Security researchers discovered sophisticated backdoors targeting Citrix NetScaler systems across Western governments and legal institutions. The attacks exploited a zero-day vulnerability in getAuthenticationRequirements.do to deploy persistent PHP webshells that survive patching. The campaign, likely attributable to Volt Typhoon, used complex attack chains involving Python scripts, AES-encrypted commands, and privilege escalation techniques. Citrix did not publicly disclose technical details, providing remediation scripts only under NDAs, which left organizations exposed to ongoing espionage activity.
Table of contents
Initial access
Other attacker activity
But more attacker activity!
What to do with this information