CitrixBleed 2 (CVE-2025-5777) Exploitation Leading to Dragonforce Ransomware
Initial Access Brokers are actively exploiting CitrixBleed 2 (CVE-2025-5777) on NetScaler appliances to steal session tokens, achieve local privilege escalation, establish persistence via legitimate remote access tools, and ultimately deploy Dragonforce ransomware.
Huntress has observed a coordinated campaign across the first half of 2026 where Initial Access Brokers (IABs) are exploiting CVE-2025-5777, dubbed "CitrixBleed 2", on Citrix NetScaler appliances. This critical vulnerability allows attackers to leak NetScaler memory via malformed pre-authentication login requests, enabling the theft and replay of valid session tokens to bypass multi-factor authentication. Once initial access is gained, the attackers employ a standardized playbook involving novel local privilege escalation techniques, such as a registry-symlink/AppMgmt trick, to obtain SYSTEM privileges. They then establish persistence by creating rogue local administrator accounts and installing legitimate remote access tools like ScreenConnect and Zoho Assist. The final stage of these intrusions is the deployment of Dragonforce ransomware, encrypting victim data for impact.
Attack Chain
- Initial Access: Attackers exploit CVE-2025-5777 (CitrixBleed 2) on exposed NetScaler appliances by sending malformed pre-authentication login requests, causing memory leakage and the theft of valid session tokens.
- Authentication Bypass: Stolen valid session tokens are replayed to hijack active user sessions, effectively bypassing multi-factor authentication and gaining authenticated access to the target environment.
- Privilege Escalation: SYSTEM-level privileges are achieved using a "registry-symlink/AppMgmt trick", likely executed via command line instructions such as
cmd.exe /c sc start AppMgmt >nul 2>nulandcmd.exe /c gpupdate /force >nul 2>nul, and leveraging LPE tooling likeeng.exeorlegal.exe. - Defense Evasion & Persistence: Rogue local administrator accounts, including
ctxsvc,CtxAppVCOMService, andtest, are created to maintain access and evade detection. - Persistence & Command and Control: Legitimate remote access tools like ScreenConnect (
Us.msi,SC.msi) and Zoho Assist (za.msi) are installed to establish persistent remote access and maintain C2 communications via relays such asrelay.dltsolutions[.]top. - Collection & Staging: Attackers create password-protected archives (e.g.,
asas.zip,ex.zip) and upload them to temporary file hosting services liketemp[.]sh, likely for data staging prior to exfiltration. - Impact: Dragonforce ransomware (
1.exe) is executed, encrypting files on compromised systems, leading to significant disruption and data loss.
Impact
In the first half of 2026, Huntress observed a half-dozen strikingly similar intrusions across unrelated organizations that followed this seven-step attack chain, culminating in Dragonforce ransomware deployment. This indicates a highly standardized and effective operational playbook by Initial Access Brokers. Successful compromise results in complete system takeover, potential data exfiltration, and the encryption of critical business data, leading to severe operational disruption, financial loss from ransom payments, and potential reputational damage. The ability to bypass MFA renders traditional access controls ineffective once the initial vulnerability is exploited.
Recommendation
- Immediately patch all exposed Citrix NetScaler appliances against CVE-2025-5777 to prevent initial access.
- Implement detections for the execution of suspicious LPE commands like
cmd.exe /c sc start AppMgmt >nul 2>nulandcmd.exe /c gpupdate /force >nul 2>nulby deploying the "Detect Suspicious AppMgmt Service Interaction for LPE" Sigma rule. - Monitor for the creation of new local administrator accounts with unusual names such as
ctxsvc,CtxAppVCOMService, ortestusing the "Detect Suspicious Local Administrator Account Creation" Sigma rule. - Block inbound and outbound connections to the C2 domains
relay.dltsolutions[.]top,relay.eurofin[.]digital,vpts[.]us, andopa[.]tlsd[.]shopat your network perimeter. - Deploy the "Detect Installation of Legitimate Remote Access Software by MSI" Sigma rule to identify unauthorized deployments of ScreenConnect or Zoho Assist.
- Scan endpoints for the Dragonforce ransomware hash
c4fcae3847946173bf0b3cedf5d97a9e3d18090023842f942ba544fa7fda180dand block execution. - Review and terminate all outstanding user sessions on NetScaler appliances and conduct an audit for any suspicious accounts or remote management tooling not authorized by your organization.
Detection coverage 4
Detect Suspicious AppMgmt Service Interaction for LPE
highDetects command line patterns indicative of the registry-symlink/AppMgmt privilege escalation trick used by attackers to gain SYSTEM privileges. This includes starting the AppMgmt service and forcing group policy updates, often seen together in LPE chains.
Detect Suspicious Local Administrator Account Creation
highDetects the creation of specific local administrator accounts (`ctxsvc`, `CtxAppVCOMService`, `test`) identified as adversary accounts in Dragonforce ransomware attacks following CitrixBleed 2 exploitation.
Detect Installation of Legitimate Remote Access Software by MSI
mediumDetects process creation events for msiexec installing known legitimate remote access tools (ScreenConnect, Zoho Assist) with specific installer file names identified in Dragonforce ransomware attacks. This can indicate unauthorized persistence.
Detect Dragonforce Ransomware Execution (1.exe)
criticalDetects the execution of the Dragonforce ransomware payload named '1.exe' with a specific SHA256 hash observed in attacks following CitrixBleed 2 exploitation.
Detection queries are available on the platform. Get full rules →
Indicators of compromise
4
domain
3
hash_sha256
| Type | Value |
|---|---|
| hash_sha256 | c84739655ce1af0a0269138263d47567418f69e0f75e249f8e23bc21802209e2 |
| hash_sha256 | eb083365dc70d0294e8c4f55a2e78be0edb0f3497f2a06a70c9f474dafab48d8 |
| hash_sha256 | c4fcae3847946173bf0b3cedf5d97a9e3d18090023842f942ba544fa7fda180d |
| domain | relay.dltsolutions[.]top |
| domain | relay.eurofin[.]digital |
| domain | vpts[.]us |
| domain | opa[.]tlsd[.]shop |