Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…
EPSS 86.7%top 0.28%

CitrixBleed 2 (CVE-2025-5777) 7 Steps to Dragonforce Ransomware

0
Medium
Published: 07/09/2026 (07/09/2026, 13:20:34 UTC)
Source: AlienVault OTX General

Description

Between January and June 2026, multiple unrelated organizations experienced nearly identical intrusions following a standardized seven-step attack chain. The attacks exploited CitrixBleed 2 (CVE-2025-5777), a memory-overread vulnerability in NetScaler ADC and Gateway appliances. Attackers sent malformed pre-authentication login requests that leaked NetScaler memory containing valid session tokens, bypassing multi-factor authentication by hijacking active sessions. Following initial access, threat actors consistently escalated privileges to SYSTEM using a registry-symlink exploitation technique targeting the AppMgmt service, created rogue administrator accounts (CtxAppVCOMService, ctxsvc, test), and established persistence through legitimate remote access tools including ScreenConnect and Zoho Assist. The most advanced case culminated in DragonForce ransomware deployment. The highly standardized tradecraft, reused infrastructure, and consistent indicators across unrelated victims suggest a single Initial Ac...

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/10/2026, 07:47:36 UTC

Technical Analysis

Between January and June 2026, multiple unrelated organizations suffered intrusions exploiting CitrixBleed 2 (CVE-2025-5777), a memory-overread vulnerability in NetScaler ADC and Gateway appliances. Attackers sent malformed pre-authentication login requests that leaked NetScaler memory containing valid session tokens, enabling bypass of multi-factor authentication by hijacking active sessions. After initial access, threat actors escalated privileges to SYSTEM via a registry-symlink exploitation technique targeting the AppMgmt service, created rogue administrator accounts (CtxAppVCOMService, ctxsvc, test), and established persistence through legitimate remote access tools such as ScreenConnect and Zoho Assist. The attack chain is highly standardized, with reused infrastructure and consistent indicators, suggesting a single initial access broker. The most advanced incidents resulted in DragonForce ransomware deployment.

Potential Impact

Successful exploitation allows attackers to bypass multi-factor authentication by hijacking active sessions, gain SYSTEM-level privileges through privilege escalation, create unauthorized administrator accounts, and maintain persistent access via legitimate remote access tools. This can lead to full compromise of affected systems and deployment of ransomware, specifically DragonForce ransomware in observed cases.

Mitigation Recommendations

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. In the absence of confirmed patches, organizations should monitor for indicators of compromise related to this attack chain and restrict use of vulnerable NetScaler ADC and Gateway appliances where possible. Since this is not a cloud service, remediation depends on vendor patch availability and deployment by affected organizations.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Author
AlienVault
Tlp
white
References
["https://www.huntress.com/blog/citrixbleed-2-dragonforce-ransomware"]
Adversary
DragonForce
Pulse Id
6a4fa0227d951890d045e399
Threat Score
null

Indicators of Compromise

Cve

ValueDescriptionCopy
cveCVE-2017-18362
cveCVE-2023-4966
cveCVE-2025-5777
cveCVE-2026-4368

Domain

ValueDescriptionCopy
domaindoauthentication.do
domainvpts.us
domainopa.tlsd.shop
domainrelay.dltsolutions.top
domainrelay.eurofin.digital

Hash

ValueDescriptionCopy
hashc4fcae3847946173bf0b3cedf5d97a9e3d18090023842f942ba544fa7fda180d
hashc84739655ce1af0a0269138263d47567418f69e0f75e249f8e23bc21802209e2
hasheb083365dc70d0294e8c4f55a2e78be0edb0f3497f2a06a70c9f474dafab48d8

Url

ValueDescriptionCopy
urlhttp://relay.eurofin.digital:8041

Threat ID: 6a50a01268715ace433595ca

Added to database: 07/10/2026, 07:32:34 UTC

Last enriched: 07/10/2026, 07:47:36 UTC

Last updated: 07/10/2026, 17:03:58 UTC

Views: 6

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses