Skip to main content
Emerging ThreatsMalware & Ransomware

Citrix Bleed 2 Exploit Fuels Ransomware Attacks

Rows of computer servers and storage equipment with warning lights on front panels in a brightly-lit data center.

More than 1.4 million domains have been targeted as part of a large-scale operation that exploited 27 CVEs in WordPress plugins to deploy web shells, the weekly recap reported.

Progress orders ShareFile Storage Zone Controllers offline after “credible external security threat”

Progress has urged customers to shut down Windows servers running Storage Zone Controllers, citing a "credible external security threat." The company temporarily disabled access to affected accounts "out of an abundance of caution" while working with internal and external security experts, and it said there are "no indications of unauthorized access to any ShareFile accounts or data." The exact nature of the threat has not been disclosed.

SHELLSTORM: web shells, SNOWLIGHT, and VShell across many countries

The operation codenamed SHELLSTORM used 27 WordPress plugin CVEs to deploy web shells on compromised servers. According to the recap, more than 1.4 million domains were targeted, with the largest number of infections reported in Taiwan, the U.S., Germany, France, and the U.K. The web-shell access is being used to deliver the SNOWLIGHT dropper and the VShell backdoor. The activity is assessed to be the work of a Chinese or Chinese‑speaking threat actor.

Citrix Bleed 2 exploitation leads to DragonForce ransomware in repeatable seven-step playbook

Huntress reported intrusions exploiting Citrix Bleed 2 (CVE-2025-5777) that followed a consistent post-compromise pattern: escalate to SYSTEM through a registry-symlink/AppMgmt privilege-escalation trick, create rogue local admin accounts, and establish persistence using legitimate remote‑access tools such as ScreenConnect and Zoho Assist. In the most advanced observed case, the operation ended with DragonForce ransomware deployment. Huntress observed roughly half a dozen intrusions across unrelated organizations in the first half of 2026 using the same seven-step chain, which the company described as a highly standardized operator playbook. Huntress' guidance: patch exposed NetScaler appliances, retain and review logs, terminate outstanding sessions, and audit for suspicious accounts and remote-management tooling.

Supply-chain and AI-assisted tricks: HalluSquatting, poisoned packages, and fake installers

The recap highlights several supply-chain and AI-related attack techniques converging on developer workflows and automated agents. Jscrambler's npm package was compromised to publish multiple versions containing a Rust-based information stealer targeting Windows, macOS, and Linux; Jscrambler attributed the incident to a compromised npm publishing credential and noted overlap with IronWorm activity first documented by JFrog.

Researchers described HalluSquatting — a blend of slopsquatting and phantom squatting — in which an AI agent invents legitimate-sounding resource names, an attacker registers them first, and the assistant later executes attacker-controlled code. The technique pairs hallucinations with prompt injections to trick coding assistants into running malicious instructions.

The weekly recap also recorded a range of malicious installers and packages in the wild: a fake Kuailian VPN MSI dropping GoodPersonRAT; a malicious Braintree.Net NuGet package impersonating a legitimate SDK that deploys a multi-stage .NET implant to intercept live payment card data and exfiltrate merchant API keys; and a malicious ZIP containing a Windows shortcut that starts a NodeJS backdoor campaign. Separately, Darktrace described compromises of AI gateways such as LiteLLM Proxy connected to Amazon Bedrock services that resulted in unauthorized cryptomining, noting the compromised asset "sat at the intersection of cloud infrastructure, identity, and AI services."

What this means for security teams, enterprise IT, and developers

  • Security teams: Prioritize the list of trending CVEs and urgent patches cited in the recap, retain and review logs for signs of the standardized Citrix Bleed 2 playbook, and audit outstanding sessions and remote-management tooling for persistence traces.
  • Enterprise IT and procurement: Follow Progress' direction to stop Storage Zone Controller Windows servers where advised, scan for internet‑exposed services (especially NetScaler and LiteLLM Proxy instances), and shore up access controls to reduce utility for post‑compromise lateral movement.
  • Developers and build teams: Harden publishing credentials and package pipelines, monitor for supply‑chain tampering, and treat AI agents as identities — enforce least‑privilege access, use short‑lived secrets, and establish kill switches for shadow AI, as recommended in the recap's webinar summaries.

The clearing pattern in this week's recap is stark and simple: patches exist, exploits arrive faster, and routine oversights — exposed services, stale sessions, compromised publishing credentials, and unattended AI agents — are the doors attackers walk through. As the recap puts it, "Every shortcut we took to move faster is now a door someone else can walk through." Patch the urgent stuff first, close the sessions you forgot were open, and check what’s still facing the internet.

Original story