Unpatched Citrix NetScaler systems exposed to the internet are being targeted by unknown threat actors in what's suspected to be a ransomware attack.

Cybersecurity company Sophos is tracking the activity cluster under the moniker STAC4663.

Attack chains involve the exploitation of CVE-2023-3519, a critical code injection vulnerability impacting NetScaler ADC and Gateway servers that could facilitate unauthenticated remote code execution.

In one intrusion detected in mid-August 2023, the security flaw is said to have been used to conduct a domain-wide attack, including injecting payloads into legitimate executables such as the Windows Update Agent (wuauclt.exe) and the Windows Management Instrumentation Provider Service (wmiprvse.exe). An analysis of the payload is underway.


Other notable aspects include the distribution of obfuscated PowerShell scripts, PHP web shells, and the use of an Estonian service called BlueVPS for malware staging.

Sophos said the modus operandi aligns "closely" with that of an attack campaign that NCC Group Fox-IT disclosed earlier this month in which nearly 2,000 Citrix NetScaler systems were breached.

The attacks are also said to be linked to an earlier incident that used the same techniques minus the Citrix vulnerability. Indicators of compromise (IoCs) associated with the campaign can be accessed here.

"All this leads us to say it's probable that this is activity from a known threat actor specializing in ransomware attacks," the company said in a series of posts on X.

Users of Citrix NetScaler ADC and Gateway appliances are highly recommended to apply the patches to mitigate potential threats.


The development comes as ransomware is on track to scale new highs in 2023, as threat actors are rapidly escalating their attacks by harnessing security flaws in widely used software to breach target environments.

This has been accompanied by a surge in cybercrime groups spawning personalized ransomware strains (e.g., DoDo, Proton, and Trash Panda) as well as moving more quickly to compromise companies once they have gained initial access, an indication that the attackers are getting better at honing their process of stealing and encrypting data.

While most ransomware gangs continue to pursue double or triple extortion schemes, some groups have been observed pivoting from encryption to a simpler theft-and-extortion strategy, which is referred to as an encryptionless extortion attack.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.