{
	"id": "c49184c6-638a-414b-8391-28eb7fb8b817",
	"created_at": "2026-04-06T00:13:12.235949Z",
	"updated_at": "2026-04-10T03:29:25.659572Z",
	"deleted_at": null,
	"sha1_hash": "98c1c5d057bd609a0bba1fc1061bc3c199a0ec2c",
	"title": "'Friendly' hackers are seemingly fixing the Citrix server hole – and leaving a nasty present behind",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 35801,
	"plain_text": "'Friendly' hackers are seemingly fixing the Citrix server hole – and\r\nleaving a nasty present behind\r\nBy Shaun Nichols\r\nPublished: 2020-01-17 · Archived: 2026-04-05 12:51:55 UTC\r\nHackers exploiting the high-profile Citrix CVE-2019-19781 flaw to compromise VPN gateways are now patching\r\nthe servers to keep others out.\r\nResearchers at FireEye report finding a hacking group (dubbed NOTROBIN) that has been bundling mitigation\r\ncode for NetScaler servers with its exploits. In effect, the hackers exploit the flaw to get access to the server, kill\r\nany existing malware, set up their own backdoor, then block off the vulnerable code from future exploit attempts\r\nby mitigation.\r\nObviously, this is less of a noble gesture and more of a way to keep others out of the pwned boxes.\r\n\"Upon gaining access to a vulnerable NetScaler device, this actor cleans up known malware and deploys\r\nNOTROBIN to block subsequent exploitation attempts,\" the FireEye team explained.\r\n\"But all is not as it seems, as NOTROBIN maintains backdoor access for those who know a secret passphrase.\r\nFireEye believes that this actor may be quietly collecting access to NetScaler devices for a subsequent campaign.\"\r\nThat the attackers would think to mitigate the bug is hardly surprising given the number of hackers believed to be\r\nscanning for and targeting the bug. It would make sense to take a compromised server off the map, so to speak, for\r\nother groups trying to exploit the so-called 'Shitrix' flaw.\r\nFireEye says it has yet to work out all the details of the attack, but it is believed that most of the exploit is done\r\nthrough a single script. That script, delivered via an HTTP POST request, issues the commands to kill any\r\ncryptocurrency scripts running on the machine, creates a directory to stage the next phase of the attack, then\r\ndownloads and runs the secondary NOTROBIN payload.\r\n\"Cryptocurrency miners are generally easy to identify—just look for the process utilizing nearly 100 per cent of\r\nthe CPU,\" said FireEye. \"By uninstalling these unwanted utilities, the actor may hope that administrators overlook\r\nan obvious compromise of their NetScaler devices.\"\r\nOnce the secondary payload has been downloaded and launched, it installs the backdoor for later access by the\r\nattackers, then proceeds to launch a pair of scripts that both search out and delete known malware on the machine\r\nand monitor and block any incoming attempts to exploit the vulnerability.\r\n\"The mitigation works by deleting staged exploit code found within NetScaler templates before it can be\r\ninvoked,\" FireEye's team explained. \"However, when the actor provides the hardcoded key during subsequent\r\nexploitation, NOTROBIN does not remove the payload. This lets the actor regain access to the vulnerable device\r\nat a later time.\"\r\nhttps://www.theregister.co.uk/2020/01/17/hackers_patch_citrix_vulnerability/\r\nPage 1 of 2\n\nWhile most vulnerable Citrix devices can be protected from attacks by applying the vendor's mitigations, some\r\nwill need to update their firmware in order for the protections to actually work. Citrix has promised a complete\r\npatch for the flaw by January 20. ®\r\nSource: https://www.theregister.co.uk/2020/01/17/hackers_patch_citrix_vulnerability/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://www.theregister.co.uk/2020/01/17/hackers_patch_citrix_vulnerability/"
	],
	"report_names": [
		"hackers_patch_citrix_vulnerability"
	],
	"threat_actors": [
		{
			"id": "e16a6567-2b9a-4419-960b-1e03fccc8812",
			"created_at": "2023-01-06T13:46:39.128684Z",
			"updated_at": "2026-04-10T02:00:03.224215Z",
			"deleted_at": null,
			"main_name": "NOTROBIN",
			"aliases": [],
			"source_name": "MISPGALAXY:NOTROBIN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434392,
	"ts_updated_at": 1775791765,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/98c1c5d057bd609a0bba1fc1061bc3c199a0ec2c.pdf",
		"text": "https://archive.orkl.eu/98c1c5d057bd609a0bba1fc1061bc3c199a0ec2c.txt",
		"img": "https://archive.orkl.eu/98c1c5d057bd609a0bba1fc1061bc3c199a0ec2c.jpg"
	}
}