CitrixBleed 2 Becomes a Ransomware Gateway: Huntress Uncovers a Highly Organized Attack Chain Leading to DragonForce + Video

Listen to this Post

Featured ImageIntroduction – A New Wave of Enterprise Attacks Is Raising the Stakes

Cybercriminals continue to refine their operations, transforming isolated exploits into industrial-scale attack campaigns capable of compromising organizations within hours. Security researchers are now witnessing a dangerous evolution where a single vulnerability is no longer just an entry point—it becomes the foundation of a complete cybercrime supply chain. The latest investigation by Huntress demonstrates exactly how this model works, revealing a sophisticated attack chain that consistently abuses the CitrixBleed 2 vulnerability to infiltrate enterprise networks before ultimately delivering DragonForce ransomware. The findings highlight how modern Initial Access Brokers (IABs) have become specialized businesses that focus solely on breaking into networks and selling that access to ransomware operators.

Huntress Discovers an Identical Attack Pattern Across Multiple Organizations

Threat hunters at Huntress analyzed several unrelated organizations compromised during the first half of 2026 and noticed something unusual. Every intrusion followed almost the exact same sequence of events.

The attackers used identical privilege escalation methods, created administrator accounts with matching naming conventions, deployed nearly identical remote management software, and repeatedly communicated with the same attacker-controlled infrastructure.

Such consistency is rarely seen in opportunistic cyberattacks.

Instead, Huntress believes this represents a mature Initial Access Broker operation that follows a standardized playbook. Rather than directly stealing data or deploying ransomware immediately, the attackers first establish reliable access inside corporate environments and later transfer that access to ransomware affiliates.

The final objective, in several incidents, became DragonForce ransomware deployment.

Understanding CitrixBleed 2: A Vulnerability That Bypasses MFA

The attack begins with CVE-2025-5777, widely known as CitrixBleed 2.

This vulnerability affects Citrix NetScaler ADC and Gateway appliances configured for authentication services.

Unlike many vulnerabilities that require credentials, CitrixBleed 2 works before authentication even occurs.

A specially crafted POST request containing an empty login variable forces the appliance to accidentally leak approximately 127 bytes of memory from adjacent processes.

Although this amount appears small, repeated requests allow attackers to collect valuable memory fragments, including authenticated session tokens.

Those tokens become the real prize.

Instead of guessing passwords or bypassing authentication directly, attackers simply steal an already authenticated session.

Why Multi-Factor Authentication Failed

One of the most alarming discoveries involved an employee who successfully authenticated through LDAP using multi-factor authentication.

Everything appeared completely legitimate.

Twenty-one minutes later, investigators observed the exact same authenticated session operating from a completely different attacker IP address.

No additional login occurred.

No failed authentication attempts appeared.

No MFA challenge was triggered.

The attackers simply reused the stolen session token.

Because the legitimate user had already completed MFA, the authentication process was effectively inherited by the attacker.

This demonstrates one of the biggest weaknesses of session hijacking attacks: MFA protects the login process but cannot protect stolen authenticated sessions.

Privilege Escalation: Turning User Access into Full System Control

After entering the environment, attackers consistently executed the same unsigned Local Privilege Escalation tool.

The malware abused

By creating carefully crafted registry symbolic links and forcing Windows Group Policy to refresh using gpupdate, the attackers manipulated SYSTEM-level processes into modifying protected registry locations.

The attack eventually abused the AppMgmt service to relaunch malicious binaries with SYSTEM privileges.

Once SYSTEM access was obtained, attackers created hidden administrator accounts using built-in Windows commands.

These accounts ensured long-term privileged access even if the original session expired.

Interestingly, Huntress observed that the tool automatically restored the registry after exploitation, removing evidence that incident responders normally rely upon during forensic investigations.

Human Operators Remain Behind the Keyboard

Although much of the attack chain was automated, investigators noticed several operational mistakes.

One attacker mistyped a net user command while creating administrator accounts.

These mistakes strongly suggest that human operators supervised the automated toolkit rather than relying entirely on autonomous malware.

This hybrid model has become increasingly common among sophisticated ransomware groups.

Automation performs repetitive work while experienced operators intervene whenever manual decision-making becomes necessary.

Persistence Achieved Through Legitimate Remote Management Software

Instead of installing obvious malware, attackers maintained access using trusted Remote Monitoring and Management (RMM) software.

The most common persistence mechanism involved rogue ScreenConnect clients communicating with attacker-controlled infrastructure.

Additional incidents involved Zoho Assist installations.

One earlier compromise also used NetBird alongside Atera, matching details previously observed by Sophos during separate investigations.

Using legitimate administrative software makes malicious activity far more difficult to detect because these applications are frequently approved inside enterprise environments.

Traditional antivirus solutions often ignore them entirely.

The Final Stage: DragonForce Ransomware Deployment

In the most advanced intrusion Huntress investigated, attackers expanded their access across the network using several well-known offensive security tools.

These included:

PsExec for remote execution

Impacket-based utilities

Mimikatz for credential theft

Administrative scripts for lateral movement

After collecting privileged credentials, DragonForce ransomware was finally deployed.

Fortunately, rapid incident response contained encryption to a single compromised host before widespread business disruption occurred.

The incident nevertheless illustrates how quickly an initial vulnerability can evolve into a full ransomware event.

Attribution Remains Uncertain Despite Strong Technical Similarities

Although the attack chain strongly resembles activity associated with DragonForce operations, Huntress intentionally stopped short of assigning direct attribution.

Initial Access Brokers frequently sell compromised environments to multiple ransomware organizations.

This creates overlapping tactics that blur traditional attribution methods.

Instead of identifying DragonForce as the original attacker, Huntress believes a highly successful Initial Access Broker is likely responsible for the early stages of compromise.

DragonForce may simply represent one customer purchasing that access.

Recommendations for Organizations Running Citrix NetScaler

Organizations using NetScaler appliances should immediately apply security updates addressing CVE-2025-5777.

Patching alone is not sufficient.

Any previously stolen session tokens may remain valid even after systems are updated.

Security teams should terminate all active sessions, retain NetScaler logs within SIEM platforms before appliance logs rotate, review administrator accounts for unauthorized additions, and investigate unexpected installations of ScreenConnect, Zoho Assist, NetBird, or other remote administration software.

Continuous monitoring should also include detection of unusual registry modifications, privilege escalation attempts, and suspicious Group Policy behavior.

Deep Analysis

Command Breakdown of the Attack Chain

Phase 1 – Initial Access

Exploit CVE-2025-5777 (CitrixBleed 2)

Leak authenticated session tokens

Hijack active authenticated sessions

Phase 2 – Internal Access

Reuse stolen session

Avoid MFA completely

Establish foothold inside NetScaler environment

Phase 3 – Privilege Escalation

Deploy unsigned LPE executable

Abuse REG_LINK symbolic registry values

Execute gpupdate

Launch AppMgmt service

Obtain SYSTEM privileges

Phase 4 – Persistence

Execute net user

Execute net localgroup Administrators

Install rogue ScreenConnect

Deploy Zoho Assist

Configure attacker-controlled relay servers

Phase 5 – Lateral Movement

Execute PsExec

Use Impacket toolkit

Dump credentials with Mimikatz

Expand administrative control

Phase 6 – Impact

Deploy DragonForce ransomware

Encrypt targeted systems

Maintain remote access for future operations

This structured methodology demonstrates that modern ransomware attacks increasingly resemble enterprise IT operations. Every phase is documented, repeatable, and optimized for efficiency. The consistency across victims indicates that attackers are no longer improvising; they are following standardized operational procedures much like legitimate businesses. The use of Initial Access Brokers separates intrusion from ransomware deployment, creating a criminal ecosystem where different groups specialize in different stages of the attack. Session hijacking also exposes an uncomfortable reality: organizations relying solely on MFA cannot assume complete protection if session management is weak. Equally concerning is the abuse of legitimate remote management tools, which blends malicious behavior into normal administrative traffic. Defensive strategies must therefore focus on behavior, identity monitoring, session security, and rapid incident response rather than depending exclusively on endpoint detection.

What Undercode Say:

The Huntress investigation highlights one of the clearest examples of cybercrime specialization seen in recent years. Rather than one group performing every stage of an attack, the ecosystem now resembles a supply chain where Initial Access Brokers, malware developers, credential thieves, and ransomware operators each play a dedicated role.

CitrixBleed 2 is particularly dangerous because it targets trust rather than passwords. Once an authenticated session token is stolen, even perfectly implemented multi-factor authentication becomes ineffective. This changes how defenders should think about identity security. Session protection, continuous authentication, token monitoring, and rapid session invalidation are becoming just as important as password policies.

Another significant observation is the professional level of operational consistency. The same registry abuse, identical account creation patterns, recurring attacker infrastructure, and standardized persistence techniques suggest attackers are using documented internal procedures instead of improvisation. This level of maturity mirrors legitimate IT operations.

The widespread abuse of ScreenConnect and other legitimate remote administration platforms reinforces a long-term cybersecurity trend. Attackers increasingly prefer “living off the land,” using trusted software to remain invisible inside enterprise environments. Security teams should treat unexpected remote management software with the same urgency as traditional malware.

The incident also demonstrates why organizations must invest in centralized logging and long-term retention. Appliances like NetScaler often rotate logs quickly, potentially erasing crucial forensic evidence before investigators can examine it.

Finally, organizations should recognize that ransomware deployment is often the final step—not the beginning—of a compromise. By the time encryption starts, attackers may have already spent days or weeks harvesting credentials, expanding privileges, and establishing persistence. Detecting the early stages of the intrusion remains the most effective way to prevent catastrophic business disruption.

✅ Confirmed: Huntress publicly reported multiple highly similar attack chains exploiting CVE-2025-5777 (CitrixBleed 2), indicating a coordinated campaign rather than isolated incidents.

✅ Confirmed: Session hijacking through stolen authentication tokens can bypass MFA because the authentication process has already been completed by the legitimate user.

✅ Likely Accurate: While DragonForce ransomware appeared in the final stage of one investigated intrusion, Huntress cautiously attributes the initial compromises to a professional Initial Access Broker instead of definitively linking every intrusion directly to DragonForce operators.

Prediction

(+1) Organizations will increasingly deploy continuous session validation, identity-aware proxies, and automated session revocation technologies to defend against token hijacking attacks beyond traditional MFA.

(-1) Initial Access Broker operations will continue to expand throughout 2026 and beyond, supplying ransomware groups with pre-compromised enterprise environments, resulting in faster and more scalable ransomware campaigns against organizations that delay patching critical internet-facing infrastructure.

▶️ Related Video (76% Match):

🕵️‍📝Let’s dive deep and fact‑check.

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

References:

Reported By: www.itsecurityguru.org
Extra Source Hub (Possible Sources for article):
https://www.linkedin.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon | 📺Youtube