{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/cpes/cpe2.3acitrixnetscaler_application_delivery_controllerndcpp/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:citrix:netscaler_application_delivery_controller:*:*:*:*:fips:*:*:*","cpe:2.3:a:citrix:netscaler_application_delivery_controller:*:*:*:*:ndcpp:*:*:*","cpe:2.3:a:citrix:netscaler_application_delivery_controller:*:*:*:*:-:*:*:*","cpe:2.3:a:citrix:netscaler_gateway:*:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":7.5,"id":"CVE-2025-5777"}],"_cs_exploited":true,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["NetScaler"],"_cs_severities":["high"],"_cs_tags":["ransomware","initial-access","privilege-escalation","persistence","citrix","netscaler","dragonforce"],"_cs_type":"threat","_cs_vendors":["Citrix"],"content_html":"\u003cp\u003eHuntress has observed a coordinated campaign across the first half of 2026 where Initial Access Brokers (IABs) are exploiting CVE-2025-5777, dubbed \u0026quot;CitrixBleed 2\u0026quot;, on Citrix NetScaler appliances. This critical vulnerability allows attackers to leak NetScaler memory via malformed pre-authentication login requests, enabling the theft and replay of valid session tokens to bypass multi-factor authentication. Once initial access is gained, the attackers employ a standardized playbook involving novel local privilege escalation techniques, such as a registry-symlink/AppMgmt trick, to obtain SYSTEM privileges. They then establish persistence by creating rogue local administrator accounts and installing legitimate remote access tools like ScreenConnect and Zoho Assist. The final stage of these intrusions is the deployment of Dragonforce ransomware, encrypting victim data for impact.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access\u003c/strong\u003e: Attackers exploit CVE-2025-5777 (CitrixBleed 2) on exposed NetScaler appliances by sending malformed pre-authentication login requests, causing memory leakage and the theft of valid session tokens.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAuthentication Bypass\u003c/strong\u003e: Stolen valid session tokens are replayed to hijack active user sessions, effectively bypassing multi-factor authentication and gaining authenticated access to the target environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation\u003c/strong\u003e: SYSTEM-level privileges are achieved using a \u0026quot;registry-symlink/AppMgmt trick\u0026quot;, likely executed via command line instructions such as \u003ccode\u003ecmd.exe /c sc start AppMgmt \u0026gt;nul 2\u0026gt;nul\u003c/code\u003e and \u003ccode\u003ecmd.exe /c gpupdate /force \u0026gt;nul 2\u0026gt;nul\u003c/code\u003e, and leveraging LPE tooling like \u003ccode\u003eeng.exe\u003c/code\u003e or \u003ccode\u003elegal.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion \u0026amp; Persistence\u003c/strong\u003e: Rogue local administrator accounts, including \u003ccode\u003ectxsvc\u003c/code\u003e, \u003ccode\u003eCtxAppVCOMService\u003c/code\u003e, and \u003ccode\u003etest\u003c/code\u003e, are created to maintain access and evade detection.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence \u0026amp; Command and Control\u003c/strong\u003e: Legitimate remote access tools like ScreenConnect (\u003ccode\u003eUs.msi\u003c/code\u003e, \u003ccode\u003eSC.msi\u003c/code\u003e) and Zoho Assist (\u003ccode\u003eza.msi\u003c/code\u003e) are installed to establish persistent remote access and maintain C2 communications via relays such as \u003ccode\u003erelay.dltsolutions[.]top\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCollection \u0026amp; Staging\u003c/strong\u003e: Attackers create password-protected archives (e.g., \u003ccode\u003easas.zip\u003c/code\u003e, \u003ccode\u003eex.zip\u003c/code\u003e) and upload them to temporary file hosting services like \u003ccode\u003etemp[.]sh\u003c/code\u003e, likely for data staging prior to exfiltration.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact\u003c/strong\u003e: Dragonforce ransomware (\u003ccode\u003e1.exe\u003c/code\u003e) is executed, encrypting files on compromised systems, leading to significant disruption and data loss.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eIn the first half of 2026, Huntress observed a half-dozen strikingly similar intrusions across unrelated organizations that followed this seven-step attack chain, culminating in Dragonforce ransomware deployment. This indicates a highly standardized and effective operational playbook by Initial Access Brokers. Successful compromise results in complete system takeover, potential data exfiltration, and the encryption of critical business data, leading to severe operational disruption, financial loss from ransom payments, and potential reputational damage. The ability to bypass MFA renders traditional access controls ineffective once the initial vulnerability is exploited.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch all exposed Citrix NetScaler appliances against CVE-2025-5777 to prevent initial access.\u003c/li\u003e\n\u003cli\u003eImplement detections for the execution of suspicious LPE commands like \u003ccode\u003ecmd.exe /c sc start AppMgmt \u0026gt;nul 2\u0026gt;nul\u003c/code\u003e and \u003ccode\u003ecmd.exe /c gpupdate /force \u0026gt;nul 2\u0026gt;nul\u003c/code\u003e by deploying the \u0026quot;Detect Suspicious AppMgmt Service Interaction for LPE\u0026quot; Sigma rule.\u003c/li\u003e\n\u003cli\u003eMonitor for the creation of new local administrator accounts with unusual names such as \u003ccode\u003ectxsvc\u003c/code\u003e, \u003ccode\u003eCtxAppVCOMService\u003c/code\u003e, or \u003ccode\u003etest\u003c/code\u003e using the \u0026quot;Detect Suspicious Local Administrator Account Creation\u0026quot; Sigma rule.\u003c/li\u003e\n\u003cli\u003eBlock inbound and outbound connections to the C2 domains \u003ccode\u003erelay.dltsolutions[.]top\u003c/code\u003e, \u003ccode\u003erelay.eurofin[.]digital\u003c/code\u003e, \u003ccode\u003evpts[.]us\u003c/code\u003e, and \u003ccode\u003eopa[.]tlsd[.]shop\u003c/code\u003e at your network perimeter.\u003c/li\u003e\n\u003cli\u003eDeploy the \u0026quot;Detect Installation of Legitimate Remote Access Software by MSI\u0026quot; Sigma rule to identify unauthorized deployments of ScreenConnect or Zoho Assist.\u003c/li\u003e\n\u003cli\u003eScan endpoints for the Dragonforce ransomware hash \u003ccode\u003ec4fcae3847946173bf0b3cedf5d97a9e3d18090023842f942ba544fa7fda180d\u003c/code\u003e and block execution.\u003c/li\u003e\n\u003cli\u003eReview and terminate all outstanding user sessions on NetScaler appliances and conduct an audit for any suspicious accounts or remote management tooling not authorized by your organization.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-09T20:25:12Z","date_published":"2026-07-09T20:25:12Z","id":"https://feed.craftedsignal.io/briefs/2026-07-citrixbleed2-dragonforce/","summary":"Initial Access Brokers are actively exploiting CitrixBleed 2 (CVE-2025-5777) on NetScaler appliances to steal session tokens, achieve local privilege escalation, establish persistence via legitimate remote access tools, and ultimately deploy Dragonforce ransomware.","title":"CitrixBleed 2 (CVE-2025-5777) Exploitation Leading to Dragonforce Ransomware","url":"https://feed.craftedsignal.io/briefs/2026-07-citrixbleed2-dragonforce/"}],"language":"en","title":"CraftedSignal Threat Feed - Cpe:2.3:a:citrix:netscaler_application_delivery_controller:*:*:*:*:ndcpp:*:*:*","version":"https://jsonfeed.org/version/1.1"}