STAC3725 is an intrusion campaign first observed by Sophos in February 2026. It exploits CitrixBleed2 (CVE-2025-5777) affecting NetScaler ADC and Gateway instances for initial access, then installs a malicious ScreenConnect client for persistence and control. Sophos reported that the campaign abuses QEMU to launch a hidden Alpine Linux virtual machine on compromised hosts, allowing post-compromise activity to evade host-based endpoint security visibility. Reported STAC3725 activity includes creation of a rogue local administrator account named CtxAppVCOMService, installation of a service named AppMgmt, deployment of remote access software, and extraction of a QEMU package that launches qemu-system-x86_64.exe with a custom.qcow2 disk image. The ScreenConnect client was reported contacting the relay server vtps[.]us. Inside the VM, the operators manually built or compiled their toolkit rather than deploying a prebuilt set of tools. Tools explicitly reported include Impacket, KrbRelayX, Coercer, BloodHound.py, NetExec, Kerbrute, and Metasploit, along with supporting Python, Rust, Ruby, and C libraries. Observed objectives and tradecraft include credential theft from Active Directory environments, Kerberos username enumeration with Kerbrute, Active Directory reconnaissance with BloodHound, downloading credentials from compromised environments, and staging payloads or data via FTP servers. Sophos also reported registry modification, disabling protections, and installation of vulnerable drivers to weaken defenses. Post-compromise activity varied across incidents, which Sophos noted may indicate that access was sometimes sold to other threat actors. No additional aliases or nation-state attribution were provided in the content.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
13 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Attack campaign leveraging CitrixBleed2 for initial access, followed by installation of a malicious ScreenConnect client for persistence and deployment of a QEMU VM to conduct credential theft against Active Directory. Attackers manually compile tooling inside the VM for reconnaissance, Kerberos enumeration, coercion, relay, and payload staging.
Campaign using CitrixBleed2 for initial access, then deploying ScreenConnect and QEMU-based virtual machines to conduct reconnaissance, credential theft, persistence, and long-term access operations.
An activity cluster exploiting CitrixBleed 2 to compromise NetScaler devices, deploy ScreenConnect and QEMU-based hidden Alpine Linux VMs, and perform credential harvesting, Active Directory reconnaissance, and exfiltration staging.
Intrusion campaign exploiting CitrixBleed2 to gain access, installing a malicious ScreenConnect client for persistence, and deploying a QEMU VM to manually build and run a credential theft and Active Directory enumeration toolkit.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.