CitrixBleed 2 (CVE-2025-5777) weaponised into a repeatable IAB kill chain ending in DragonForce ransomware (STAC3725)
Across the first half of 2026 the Huntress Tactical Response unit worked at least six intrusions at unrelated organisations that reproduced the same seven-step kill chain so faithfully that analysts could predict the next artefact before pulling the log — the basis for their high-confidence assessment that an initial-access broker (IAB) has productised the path from an internet-facing Citrix box to domain-wide encryption, a cluster Sophos independently tracks as STAC3725 (Huntress, 2026-07-09; Sophos X-Ops, 2026-04-16). Initial access is pre-auth exploitation of CitrixBleed 2 (CVE-2025-5777), a memory over-read in NetScaler ADC/Gateway configured as a Gateway or AAA virtual server: a POST to the login endpoint (/p/u/doAuthentication.do and equivalents) with the login form variable present but empty makes the appliance serialise roughly 127 bytes of adjacent process memory into the response, and sprayed at volume this yields live session tokens (T1190, T1550.001). In one reconstructed case a user authenticated normally over LDAP+MFA from a known-good IP at 13:07 UTC; twenty-one minutes later the same session was driven from the attacker's IP with no successful authentication from that IP anywhere in the logs — token replay, with MFA already satisfied and therefore irrelevant (Huntress, 2026-07-09).
The privilege-escalation primitive is what makes the cluster unmistakable, because the hijacked session usually belongs to an unprivileged employee and the operator carries a portable, unsigned LPE tool (dropped to working paths such as C:\temp and renamed per victim — eng.exe, legal.exe, as.exe — often inside a password-protected archive pulled from temp.sh). The tool plants a REG_LINK SymbolicLinkValue under the RdpBus device-class key {28d78fad-5a12-11d1-ae5b-0000f803a8c2} that redirects into the Group Policy state hierarchy (T1112); running gpupdate forces the SYSTEM-context Group Policy engine to write through the planted link into a protected key, and sc start AppMgmt then makes the Service Control Manager relaunch the dropper as NT AUTHORITY\SYSTEM, which creates a backdoor administrator via net user … /add and net localgroup Administrators … /add (T1068, T1136.001, T1098). AppMgmt is chosen because it is always present, normally dormant, and plausibly related to policy processing. Before detonating, the tool snapshots the original key tree and restores it afterwards, leaving the registry indistinguishable from its pre-exploit state to erase the artefacts a responder would key on (T1070). Persistence then rides legitimate remote-management software — ScreenConnect and Zoho Assist, in one case Netbird plus Atera (T1219) — and in the most advanced case the operator used PsExec, Impacket and Mimikatz for lateral movement and credential access (T1003, T1570) before deploying DragonForce ransomware, contained to a single host (T1486). Huntress declines a firm DragonForce-affiliate-versus-IAB attribution given the tactic overlap, and ruled out an alternative NetScaler session-management race-condition flaw because the affected build and the required already-authenticated session to race against did not fit the evidence.
By spraying enough of those requests, an adversary can then sift through the heap fragments for valid session tokens of someone who is currently logged in.
The cleanup serves to evade detection: by leaving the registry indistinguishable from its pre-exploit state, the tool removes the artifacts a responder would normally key on.
Huntress assesses with high confidence that the activity is the work of an initial access broker (IAB) weaponising CVE-2025-5777 to gain footholds in Citrix environments before selling or handing off access, ultimately for the purpose of ransomware deployment.
Defender actions
- Patch every internet-facing NetScaler ADC/Gateway to the fixed build in Citrix's NetScaler security bulletin for CVE-2025-5777 now, and after patching terminate ALL active ICA/PCoIP and AAA sessions — tokens harvested via CVE-2025-5777 remain valid across the patch.
- Hunt NetScaler ns.log for a burst of AAA LOGIN_FAILED events carrying binary/unprintable User values from a single source IP, and for any authenticated session driven from an IP that has no preceding successful authentication.
- Forward NetScaler logs off-box to a SIEM before hunting — on-device ns.log rotates fast enough to lose the evidence.
- Alert on gpupdate followed closely by an AppMgmt (Application Management) service start and a new SYSTEM-context process, and on net user / net localgroup Administrators account creation outside change management.
- Inventory endpoints for unexpected ScreenConnect, Zoho Assist, Netbird or Atera installs not tied to a sanctioned RMM deployment.
AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.