed-2-dragonforce-ransomware




