Initial access broker linked to weaponization of CitrixBleed2 flaw
Initial access broker linked to weaponization of CitrixBleed2 flaw
https://www.cybersecuritydive.com/news/initial-access-broker-citrixbleed2-flaw-DragonForce/824961/
Publish Date: 2026-07-10 12:25:00
Source Domain: www.cybersecuritydive.com
An initial access broker weaponized a critical vulnerability known as CitrixBleed 2 in a series of attacks during the first half of 2026 across multiple organizations, according to a report released Thursday by the security company Huntress.
After exploiting the vulnerability, the hackers escalated privileges, created rogue local administrator accounts and established persistence with legitimate remote access tools, including ScreenConnect and Zoho Assist.
About a half-dozen cases between January and June followed a consistent playbook. In the most advanced case, the attackers deployed DragonForce ransomware, Huntress researchers said.
“In the incident that progressed to ransomware, the speed the adversary operated with was their singular advantage — ransomware was deployed almost immediately following the execution of the local privilege escalation script — leaving little time for defenders to respond,” Michael Tigges, principal tactical response analyst at Huntress, told Cybersecurity Dive.
The cases all involved very similar attack patterns. Only one of the cases led to deployment of DragonForce ransomware.
Huntress is urging organizations using Citrix NetScaler to patch their systems and apply other additional measures.
The vulnerability is related to insufficient input validation in NetScaler ADC and NetScaler Gateway that leads to memory overread when NetScaler is configured as Gateway or virtual server, according to Citrix. The flaw was exploited in a number of attacks in 2025.
Citrix released guidance on the vulnerability last year.
Related campaign
In April, researchers at Sophos spotted a similar pattern of activity, tracking the cluster under the name STAC3725. Those attacks involved the abuse of QEMU, an open-source machine emulator.
The flaw is similar to the same 2023 vulnerability known as CitrixBleed that led to a massive wave of attacks against major…