A critical Citrix flaw is giving intruders a fast route from an internet-facing gateway to a ransomware event.
The activity centers on CitrixBleed 2, tracked as CVE-2025-5777, which can expose memory from affected NetScaler ADC and Gateway appliances before a user signs in. That exposure lets attackers search for and reuse active session tokens.
The campaign does not rely on a victim entering a password or approving a sign-in request. Instead, malformed login requests can leak small pieces of appliance memory, allowing a threat actor to take over a live authenticated session.
Once inside, the attacker can move from ordinary user access to full control of a Windows environment.
After examining half a dozen intrusions at unrelated organizations between January and June 2026, analysts at Huntress identified a repeatable seven-stage playbook.
Huntress said in a report shared with Cyber Security News (CSN) that the cases involved the same access route, escalation technique, rogue accounts, and remote-control tools, indicating a standardized operation rather than isolated opportunistic attacks.
The consequences can arrive with alarming speed. In one incident, the operator progressed from initial access to ransomware deployment in under an hour. DragonForce was used in the most advanced case.
Hackers Can Go From CitrixBleed 2 Exploitation
CitrixBleed 2 is a memory-overread weakness in NetScaler systems configured as Gateway or AAA virtual servers. It is reachable before authentication through login endpoints, including pudoAuthentication.do, when a POST request contains an empty login parameter.
At first, the traffic can look like a password-spraying attempt because it produces a high volume of failed logins. Huntress found thousands of AAA LOGINFAILED events with unusual, nonprintable data in the User field.
That data was not a series of bad usernames, but leaked memory fragments containing headers, certificate material, and internal traffic details.
The key risk is session theft. In one case, a legitimate employee completed LDAP and multi-factor authentication from a known IP address; 21 minutes later, the same session was active from an attacker IP, without any successful attacker login.
.webp)
Replaying a stolen token makes multi-factor authentication ineffective because the session was already verified.
The intruder then used a portable Windows privilege-escalation tool to obtain SYSTEM-level access. The tool abused a registry symbolic link, forced a Group Policy update, and started the Application Management service, AppMgmt.
It subsequently created a local administrator account and cleaned up registry changes, making later investigation more difficult. While the observed chain was consistent across victims.
The attackers commonly added remote-management software, returned through RDP, inspected hosts and sessions, and in the furthest-progressed intrusion executed a DragonForce ransomware file that encrypted the affected environment.
Containment Cannot Wait
The incident pattern shows why patching alone is not enough after suspected exploitation. Stolen session tokens can remain usable after an appliance update, so organizations should terminate outstanding sessions on systems vulnerable to CVE-2025-5777.
They should also check whether exposed NetScaler services were patched successfully, since incomplete remediation enabled repeat access in some cases.
Log preservation is equally important. NetScaler logs can rotate quickly, leaving only a short window to find the malformed login requests, memory leakage, session anomalies, and diagnostic messages associated with the attack.
Forwarding appliance logs to a SIEM or another central repository gives responders a better chance to reconstruct the intrusion before that evidence disappears.
Administrators should review Citrix environments for unexpected accounts, particularly ctxsvc, CtxAppVCOMService, and test, while confirming whether any apparently suspicious test account is legitimate.
They should also investigate unplanned ScreenConnect or Zoho Assist installations and compare client-host details against remote-session records, including printer-mapping events that may reveal the operator workstation name.
Fast isolation limited encryption to one host in the ransomware case, but the broader lesson is prevention and rapid response.
Organizations that operate exposed NetScaler gateways should patch immediately, retain logs, terminate sessions, and look for the artifacts below. Treat a burst of strange failed logins as a possible memory-theft event, not merely a noisy password attack.
Indicators of compromise (IoCs):-
| Type | Indicator | Description |
|---|---|---|
| Adversary account | ctxsvc | Account created or used by the adversary |
| Adversary account | CtxAppVCOMService | Account created or used by the adversary |
| Adversary account | test | Account created or used by the adversary |
| Adversary hostname | WIN-4E0AP4JTJR9 | Hostname observed in Citrix printer-mapping events |
| Adversary hostname | WIN-VI960VQI4I6 | Hostname observed in Citrix printer-mapping events |
| LPE tooling names | eng.exe, legal.exe, exsym.exe, as.exe, exp6.exe | Names used for privilege-escalation tooling |
| ScreenConnect installers | Us.msi, SC.msi | ScreenConnect installer names |
| Zoho Assist installer | za.msi | Zoho Assist installer name |
| Password-protected archives | asas.zip, ex.zip, update.zip | Archives retrieved from temp.sh |
| Ransomware file | 1.exe | DragonForce ransomware executable |
| SHA-256 | c84739655ce1af0a0269138263d47567418f69e0f75e249f8e23bc21802209e2 | Privilege-escalation tool hash |
| SHA-256 | eb083365dc70d0294e8c4f55a2e78be0edb0f3497f2a06a70c9f474dafab48d8 | Privilege-escalation tool hash |
| SHA-256 | c4fcae3847946173bf0b3cedf5d97a9e3d18090023842f942ba544fa7fda180d | DragonForce ransomware hash |
| Command line | cmd.exe /c sc start AppMgmt >nul 2>nul | Privilege-escalation command emission |
| Command line | cmd.exe /c gpupdate /force >nul 2>nul | Privilege-escalation command emission |
| Domain | relay.dltsolutions.top | ScreenConnect relay |
| Domain | relay.eurofin.digital | ScreenConnect relay |
| Domain | vpts.us | ScreenConnect relay |
| Domain | opa.tlsd.shop | NetBird relay |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Prevent critical incidents and financial loss with stronger proactive defense. Integrate a live threat feed from 15K SOC Teams.

