CitrixBleed Flaws Exposed NetScaler Sessions to LockBit-Linked Intrusions
Researchers detailed how ransomware affiliates linked to LockBit 3.0 exploited Citrix NetScaler ADC and Gateway appliances through the original CitrixBleed flaw, CVE-2023-4966, a buffer over-read that leaks valid session tokens; replaying those tokens let the intruders hijack authenticated sessions without passwords or MFA and build follow-on access and affiliate infrastructure on top of it. An OSINT analysis built from the indicators in the joint government advisory (CISA AA23-325A) and those published by Boeing identified additional suspected LockBit infrastructure spanning command-and-control, remote management, FTP, RDP, and OpenVPN services, with recurring hosting patterns and overlaps with tooling and infrastructure previously associated with Akira, Avaddon, Cerber, BumbleBee, Raccoon Stealer, RecordBreaker, SolarMarker, 8Base, and ShadowSyndicate.
A later root-cause analysis of CitrixBleed 2, CVE-2025-5777, showed that a malformed POST request to /p/u/doAuthentication.do triggers an out-of-bounds read on vulnerable NetScaler devices: the appliance reflects up to 0x7F (127) bytes of process memory per request back to the unauthenticated sender inside the authentication-failure response. Because each request yields only a small slice, attackers repeat the request many times, so a burst of failed authentication POSTs to that endpoint from a single source is itself a detection signal. Researchers warned that the exposed memory may include credentials, session cookies, and private keys, making the bug a low-noise path to unauthenticated access comparable in impact to the original CitrixBleed. Citrix issued fixed builds, and defenders were urged to patch immediately, terminate existing sessions after upgrading (patching alone does not invalidate tokens already leaked), reset credentials, rotate certificates and secrets wherever exposure is plausible, and review telemetry for LockBit-related indicators; broad community IOC feeds for suspected LockBit 5.0 activity have also circulated, with explicit false-positive caveats.
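To make the request/response pattern described above concrete, the following triage script is an added example for this page; it is not code from the Knownsec 404 analysis, from Citrix, or from the Mallory platform. It assumes a log source that records method, path, source IP, raw POST body and raw response body, it assumes the malformed form is a `login` form field sent with no `=` (a detail taken from public write-ups of the bug, not from this page's text), and it assumes the leaked bytes land inside the `<InitialValue>` element of the authentication-failure XML. The endpoint path and the 0x7F-per-request ceiling come from the page. All sample transactions are constructed.

```python
"""Triage helper for CitrixBleed 2 (CVE-2025-5777) traffic.

Added example for this page; not code from Knownsec 404, Citrix, or Mallory.
Assumptions not stated on the page:
  * logs expose method, path, source IP, raw POST body and raw response body
  * the malformed form is a 'login' form field sent with no '=' (from public
    write-ups of the bug, not from this page's text)
  * leaked bytes appear inside the <InitialValue> element of the auth-failure XML
"""
import re
from collections import Counter

AUTH_PATH = "/p/u/doAuthentication.do"      # endpoint named in the root-cause analysis
INITIAL_VALUE_RE = re.compile(rb"<InitialValue>(.*?)</InitialValue>", re.S)


def malformed_fields(body: bytes) -> list[str]:
    """Names of form fields sent without '=' (b'login' rather than b'login=')."""
    return [f.decode("latin-1") for f in body.split(b"&") if f and b"=" not in f]


def leaked_bytes(response: bytes) -> bytes:
    """Content of the first <InitialValue> element; b'' if absent or empty."""
    m = INITIAL_VALUE_RE.search(response)
    return m.group(1) if m else b""


def looks_like_memory(data: bytes) -> bool:
    """A reflected username is printable ASCII; a raw stack slice is not.
    The bug leaks at most 0x7F bytes per response, so the slice is short."""
    return any(b < 0x20 or b > 0x7E for b in data)


def triage(transactions):
    """Return ([(src, reasons)], Counter of flagged requests per source IP)."""
    findings, per_src = [], Counter()
    for t in transactions:
        if t["method"] != "POST" or t["path"] != AUTH_PATH:
            continue
        reasons = []
        if "login" in malformed_fields(t["body"]):
            reasons.append("login field sent without '='")
        leak = leaked_bytes(t["response"])
        if looks_like_memory(leak):
            reasons.append(f"{len(leak)}-byte <InitialValue> containing non-printable bytes")
        if reasons:
            per_src[t["src"]] += 1
            findings.append((t["src"], reasons))
    return findings, per_src


def sample_transactions():
    """Constructed sample data (RFC 5737 documentation addresses); not captured traffic."""
    ok_resp = (b"<?xml version='1.0'?><Authenticate>"
               b"<InitialValue>alice</InitialValue></Authenticate>")
    # constructed stand-in for a leaked stack slice: control and high bytes, no NUL
    leak = b"\x90\x03\x7f\xc2\xa9\x10tok=" + b"A" * 24 + b"\x1b\x88"
    leak_resp = (b"<?xml version='1.0'?><Authenticate><InitialValue>"
                 + leak + b"</InitialValue></Authenticate>")
    return [
        {"src": "203.0.113.5", "method": "POST", "path": AUTH_PATH,
         "body": b"login=alice&passwd=wrong", "response": ok_resp},   # ordinary failed login
        {"src": "198.51.100.7", "method": "POST", "path": AUTH_PATH,
         "body": b"login", "response": leak_resp},                     # malformed, memory reflected
        {"src": "198.51.100.7", "method": "POST", "path": AUTH_PATH,
         "body": b"login", "response": leak_resp},                     # repeated: harvesting
        {"src": "198.51.100.7", "method": "GET", "path": AUTH_PATH,
         "body": b"", "response": b""},                                # wrong method, ignored
    ]


if __name__ == "__main__":
    found, counts = triage(sample_transactions())
    for src, reasons in found:
        print(src, "; ".join(reasons))
    for src, n in counts.items():
        if n > 1:
            print(f"{src}: {n} flagged requests, consistent with repeated harvesting")
```

The request-side check (a field with no `=`) is the cheap one and fires before any memory is returned; the response-side check catches variants that reach the parser by another route, since a legitimately reflected username never contains control or high bytes. Treat any source with more than one flagged request as harvesting, and treat the 127-byte slices as potentially containing live session cookies, which is why session termination, not just patching, is part of the response.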

How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
LockBit 5.0 Sigma IOC feed post dated December 9, 2025
The Medium post carrying the LockBit 5.0 detection content is dated December 9, 2025, which marks the release window for the experimental Sigma IOC feed. It documented broad detection logic covering domains, IPs, hashes, URL patterns, hostnames, and command-line behaviors tied to suspected LockBit 5.0 activity.
Experimental LockBit 5.0 Sigma IOC feed is published
Onur OKTAY published an experimental Sigma rule and IOC feed for suspected LockBit 5.0 activity, aggregating known and inferred indicators across network and endpoint telemetry. The feed explicitly warned that several indicators were inferred rather than observed and carried a high false-positive risk.
Knownsec publishes root cause analysis of CitrixBleed 2
Knownsec 404 Team published a technical root-cause analysis of CVE-2025-5777, explaining the malformed-POST parsing bug in /p/u/doAuthentication.do and how it leaks process memory in authentication-failure responses. The article also noted that public proof-of-concept code was already available and urged immediate defensive action.
Citrix releases fixes for CVE-2025-5777
Citrix released fixes for CVE-2025-5777, a critical (CVSS 9.3) memory disclosure vulnerability affecting NetScaler ADC and Gateway. The flaw, later dubbed CitrixBleed 2, exposes sensitive memory contents to unauthenticated attackers.
OSINT Team publishes LockBit 3.0 infrastructure analysis
OSINT Team published an infrastructure analysis linking LockBit 3.0 affiliates exploiting CVE-2023-4966 to additional command-and-control, remote management, FTP, RDP, and OpenVPN infrastructure. The research expanded on advisory and Boeing-linked indicators and identified overlaps with other ransomware and malware ecosystems.
Sources
3 references tracked.
Onur OKTAY, "LockBit 5.0 Detect - Sigma Rule - iOC Feed", Medium (medium.com)
Knownsec 404 Team, "Root Cause Analysis of the CitrixBleed 2 (CVE-2025-5777) Vulnerability", Medium (medium.com)
Joshuapenny, "Infrastructure Analysis: LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability", OSINT Team (osintteam.blog)


