Attackers exploited CitrixBleed 2 (CVE-2025-5777) in Citrix NetScaler ADC and Gateway appliances to steal session data from memory and hijack valid user sessions, enabling repeated compromises across multiple organizations. Huntress reported that the flaw, a pre-authentication memory over-read, was used as the likely initial access vector in a series of intrusions, allowing attackers to bypass the practical protections of MFA once a legitimate session token had been captured.
After gaining access, the intruders followed a consistent post-compromise playbook on Windows systems: escalating privileges with a portable local privilege escalation tool abusing REG_LINK and AppMgmt, creating fake administrator accounts, and deploying remote access software including ScreenConnect and Zoho Assist. In at least one case, the activity culminated in DragonForce ransomware, and Huntress assessed the campaign was more likely tied to a successful initial access broker than a single ransomware operator, while urging defenders to patch vulnerable NetScaler systems, terminate active sessions, preserve logs, and hunt for suspicious accounts, hostnames, and tooling.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
3 events from the most recent confirmed update back to the earliest known activity.
On 2026-07-09, Huntress published a report detailing a consistent post-compromise playbook across unrelated victims, including session hijacking, Windows privilege escalation, fake administrator account creation, and installation of remote access tools such as ScreenConnect or Zoho Assist. The report urged organizations to patch NetScaler, retain logs, terminate outstanding sessions, and hunt for specific accounts, hostnames, and tooling.
In at least one of the intrusions Huntress investigated, the attackers progressed from NetScaler compromise to deploying DragonForce ransomware. Huntress assessed the activity was more likely tied to a common initial access broker used by multiple ransomware actors than to a single DragonForce affiliate.
Huntress described a cluster of intrusions in the first half of 2026 in which attackers repeatedly compromised Citrix NetScaler ADC and Gateway environments. The company assessed with high confidence that the initial access vector was CVE-2025-5777, also known as CitrixBleed 2.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.