CitrixBleed 2 (CVE-2025-5777) 7 Steps to Dragonforce Ransomware
Between January and June 2026, multiple unrelated organizations experienced nearly identical intrusions following a standardized seven-step attack chain. The attacks exploited CitrixBleed 2 (CVE-2025-5777), a memory-overread vulnerability in NetScaler ADC and Gateway appliances. Attackers sent malformed pre-authentication login requests that leaked NetScaler memory containing valid session tokens, bypassing multi-factor authentication by hijacking active sessions. Following initial access, threat actors consistently escalated privileges to SYSTEM using a registry-symlink exploitation technique targeting the AppMgmt service, created rogue administrator accounts (CtxAppVCOMService, ctxsvc, test), and established persistence through legitimate remote access tools including ScreenConnect and Zoho Assist. The most advanced case culminated in DragonForce ransomware deployment. The highly standardized tradecraft, reused infrastructure, and consistent indicators across unrelated victims suggest a single Initial Ac...
AI Analysis
Technical Summary
Between January and June 2026, multiple unrelated organizations suffered intrusions exploiting CitrixBleed 2 (CVE-2025-5777), a memory-overread vulnerability in NetScaler ADC and Gateway appliances. Attackers sent malformed pre-authentication login requests that leaked NetScaler memory containing valid session tokens, enabling bypass of multi-factor authentication by hijacking active sessions. After initial access, threat actors escalated privileges to SYSTEM via a registry-symlink exploitation technique targeting the AppMgmt service, created rogue administrator accounts (CtxAppVCOMService, ctxsvc, test), and established persistence through legitimate remote access tools such as ScreenConnect and Zoho Assist. The attack chain is highly standardized, with reused infrastructure and consistent indicators, suggesting a single initial access broker. The most advanced incidents resulted in DragonForce ransomware deployment.
Potential Impact
Successful exploitation allows attackers to bypass multi-factor authentication by hijacking active sessions, gain SYSTEM-level privileges through privilege escalation, create unauthorized administrator accounts, and maintain persistent access via legitimate remote access tools. This can lead to full compromise of affected systems and deployment of ransomware, specifically DragonForce ransomware in observed cases.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. In the absence of confirmed patches, organizations should monitor for indicators of compromise related to this attack chain and restrict use of vulnerable NetScaler ADC and Gateway appliances where possible. Since this is not a cloud service, remediation depends on vendor patch availability and deployment by affected organizations.
Indicators of Compromise
- cve: CVE-2017-18362
- cve: CVE-2023-4966
- cve: CVE-2025-5777
- domain: doauthentication.do
- cve: CVE-2026-4368
- hash: c4fcae3847946173bf0b3cedf5d97a9e3d18090023842f942ba544fa7fda180d
- hash: c84739655ce1af0a0269138263d47567418f69e0f75e249f8e23bc21802209e2
- hash: eb083365dc70d0294e8c4f55a2e78be0edb0f3497f2a06a70c9f474dafab48d8
- url: http://relay.eurofin.digital:8041
- domain: vpts.us
- domain: opa.tlsd.shop
- domain: relay.dltsolutions.top
- domain: relay.eurofin.digital
CitrixBleed 2 (CVE-2025-5777) 7 Steps to Dragonforce Ransomware
Description
Between January and June 2026, multiple unrelated organizations experienced nearly identical intrusions following a standardized seven-step attack chain. The attacks exploited CitrixBleed 2 (CVE-2025-5777), a memory-overread vulnerability in NetScaler ADC and Gateway appliances. Attackers sent malformed pre-authentication login requests that leaked NetScaler memory containing valid session tokens, bypassing multi-factor authentication by hijacking active sessions. Following initial access, threat actors consistently escalated privileges to SYSTEM using a registry-symlink exploitation technique targeting the AppMgmt service, created rogue administrator accounts (CtxAppVCOMService, ctxsvc, test), and established persistence through legitimate remote access tools including ScreenConnect and Zoho Assist. The most advanced case culminated in DragonForce ransomware deployment. The highly standardized tradecraft, reused infrastructure, and consistent indicators across unrelated victims suggest a single Initial Ac...
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Between January and June 2026, multiple unrelated organizations suffered intrusions exploiting CitrixBleed 2 (CVE-2025-5777), a memory-overread vulnerability in NetScaler ADC and Gateway appliances. Attackers sent malformed pre-authentication login requests that leaked NetScaler memory containing valid session tokens, enabling bypass of multi-factor authentication by hijacking active sessions. After initial access, threat actors escalated privileges to SYSTEM via a registry-symlink exploitation technique targeting the AppMgmt service, created rogue administrator accounts (CtxAppVCOMService, ctxsvc, test), and established persistence through legitimate remote access tools such as ScreenConnect and Zoho Assist. The attack chain is highly standardized, with reused infrastructure and consistent indicators, suggesting a single initial access broker. The most advanced incidents resulted in DragonForce ransomware deployment.
Potential Impact
Successful exploitation allows attackers to bypass multi-factor authentication by hijacking active sessions, gain SYSTEM-level privileges through privilege escalation, create unauthorized administrator accounts, and maintain persistent access via legitimate remote access tools. This can lead to full compromise of affected systems and deployment of ransomware, specifically DragonForce ransomware in observed cases.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. In the absence of confirmed patches, organizations should monitor for indicators of compromise related to this attack chain and restrict use of vulnerable NetScaler ADC and Gateway appliances where possible. Since this is not a cloud service, remediation depends on vendor patch availability and deployment by affected organizations.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://www.huntress.com/blog/citrixbleed-2-dragonforce-ransomware"]
- Adversary
- DragonForce
- Pulse Id
- 6a4fa0227d951890d045e399
- Threat Score
- null
Indicators of Compromise
Cve
| Value | Description | Copy |
|---|---|---|
cveCVE-2017-18362 | — | |
cveCVE-2023-4966 | — | |
cveCVE-2025-5777 | — | |
cveCVE-2026-4368 | — |
Domain
| Value | Description | Copy |
|---|---|---|
domaindoauthentication.do | — | |
domainvpts.us | — | |
domainopa.tlsd.shop | — | |
domainrelay.dltsolutions.top | — | |
domainrelay.eurofin.digital | — |
Hash
| Value | Description | Copy |
|---|---|---|
hashc4fcae3847946173bf0b3cedf5d97a9e3d18090023842f942ba544fa7fda180d | — | |
hashc84739655ce1af0a0269138263d47567418f69e0f75e249f8e23bc21802209e2 | — | |
hasheb083365dc70d0294e8c4f55a2e78be0edb0f3497f2a06a70c9f474dafab48d8 | — |
Url
| Value | Description | Copy |
|---|---|---|
urlhttp://relay.eurofin.digital:8041 | — |
Threat ID: 6a50a01268715ace433595ca
Added to database: 07/10/2026, 07:32:34 UTC
Last enriched: 07/10/2026, 07:47:36 UTC
Last updated: 07/10/2026, 17:03:58 UTC
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.