CyberSecurityNews

Hackers Can Go From CitrixBleed 2 Exploitation to Ransomware in Under an Hour


A critical Citrix flaw is giving intruders a fast route from an internet-facing gateway to a ransomware event.

The activity centers on CitrixBleed 2, tracked as CVE-2025-5777, which can expose memory from affected NetScaler ADC and Gateway appliances before a user signs in. That exposure lets attackers search for and reuse active session tokens.

The campaign does not rely on a victim entering a password or approving a sign-in request. Instead, malformed login requests can leak small pieces of appliance memory, allowing a threat actor to take over a live authenticated session.

Once inside, the attacker can move from ordinary user access to full control of a Windows environment.

After examining half a dozen intrusions at unrelated organizations between January and June 2026, analysts at Huntress identified a repeatable seven-stage playbook.

Huntress said in a report shared with Cyber Security News (CSN) that the cases involved the same access route, escalation technique, rogue accounts, and remote-control tools, indicating a standardized operation rather than isolated opportunistic attacks.

Predictability and clustered behavior often presents the smoking gun for initial access (Source – Huntress)

The consequences can arrive with alarming speed. In one incident, the operator progressed from initial access to ransomware deployment in under an hour. DragonForce was used in the most advanced case.

Hackers Can Go From CitrixBleed 2 Exploitation

CitrixBleed 2 is a memory-overread weakness in NetScaler systems configured as Gateway or AAA virtual servers. It is reachable before authentication through login endpoints, including pudoAuthentication.do, when a POST request contains an empty login parameter.

At first, the traffic can look like a password-spraying attempt because it produces a high volume of failed logins. Huntress found thousands of AAA LOGINFAILED events with unusual, nonprintable data in the User field.

That data was not a series of bad usernames, but leaked memory fragments containing headers, certificate material, and internal traffic details.

The key risk is session theft. In one case, a legitimate employee completed LDAP and multi-factor authentication from a known IP address; 21 minutes later, the same session was active from an attacker IP, without any successful attacker login.

Citrix appliance ns.log entries (Source - Huntress)
Citrix appliance ns.log entries (Source – Huntress)

Replaying a stolen token makes multi-factor authentication ineffective because the session was already verified.

The intruder then used a portable Windows privilege-escalation tool to obtain SYSTEM-level access. The tool abused a registry symbolic link, forced a Group Policy update, and started the Application Management service, AppMgmt.

It subsequently created a local administrator account and cleaned up registry changes, making later investigation more difficult. While the observed chain was consistent across victims.

The attackers commonly added remote-management software, returned through RDP, inspected hosts and sessions, and in the furthest-progressed intrusion executed a DragonForce ransomware file that encrypted the affected environment.

Containment Cannot Wait

The incident pattern shows why patching alone is not enough after suspected exploitation. Stolen session tokens can remain usable after an appliance update, so organizations should terminate outstanding sessions on systems vulnerable to CVE-2025-5777.

They should also check whether exposed NetScaler services were patched successfully, since incomplete remediation enabled repeat access in some cases.

Log preservation is equally important. NetScaler logs can rotate quickly, leaving only a short window to find the malformed login requests, memory leakage, session anomalies, and diagnostic messages associated with the attack.

Forwarding appliance logs to a SIEM or another central repository gives responders a better chance to reconstruct the intrusion before that evidence disappears.

Administrators should review Citrix environments for unexpected accounts, particularly ctxsvc, CtxAppVCOMService, and test, while confirming whether any apparently suspicious test account is legitimate.

They should also investigate unplanned ScreenConnect or Zoho Assist installations and compare client-host details against remote-session records, including printer-mapping events that may reveal the operator workstation name.

Fast isolation limited encryption to one host in the ransomware case, but the broader lesson is prevention and rapid response.

Organizations that operate exposed NetScaler gateways should patch immediately, retain logs, terminate sessions, and look for the artifacts below. Treat a burst of strange failed logins as a possible memory-theft event, not merely a noisy password attack.

Indicators of compromise (IoCs):-

TypeIndicatorDescription
Adversary accountctxsvcAccount created or used by the adversary 
Adversary accountCtxAppVCOMServiceAccount created or used by the adversary 
Adversary accounttestAccount created or used by the adversary 
Adversary hostnameWIN-4E0AP4JTJR9Hostname observed in Citrix printer-mapping events 
Adversary hostnameWIN-VI960VQI4I6Hostname observed in Citrix printer-mapping events 
LPE tooling nameseng.exelegal.exeexsym.exeas.exeexp6.exeNames used for privilege-escalation tooling 
ScreenConnect installersUs.msiSC.msiScreenConnect installer names 
Zoho Assist installerza.msiZoho Assist installer name 
Password-protected archivesasas.zipex.zipupdate.zipArchives retrieved from temp.sh 
Ransomware file1.exeDragonForce ransomware executable 
SHA-256c84739655ce1af0a0269138263d47567418f69e0f75e249f8e23bc21802209e2Privilege-escalation tool hash 
SHA-256eb083365dc70d0294e8c4f55a2e78be0edb0f3497f2a06a70c9f474dafab48d8Privilege-escalation tool hash 
SHA-256c4fcae3847946173bf0b3cedf5d97a9e3d18090023842f942ba544fa7fda180dDragonForce ransomware hash 
Command linecmd.exe /c sc start AppMgmt >nul 2>nulPrivilege-escalation command emission 
Command linecmd.exe /c gpupdate /force >nul 2>nulPrivilege-escalation command emission 
Domainrelay.dltsolutions.topScreenConnect relay 
Domainrelay.eurofin.digitalScreenConnect relay 
Domainvpts.usScreenConnect relay 
Domainopa.tlsd.shopNetBird relay 

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Prevent critical incidents and financial loss with stronger proactive defense. Integrate a live threat feed from 15K SOC Teams.



Source link