Tags: ransomware-group-operation, perimeter-device-exposure, identity-authentication-vulnerability, threat-infrastructure-tracking

CitrixBleed Flaws Exposed NetScaler Sessions to LockBit-Linked Intrusions

Updated 2d ago | First seen Dec 9, 2025 | 3 sources

Researchers detailed how ransomware operators linked to LockBit exploited Citrix NetScaler ADC and Gateway appliances through the original CitrixBleed flaw, CVE-2023-4966, using stolen session data to support follow-on access and affiliate infrastructure operations. An OSINT analysis built from joint government and Boeing-published indicators identified additional suspected LockBit infrastructure spanning command-and-control, remote management, FTP, RDP, and OpenVPN services, with recurring hosting patterns and overlaps with tooling and infrastructure previously associated with Akira, Avaddon, Cerber, BumbleBee, Raccoon Stealer, RecordBreaker, SolarMarker, 8Base, and ShadowSyndicate.

A later root-cause analysis of CitrixBleed 2, CVE-2025-5777, showed that a malformed POST request to /p/u/doAuthentication.do can trigger an out-of-bounds memory disclosure on vulnerable NetScaler devices, leaking up to 0x7F bytes per request in an authentication failure response. Researchers warned that exposed memory may include credentials, session cookies, and private keys, making the bug a low-noise path to unauthenticated access similar in impact to the earlier CitrixBleed incidents; Citrix issued fixes and defenders were urged to patch immediately, invalidate sessions, reset credentials, rotate certificates and secrets where needed, and review telemetry for LockBit-related indicators, while broad community IOC feeds for suspected LockBit 5.0 activity have also circulated with explicit false-positive caveats.
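The "review telemetry" advice above can be made concrete on the access-log side. Because each request to the affected endpoint discloses at most 0x7F bytes, harvesting anything useful requires many repeated POSTs from the same source, so a burst of POSTs to /p/u/doAuthentication.do is the signal worth alerting on. The following is an added, defender-side example, not code from Mallory, Knownsec or any other party cited on this page; it assumes Apache combined-format log lines (real NetScaler or front-proxy formats differ, adapt the regex), uses constructed sample lines, and the 20-requests-per-60-seconds threshold is an assumed tuning value.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

AUTH_PATH = "/p/u/doAuthentication.do"  # endpoint named in the CVE-2025-5777 analysis
# Assumed Apache combined format: src ident user [ts] "METHOD PATH PROTO" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def parse_line(line):
    """Return (src_ip, timestamp, method, path, status) or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, ts, method, path, status = m.groups()
    return src, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def auth_post_bursts(lines, threshold=20, window=timedelta(seconds=60)):
    """Flag sources that POST to the auth endpoint >= threshold times inside any
    sliding window. A single failed login is normal; a burst is not. The HTTP
    status is parsed but not used: the page does not state which code the
    failure response carries, so the check keys on method and path only."""
    per_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] == AUTH_PATH:
            per_src[rec[0]].append(rec[1])
    flagged = {}
    for src, times in per_src.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged

def _line(src, sec, method, path, status):
    """Build one constructed log line (sample data, not real traffic)."""
    return (f'{src} - - [21/Jul/2025:10:00:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 312 "-" "python-requests/2.31"')

# Constructed sample: one host hammers the auth endpoint, one user logs in normally.
SAMPLE_LOG = [_line("203.0.113.7", i % 60, "POST", AUTH_PATH, 200) for i in range(30)]
SAMPLE_LOG += [_line("198.51.100.4", 5, "POST", AUTH_PATH, 200),
               _line("198.51.100.4", 9, "GET", "/vpn/index.html", 200)]

if __name__ == "__main__":
    for src, n in auth_post_bursts(SAMPLE_LOG).items():
        print(f"{src}: {n} auth POSTs within 60s; review memory-disclosure telemetry")
```

A hit should be followed by the response actions the page lists (patch, invalidate sessions, reset credentials, rotate secrets), since a disclosure may already have occurred before the alert fired.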


Event timeline: how this story unfolded

5 events, from the most recent confirmed update back to the earliest known activity.
Dec 9, 2025 (7mo ago)

LockBit 5.0 Sigma IOC feed publication continues on Medium

The Medium post for the LockBit 5.0 detection content was published on December 9, 2025, reflecting the release window for the experimental Sigma IOC feed. It documented broad detection logic for domains, IPs, hashes, URL patterns, hostnames, and command-line behaviors tied to suspected LockBit 5.0 activity.

LockBit 5.0 Detect - Sigma Rule - iOC Feed | by Onur OKTAY | Medium
Dec 8, 2025 (7mo ago)

Experimental LockBit 5.0 Sigma IOC feed is published

Onur OKTAY published an experimental Sigma rule and IOC feed for suspected LockBit 5.0 activity, aggregating known and inferred indicators across network and endpoint telemetry. The feed explicitly warned that several indicators were inferential and carried high false-positive risk.

LockBit 5.0 Detect - Sigma Rule - iOC Feed | by Onur OKTAY | Medium
Jul 21, 2025 (1y ago)

Knownsec publishes root cause analysis of CitrixBleed 2

Knownsec 404 Team published a technical root cause analysis of CVE-2025-5777, explaining the malformed POST parsing bug in /p/u/doAuthentication.do and how it can leak memory in authentication failure responses. The article also noted that public proof-of-concept code already supported exploitation and urged immediate defensive action.

Root Cause Analysis of the CitrixBleed 2 (CVE-2025-5777) Vulnerability | by Knownsec 404 team | Medium
Jun 17, 2025 (1y ago)

Citrix releases fixes for CVE-2025-5777

Citrix released fixes for CVE-2025-5777, a high-severity memory disclosure vulnerability affecting NetScaler ADC and Gateway. The flaw, later dubbed CitrixBleed 2, could expose sensitive memory contents to unauthenticated attackers.

Root Cause Analysis of the CitrixBleed 2 (CVE-2025-5777) Vulnerability | by Knownsec 404 team | Medium
Nov 28, 2023 (3y ago)

OSINT Team publishes LockBit 3.0 infrastructure analysis

OSINT Team published an infrastructure analysis linking LockBit 3.0 affiliates exploiting CVE-2023-4966 to additional command-and-control, remote management, FTP, RDP, and OpenVPN infrastructure. The research expanded on advisory and Boeing-linked indicators and identified overlaps with other ransomware and malware ecosystems.

Infrastructure Analysis: LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability | by Joshuapenny | OSINT Team
Related entities

Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story (52 linked).

Affected products (6 linked): Netscaler Gateway, Netscaler Adc, Teamviewer, Anydesk, Atera, Openvpn

Organizations (21 linked): Citrix Systems, OpenSSL Software Foundation, Rapid7, Knownsec, Bridewell, NameCheap, Microsoft Corporation, WatchTowr, Group-IB, Teamviewer, Boeing, Chang Way Technologies Co. Limited, M247, Flyservers S.A., NForce Entertainment B.V., Atera, XHOST Internet Solutions LP, Selectel, VDSina Hosting, SIERRA LLC, ARTNET