International Cyber Expo International Cyber Expo
  • About Us
Thursday, 9 July, 2026
IT Security Guru
International Cyber Expo
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
IT Security Guru
No Result
View All Result

CitrixBleed 2 exploited in repeatable attack chain culminating in DragonForce ransomware, researchers find

by Guru Writer
July 9, 2026
in Featured
hand typing on keyboard
Share on FacebookShare on Twitter

Threat hunters at managed detection and response firm Huntress say they have tracked a single, highly consistent attack chain across at least half a dozen unrelated organisations in the first half of 2026; one that begins with exploitation of the “CitrixBleed 2” vulnerability in Citrix NetScaler appliances and, in its most advanced form, ends in DragonForce ransomware.

Huntress assesses with high confidence that the activity is the work of an initial access broker (IAB) weaponising CVE-2025-5777 to gain footholds in Citrix environments before selling or handing off access, ultimately for the purpose of ransomware deployment. The firm says the intrusions it investigated were so mechanically similar – same privilege-escalation technique, same rogue account names, even the same attacker-controlled hostnames recurring across victims – that they point to a productised runbook rather than opportunistic, independent attacks.

A pre-auth memory leak that defeats MFA

CVE-2025-5777, dubbed CitrixBleed 2 in reference to 2023’s original CitrixBleed (CVE-2023-4966), is a pre-authentication memory-overread affecting NetScaler ADC and Gateway when configured as a Gateway or AAA virtual server. Malformed POST requests to the login endpoint, sent with an empty login form variable, cause the appliance to serialise roughly 127 bytes of adjacent process memory into its response. Sprayed at volume, this allows an attacker to harvest heap memory fragments, including live session tokens.

Huntress said it was able to fully reconstruct a session hijack in one incident: a legitimate employee authenticated normally via LDAP with MFA from a known-good IP, and 21 minutes later the same session was being driven from the attacker’s IP, with no successful authentication event from that IP anywhere in the logs. Because the session was already fully authenticated, MFA offered no protection; it had already been satisfied by the legitimate user.

The firm ruled out an alternative explanation involving a separate NetScaler session-management flaw (CVE-2026-4368) on the grounds that the affected appliance builds fell outside that CVE’s vulnerable range and that the relevant race condition requires an already-authenticated attacker session, which the logs did not show.

A single privilege-escalation tool across every case

Once inside, the operator consistently used a small, unsigned local privilege-escalation (LPE) tool to reach SYSTEM. The technique abuses the Windows registry’s SymbolicLinkValue (REG_LINK) mechanism, planting a symlink under a device-class key that redirects into the Group Policy state hierarchy. Triggering a policy refresh via gpupdate causes the Group Policy engine, which runs as SYSTEM, to write through the planted link, corrupting a protected configuration. Starting the built-in AppMgmt service then causes the Service Control Manager to relaunch the attacker’s binary with SYSTEM privileges, at which point a backdoor administrator account is created via net user and net localgroup Administrators commands.

Huntress noted the tool snapshots and subsequently restores the original registry state after detonation, a cleanup step designed to remove the artifacts a responder would typically rely on. Analysts also observed operator errors during the process, including a mistyped net user command, indicating a human operating largely automated tradecraft rather than a fully autonomous tool.

Persistence via legitimate RMM tooling

For persistence, the operator most frequently deployed rogue ScreenConnect clients configured to call back to attacker-controlled relay infrastructure, alongside Zoho Assist in several cases and, in one earlier instance, a Netbird and Atera combination, echoing a Netbird detail previously reported by Sophos, which has separately tracked overlapping activity as STAC3725. Huntress said it withheld some Zoho Assist indicators after recovering likely-stolen credentials belonging to unrelated organisations during the investigation.

In the most progressed case, the operator used PsExec, Impacket-based tooling and Mimikatz for lateral movement and credential access before deploying a DragonForce ransomware binary, resulting in encryption that Huntress says was contained to a single host through rapid triage.

Attribution remains ambiguous

Huntress was careful to caveat attribution, noting that overlapping tactics between initial access brokers and ransomware affiliates make firm attribution difficult, and that public and private reporting has linked the cluster to more than one ransomware brand. The firm said it considers the activity most likely to represent a single, highly successful IAB rather than a DragonForce-specific affiliate.

Recommendations

Huntress is urging organisations running NetScaler ADC or Gateway to patch immediately, forward NetScaler logs to a SIEM or long-term retention platform given how quickly on-device logs rotate, terminate outstanding sessions on vulnerable appliances since harvested tokens can survive a patch, and audit for unrecognised local accounts and unexpected ScreenConnect or Zoho Assist installations. A full list of indicators of compromise, including file hashes, account names and C2 infrastructure, accompanies Huntress’ original write-up, which can be found here: https://www.huntress.com/blog/citrixbleed-2-dragonforce-ransomware

ShareTweet
Previous Post

Huntress Uncovers ‘Vibe-Coded’ Malware Used to Map Active Directory Environments

Recent News

hand typing on keyboard

CitrixBleed 2 exploited in repeatable attack chain culminating in DragonForce ransomware, researchers find

July 9, 2026
malware

Huntress Uncovers ‘Vibe-Coded’ Malware Used to Map Active Directory Environments

July 8, 2026
Check Point’s ThreatCloud AI Blocked 4.6 Billion Attacks in 2025, Latest ESG Report Reveals

Check Point’s ThreatCloud AI Blocked 4.6 Billion Attacks in 2025, Latest ESG Report Reveals

July 8, 2026
Kirsty Fowler, WorkNest Secure

Next Gen Spotlights: Building a More Resilient Future – Q&A with WorkNest Secure

July 8, 2026

The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY

Follow Us

© 2015 - 2026 IT Security Guru - Website Managed by Dessol

  • About Us
Manage Consent
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
  • Manage options
  • Manage services
  • Manage {vendor_count} vendors
  • Read more about these purposes
View preferences
  • {title}
  • {title}
  • {title}
No Result
View All Result
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us

© 2015 - 2026 IT Security Guru - Website Managed by Dessol