ctipilot.ch

STAC3725 CitrixBleed 2-to-DragonForce IAB chain

campaign · campaign:stac3725-citrixbleed2-iab-dragonforce

Repeatable initial-access-broker kill chain (Sophos: STAC3725): CVE-2025-5777 (CitrixBleed 2) session-token theft on NetScaler Gateway, a registry-symlink/AppMgmt SYSTEM privilege-escalation tool, ScreenConnect/Zoho Assist persistence, and DragonForce ransomware in the most progressed case (Huntress, 2026-07-09; Sophos, 2026-02).

Aliases: CitrixBleed 2 initial-access-broker runbook

Coverage timeline
1
first 2026-07-10 → last 2026-07-10
Peak priority
high
1 high
Sources cited
3
3 hosts
Sections touched
1
deep-dive
Co-occurring entities
2
see Related entities below
ATT&CK techniques
11
pinned v19.1 · see below

Hunting pivots

Affected products
Citrix NetScaler ADCCitrix NetScaler Gateway

ATT&CK techniques

11 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Initial Access TA0001

T1190Exploit Public-Facing Application×1

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

Evidence: 2026-07-10/citrixbleed-2-dragonforce-iab-kill-chain-stac3725 · ATT&CK page ↗

Persistence TA0003

T1098Account Manipulation×1

Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials.

Evidence: 2026-07-10/citrixbleed-2-dragonforce-iab-kill-chain-stac3725 · ATT&CK page ↗

T1112Modify Registry×1

Adversaries may interact with the Windows Registry as part of a variety of other techniques to aid in defense evasion, persistence, and execution.

Evidence: 2026-07-10/citrixbleed-2-dragonforce-iab-kill-chain-stac3725 · ATT&CK page ↗

T1136.001Create Account: Local Account×1

Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.

Evidence: 2026-07-10/citrixbleed-2-dragonforce-iab-kill-chain-stac3725 · ATT&CK page ↗

Privilege Escalation TA0004

T1068Exploitation for Privilege Escalation×1

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.

Evidence: 2026-07-10/citrixbleed-2-dragonforce-iab-kill-chain-stac3725 · ATT&CK page ↗

T1098Account Manipulation×1

Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials.

Evidence: 2026-07-10/citrixbleed-2-dragonforce-iab-kill-chain-stac3725 · ATT&CK page ↗

Stealth TA0005

T1070Indicator Removal×1

Adversaries may selectively delete or modify artifacts generated to reduce indications of their presence and blend in with legitimate activity. Rather than broadly removing evidence, adversaries may target specific artifacts that appear anomalous or are likely to draw scrutiny, while leaving sufficient data intact to maintain the appearance of normal system behavior.

Evidence: 2026-07-10/citrixbleed-2-dragonforce-iab-kill-chain-stac3725 · ATT&CK page ↗

Defense Impairment TA0112

T1112Modify Registry×1

Adversaries may interact with the Windows Registry as part of a variety of other techniques to aid in defense evasion, persistence, and execution.

Evidence: 2026-07-10/citrixbleed-2-dragonforce-iab-kill-chain-stac3725 · ATT&CK page ↗

Credential Access TA0006

T1003OS Credential Dumping×1

Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures. Credentials can then be used to perform Lateral Movement and access restricted information.

Evidence: 2026-07-10/citrixbleed-2-dragonforce-iab-kill-chain-stac3725 · ATT&CK page ↗

Lateral Movement TA0008

T1550.001Use Alternate Authentication Material: Application Access Token×1

Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users or services and used in lieu of login credentials.

Evidence: 2026-07-10/citrixbleed-2-dragonforce-iab-kill-chain-stac3725 · ATT&CK page ↗

T1570Lateral Tool Transfer×1

Adversaries may transfer tools or other files between systems in a compromised environment. Once brought into the victim environment (i.e., Ingress Tool Transfer) files may then be copied from one system to another to stage adversary tools or other files over the course of an operation.

Evidence: 2026-07-10/citrixbleed-2-dragonforce-iab-kill-chain-stac3725 · ATT&CK page ↗

Command and Control TA0011

T1219Remote Access Tools×1

An adversary may use legitimate remote access tools to establish an interactive command and control channel within a network. Remote access tools create a session between two trusted hosts through a graphical interface, a command line interaction, a protocol tunnel via development or management software, or hardware-level access such as KVM (Keyboard, Video, Mouse) over IP solutions. Desktop support software (usually graphical interface) and remote management software (typically command line interface) allow a user to control a computer remotely as if they are a local user inheriting the user or software permissions. This software is commonly used for troubleshooting, software installation, and system management. Adversaries may similarly abuse response features included in EDR and other defensive tools that enable remote access.

Evidence: 2026-07-10/citrixbleed-2-dragonforce-iab-kill-chain-stac3725 · ATT&CK page ↗

Impact TA0040

T1486Data Encrypted for Impact×1

Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.

Evidence: 2026-07-10/citrixbleed-2-dragonforce-iab-kill-chain-stac3725 · ATT&CK page ↗

Story timeline

  1. 2026-07-10CitrixBleed 2 (CVE-2025-5777) weaponised into a repeatable IAB kill chain ending in DragonForce ransomware (STAC3725)
    deep-diveHuntress reconstructs a productised CitrixBleed 2-to-DragonForce runbook: token theft, a registry-symlink SYSTEM escalation, then ransomware

Where this entity is cited

  • deep-dive1

Source distribution

  • huntress.com1 (33%)
  • itsecurityguru.org1 (33%)
  • sophos.com1 (33%)

Related entities

Entries about STAC3725 CitrixBleed 2-to-DragonForce IAB chain (1)

2026-07-10 · view entry permalink →

HIGHCVE-2025-5777exploited

CitrixBleed 2 (CVE-2025-5777) weaponised into a repeatable IAB kill chain ending in DragonForce ransomware (STAC3725)

Across the first half of 2026 the Huntress Tactical Response unit worked at least six intrusions at unrelated organisations that reproduced the same seven-step kill chain so faithfully that analysts could predict the next artefact before pulling the log — the basis for their high-confidence assessment that an initial-access broker (IAB) has productised the path from an internet-facing Citrix box to domain-wide encryption, a cluster Sophos independently tracks as STAC3725 (Huntress, 2026-07-09; Sophos X-Ops, 2026-04-16). Initial access is pre-auth exploitation of CitrixBleed 2 (CVE-2025-5777), a memory over-read in NetScaler ADC/Gateway configured as a Gateway or AAA virtual server: a POST to the login endpoint (/p/u/doAuthentication.do and equivalents) with the login form variable present but empty makes the appliance serialise roughly 127 bytes of adjacent process memory into the response, and sprayed at volume this yields live session tokens (T1190, T1550.001). In one reconstructed case a user authenticated normally over LDAP+MFA from a known-good IP at 13:07 UTC; twenty-one minutes later the same session was driven from the attacker's IP with no successful authentication from that IP anywhere in the logs — token replay, with MFA already satisfied and therefore irrelevant (Huntress, 2026-07-09).

The privilege-escalation primitive is what makes the cluster unmistakable, because the hijacked session usually belongs to an unprivileged employee and the operator carries a portable, unsigned LPE tool (dropped to working paths such as C:\temp and renamed per victim — eng.exe, legal.exe, as.exe — often inside a password-protected archive pulled from temp.sh). The tool plants a REG_LINK SymbolicLinkValue under the RdpBus device-class key {28d78fad-5a12-11d1-ae5b-0000f803a8c2} that redirects into the Group Policy state hierarchy (T1112); running gpupdate forces the SYSTEM-context Group Policy engine to write through the planted link into a protected key, and sc start AppMgmt then makes the Service Control Manager relaunch the dropper as NT AUTHORITY\SYSTEM, which creates a backdoor administrator via net user … /add and net localgroup Administrators … /add (T1068, T1136.001, T1098). AppMgmt is chosen because it is always present, normally dormant, and plausibly related to policy processing. Before detonating, the tool snapshots the original key tree and restores it afterwards, leaving the registry indistinguishable from its pre-exploit state to erase the artefacts a responder would key on (T1070). Persistence then rides legitimate remote-management software — ScreenConnect and Zoho Assist, in one case Netbird plus Atera (T1219) — and in the most advanced case the operator used PsExec, Impacket and Mimikatz for lateral movement and credential access (T1003, T1570) before deploying DragonForce ransomware, contained to a single host (T1486). Huntress declines a firm DragonForce-affiliate-versus-IAB attribution given the tactic overlap, and ruled out an alternative NetScaler session-management race-condition flaw because the affected build and the required already-authenticated session to race against did not fit the evidence.

By spraying enough of those requests, an adversary can then sift through the heap fragments for valid session tokens of someone who is currently logged in.

The cleanup serves to evade detection: by leaving the registry indistinguishable from its pre-exploit state, the tool removes the artifacts a responder would normally key on.

Huntress 2026-07-09

Huntress assesses with high confidence that the activity is the work of an initial access broker (IAB) weaponising CVE-2025-5777 to gain footholds in Citrix environments before selling or handing off access, ultimately for the purpose of ransomware deployment.

IT Security Guru 2026-07-09
threat10 Jul 04:36Zmulti-sourceOpen finding ↗