<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cpe:2.3:a:citrix:netscaler_gateway:*:*:*:*:*:*:*:* - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/cpes/cpe2.3acitrixnetscaler_gateway/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 09 Jul 2026 20:25:12 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/cpes/cpe2.3acitrixnetscaler_gateway/feed.xml" rel="self" type="application/rss+xml"/><item><title>CitrixBleed 2 (CVE-2025-5777) Exploitation Leading to Dragonforce Ransomware</title><link>https://feed.craftedsignal.io/briefs/2026-07-citrixbleed2-dragonforce/</link><pubDate>Thu, 09 Jul 2026 20:25:12 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-citrixbleed2-dragonforce/</guid><description>Initial Access Brokers are actively exploiting CitrixBleed 2 (CVE-2025-5777) on NetScaler appliances to steal session tokens, achieve local privilege escalation, establish persistence via legitimate remote access tools, and ultimately deploy Dragonforce ransomware.</description><content:encoded><![CDATA[<p>Huntress has observed a coordinated campaign across the first half of 2026 where Initial Access Brokers (IABs) are exploiting CVE-2025-5777, dubbed &quot;CitrixBleed 2&quot;, on Citrix NetScaler appliances. This critical vulnerability allows attackers to leak NetScaler memory via malformed pre-authentication login requests, enabling the theft and replay of valid session tokens to bypass multi-factor authentication. Once initial access is gained, the attackers employ a standardized playbook involving novel local privilege escalation techniques, such as a registry-symlink/AppMgmt trick, to obtain SYSTEM privileges. They then establish persistence by creating rogue local administrator accounts and installing legitimate remote access tools like ScreenConnect and Zoho Assist. The final stage of these intrusions is the deployment of Dragonforce ransomware, encrypting victim data for impact.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access</strong>: Attackers exploit CVE-2025-5777 (CitrixBleed 2) on exposed NetScaler appliances by sending malformed pre-authentication login requests, causing memory leakage and the theft of valid session tokens.</li>
<li><strong>Authentication Bypass</strong>: Stolen valid session tokens are replayed to hijack active user sessions, effectively bypassing multi-factor authentication and gaining authenticated access to the target environment.</li>
<li><strong>Privilege Escalation</strong>: SYSTEM-level privileges are achieved using a &quot;registry-symlink/AppMgmt trick&quot;, likely executed via command line instructions such as <code>cmd.exe /c sc start AppMgmt &gt;nul 2&gt;nul</code> and <code>cmd.exe /c gpupdate /force &gt;nul 2&gt;nul</code>, and leveraging LPE tooling like <code>eng.exe</code> or <code>legal.exe</code>.</li>
<li><strong>Defense Evasion &amp; Persistence</strong>: Rogue local administrator accounts, including <code>ctxsvc</code>, <code>CtxAppVCOMService</code>, and <code>test</code>, are created to maintain access and evade detection.</li>
<li><strong>Persistence &amp; Command and Control</strong>: Legitimate remote access tools like ScreenConnect (<code>Us.msi</code>, <code>SC.msi</code>) and Zoho Assist (<code>za.msi</code>) are installed to establish persistent remote access and maintain C2 communications via relays such as <code>relay.dltsolutions[.]top</code>.</li>
<li><strong>Collection &amp; Staging</strong>: Attackers create password-protected archives (e.g., <code>asas.zip</code>, <code>ex.zip</code>) and upload them to temporary file hosting services like <code>temp[.]sh</code>, likely for data staging prior to exfiltration.</li>
<li><strong>Impact</strong>: Dragonforce ransomware (<code>1.exe</code>) is executed, encrypting files on compromised systems, leading to significant disruption and data loss.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>In the first half of 2026, Huntress observed a half-dozen strikingly similar intrusions across unrelated organizations that followed this seven-step attack chain, culminating in Dragonforce ransomware deployment. This indicates a highly standardized and effective operational playbook by Initial Access Brokers. Successful compromise results in complete system takeover, potential data exfiltration, and the encryption of critical business data, leading to severe operational disruption, financial loss from ransom payments, and potential reputational damage. The ability to bypass MFA renders traditional access controls ineffective once the initial vulnerability is exploited.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately patch all exposed Citrix NetScaler appliances against CVE-2025-5777 to prevent initial access.</li>
<li>Implement detections for the execution of suspicious LPE commands like <code>cmd.exe /c sc start AppMgmt &gt;nul 2&gt;nul</code> and <code>cmd.exe /c gpupdate /force &gt;nul 2&gt;nul</code> by deploying the &quot;Detect Suspicious AppMgmt Service Interaction for LPE&quot; Sigma rule.</li>
<li>Monitor for the creation of new local administrator accounts with unusual names such as <code>ctxsvc</code>, <code>CtxAppVCOMService</code>, or <code>test</code> using the &quot;Detect Suspicious Local Administrator Account Creation&quot; Sigma rule.</li>
<li>Block inbound and outbound connections to the C2 domains <code>relay.dltsolutions[.]top</code>, <code>relay.eurofin[.]digital</code>, <code>vpts[.]us</code>, and <code>opa[.]tlsd[.]shop</code> at your network perimeter.</li>
<li>Deploy the &quot;Detect Installation of Legitimate Remote Access Software by MSI&quot; Sigma rule to identify unauthorized deployments of ScreenConnect or Zoho Assist.</li>
<li>Scan endpoints for the Dragonforce ransomware hash <code>c4fcae3847946173bf0b3cedf5d97a9e3d18090023842f942ba544fa7fda180d</code> and block execution.</li>
<li>Review and terminate all outstanding user sessions on NetScaler appliances and conduct an audit for any suspicious accounts or remote management tooling not authorized by your organization.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">threat</category><category>ransomware</category><category>initial-access</category><category>privilege-escalation</category><category>persistence</category><category>citrix</category><category>netscaler</category><category>dragonforce</category></item></channel></rss>