Security firm Huntress says a criminal access broker spent the first half of 2026 breaking into companies through a known Citrix flaw and, in at least one case, using that foothold to unleash DragonForce ransomware. The intrusions were so alike across unrelated victims that investigators could predict the attacker's next move before pulling the logs.
What happened
Huntress worked roughly half a dozen incidents at different organizations that all followed the same seven-step script: exploit an internet-facing Citrix NetScaler gateway, hijack a live user session, quietly escalate to full administrator rights, create a fake Citrix admin account, install off-the-shelf remote-access software, and, when the operator got what they wanted, deploy ransomware. Huntress assesses with high confidence that a single initial access broker is behind the pattern, selling or using that access to plant DragonForce and other ransomware. Sophos tracks the same cluster as STAC3725.
The way in: CitrixBleed 2
The entry point is CVE-2025-5777, nicknamed CitrixBleed 2, a memory-disclosure bug in NetScaler ADC and Gateway that can be triggered without logging in. By flooding the login endpoint with malformed requests, an attacker leaks small chunks of the appliance's memory, roughly 127 bytes at a time, and sifts them for a valid session token belonging to someone currently logged in. In the logs it looks like a brute-force attack, thousands of failed logins full of garbage usernames, but that garbage is actually leaked memory. In one case Huntress reconstructed the whole chain: an employee logged in normally with multi-factor authentication at 13:07 UTC, and 21 minutes later the same session was being driven from the attacker's IP, with no successful login of its own. The stolen token made MFA irrelevant because it was already satisfied. This is the same class of flaw we covered when the NetScaler memory-overread bug first surfaced.
Escalation and persistence
To go from an ordinary user to SYSTEM, the operator brought a portable privilege-escalation tool that abuses a Windows registry symbolic-link trick and the dormant Application Management service, then created a backdoor administrator with two fixed commands. For hands-on access it leaned on legitimate remote-management software, most often a rogue ScreenConnect client, with Zoho Assist, Netbird and Atera seen as backups, the now-standard living off trusted software approach that frustrates simple allow-listing. Credential theft with Mimikatz and Impacket followed, and in the most advanced case the crew ran a DragonForce binary that began encrypting the network before Huntress contained it to a single host. DragonForce has surfaced before in ransomware partnerships with the Scattered Spider crew.
What you should do
Patch NetScaler ADC and Gateway against CVE-2025-5777 immediately and, crucially, terminate active sessions after patching, since a token stolen before the fix stays valid. Hunt for sessions with no matching login, unexpected local administrator accounts, and unsanctioned remote-management tools. A defanged indicator of the abuse infrastructure is the ScreenConnect relay relay[.]dltsolutions[.]top. Huntress warns that victims who patched but skipped the rest of the cleanup were simply re-compromised.
See the original Huntress report for the full kill chain.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.