Overview:
- Phish Tale of the Week
- NetScaler ADC and Gateway Security Bulletin: CVE-2025-7775, CVE-2025-7776, CVE-2025-8424
- PromptLock: The First AI-Powered Ransomware Emerges Using OpenAI’s gpt-oss:20b
- How can Netizen help?
Phish Tale of the Week
Oftentimes phishing campaigns created by malicious actors target users through social engineering. For example, in this message the actors pose as Coinbase. They send us a text message telling us that our Coinbase account was logged into and that we need to call support if it wasn’t us. It seems both urgent and genuine, so why shouldn’t we? Luckily, there are plenty of reasons that point to this being a scam.
Here’s how we can tell not to call this number:

- The first warning sign for this SMS is the context in which it was sent. When I received this SMS, I immediately knew not to act on it, because I do not have a Coinbase account. On top of that, it’s very apparent that this message was blasted out to random numbers: it doesn’t include my name or make any attempt at familiarity.
- The second warning sign in this message is the language. It tries to create a sense of urgency to get you to act by using phrases such as “If this was not you.” Phishing and smishing scams commonly manufacture urgency or confusion so that you call the number or click the link without thinking about it first. Always inspect the style and tone of a text before following a link, opening an attachment, or calling a number it provides.
- The final warning sign is the request itself: the smisher wants us to call an unknown number, something that Coinbase support would never do. All of these factors point to the above being a smishing text, and a very unsophisticated one at that.
General Recommendations:
A smishing attack will typically direct the user to click on a link where they will then be prompted to update personal information, such as a password, credit card, social security, or bank account information. A legitimate company already has this sensitive information and would not ask for it again, especially via your text messages.
- Scrutinize your messages before clicking anything. Have you ordered anything recently? Does this order number match one you already have? Did the message come from a store you don’t usually order from or a service you don’t use? If so, it’s probably a phishing attempt.
- Verify that the sender is actually from the company sending the message.
- Did you receive a message from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers or a social security number? A legitimate company will never ask for PII via instant message or email.
- Do not give out personal or company information over the internet.
- Do not click on unrecognized links or attachments. If you do proceed, verify that the URL is the correct one for the company/service. HTTPS on its own proves nothing: phishing sites obtain valid certificates as easily as legitimate ones, so the padlock only tells you the connection is encrypted, not that the site is genuine.
Many smishing messages pose a sense of urgency or even aggressiveness to prompt a form of intimidation. Any SMS requesting immediate action should be vetted thoroughly to determine whether or not it is a scam. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, “Fix your account now” may draw the question “What is wrong with my account?” and prompt you to click a suspicious link.
Cybersecurity Brief
In this month’s Cybersecurity Brief:
NetScaler ADC and Gateway Security Bulletin: CVE-2025-7775, CVE-2025-7776, CVE-2025-8424

Citrix has released a security bulletin addressing three vulnerabilities affecting NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). The flaws are tracked as CVE-2025-7775, CVE-2025-7776, and CVE-2025-8424. One of these, CVE-2025-7775, is rated critical and is confirmed to be under active exploitation in the wild, making immediate patching critical for organizations relying on these products.
The following product versions are vulnerable:
- NetScaler ADC and Gateway 14.1 before 14.1-47.48
- NetScaler ADC and Gateway 13.1 before 13.1-59.22
- NetScaler ADC 13.1-FIPS and NDcPP before 13.1-37.241-FIPS and NDcPP
- NetScaler ADC 12.1-FIPS and NDcPP before 12.1-55.330-FIPS and NDcPP
Secure Private Access on-premises or hybrid deployments using NetScaler instances are also affected. Citrix-managed cloud services and Adaptive Authentication have already been patched by the vendor.
Vulnerability Details
CVE-2025-7775
This memory overflow flaw can lead to remote code execution or denial of service. It affects appliances configured as a Gateway (VPN vserver, ICA Proxy, CVPN, RDP Proxy) or as an AAA vserver, load balancing vservers bound to IPv6 services, and content routing vservers of type HDX; the bulletin lists the exact vserver types and bindings that qualify. The CVSS v4.0 base score is 9.2 (Critical), and the issue is being actively exploited.
CVE-2025-7776
A memory overflow vulnerability that results in unpredictable system behavior and denial of service. It is triggered when a Gateway VPN vserver has a PCoIP profile bound to it. The CVSS v4.0 base score is 8.8.
CVE-2025-8424
An improper access control issue in the NetScaler management interface. An attacker who can reach the NSIP, the cluster management IP, or a SNIP with management access enabled could exploit it. It carries a CVSS v4.0 base score of 8.7. Independently of this CVE, a management interface reachable from untrusted networks should be treated as a misconfiguration: restrict NSIP and management-enabled SNIP access to a dedicated administrative network.
Citrix strongly urges all affected customers to upgrade their appliances to the following fixed versions or later:
- NetScaler ADC and Gateway 14.1-47.48
- NetScaler ADC and Gateway 13.1-59.22
- NetScaler ADC 13.1-FIPS and NDcPP 13.1-37.241
- NetScaler ADC 12.1-FIPS and NDcPP 12.1-55.330
No workarounds exist. Organizations running end-of-life versions such as 12.1 (non-FIPS) and 13.0 must migrate to a supported release that contains the fixes, since no patch will be issued for those branches.
Because exploitation of CVE-2025-7775 has already been confirmed, patching alone is not sufficient: an unpatched appliance that was exposed should be treated as potentially compromised. Security teams should inventory every appliance that matches the affected configurations (AAA vservers, VPN vservers, IPv6-bound load balancers, PCoIP profiles), confirm its build number against the fixed releases, and hunt for signs of post-exploitation such as unexpected files on the appliance, new or modified accounts, and anomalous outbound connections.
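Confirming build numbers across a fleet is tedious by hand, so the following added example (written for this article, not code from Citrix) encodes the fixed-build table above and classifies a `show ns version` banner as patched, vulnerable, or end of life. The banner format (`NetScaler NS14.1: Build 47.46.nc, ...`) is an assumption about the CLI output, the FIPS/NDcPP flag is supplied by the operator because those platforms use their own build numbering, and the sample banners are constructed.

```python
from __future__ import annotations
import re

# Fixed builds from the Citrix bulletin, keyed by (release branch, FIPS/NDcPP platform).
# A build is patched when it is >= the fixed build on the same branch.
FIXED_BUILDS = {
    ("14.1", False): (47, 48),
    ("13.1", False): (59, 22),
    ("13.1", True): (37, 241),   # 13.1-FIPS and NDcPP
    ("12.1", True): (55, 330),   # 12.1-FIPS and NDcPP
}

# Non-FIPS 12.1 and all of 13.0 are end of life: no fix will be published for them.
EOL_BRANCHES = {"12.1", "13.0"}

# Assumed banner format of `show ns version`, e.g.
#   "NetScaler NS14.1: Build 47.46.nc, Date: Jun 10 2025, 02:51:56   (64-bit)"
VERSION_RE = re.compile(r"NetScaler NS(?P<branch>\d+\.\d+): Build (?P<major>\d+)\.(?P<minor>\d+)")


def parse_version(banner: str) -> tuple[str, tuple[int, int]]:
    """Return (branch, (build_major, build_minor)) parsed from a version banner."""
    m = VERSION_RE.search(banner)
    if m is None:
        raise ValueError(f"unrecognised NetScaler version banner: {banner!r}")
    return m.group("branch"), (int(m.group("major")), int(m.group("minor")))


def assess(banner: str, fips: bool = False) -> dict:
    """Classify an appliance as patched, vulnerable, end_of_life or unknown.

    `fips` must come from the operator: FIPS/NDcPP builds use separate build
    numbering (13.1-37.x, 12.1-55.x), so the table lookup depends on it.
    """
    branch, build = parse_version(banner)
    fixed = FIXED_BUILDS.get((branch, fips))
    if fixed is None:
        status = "end_of_life" if branch in EOL_BRANCHES else "unknown"
    elif build >= fixed:          # tuple comparison: major first, then minor
        status = "patched"
    else:
        status = "vulnerable"
    return {
        "branch": branch,
        "build": f"{build[0]}.{build[1]}",
        "fips": fips,
        "status": status,
        "fixed_build": None if fixed is None else f"{fixed[0]}.{fixed[1]}",
    }


if __name__ == "__main__":
    # Constructed banners, not output from any real appliance.
    samples = [
        ("NetScaler NS14.1: Build 47.46.nc, Date: Jun 10 2025, 02:51:56   (64-bit)", False),
        ("NetScaler NS13.1: Build 59.22.nc, Date: Aug 20 2025, 10:11:12   (64-bit)", False),
        ("NetScaler NS13.1: Build 37.235.nc, Date: May 02 2025, 08:00:00   (64-bit)", True),
        ("NetScaler NS13.0: Build 92.21.nc, Date: Jan 15 2024, 01:02:03   (64-bit)", False),
    ]
    for banner, fips in samples:
        print(assess(banner, fips=fips))
```

Feed it the banner collected from each appliance (over SSH or from a configuration backup) and treat anything that is not `patched` as work to do; `unknown` means a branch the table does not cover and should be checked against the bulletin by hand.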
The vulnerabilities were reported by Jimi Sebree of Horizon3.ai, Jonathan Hetzer of Schramm & Partner, and François Hämmerli, working with Citrix to protect customers.
PromptLock: The First AI-Powered Ransomware Emerges Using OpenAI’s gpt-oss:20b

ESET researchers have identified a new proof-of-concept ransomware family, codenamed PromptLock, that leverages artificial intelligence to generate its malicious payloads in real time. This marks one of the first documented cases of ransomware built directly around a large language model (LLM), raising new concerns about AI’s role in accelerating cybercrime.
PromptLock is written in Golang and integrates with OpenAI’s recently released gpt-oss:20b model through the Ollama API. Instead of carrying a fixed, precompiled payload, the ransomware uses hardcoded prompts to have the model generate Lua scripts at run time. These scripts are capable of:
- Enumerating the local filesystem
- Inspecting and selecting target files
- Exfiltrating chosen data
- Encrypting files across platforms
Because the Lua payloads are generated at runtime, indicators of compromise (IoCs) such as file hashes may vary between infections. This variability makes signature-based detection less reliable and complicates the work of defenders.
The ransomware uses the SPECK 128-bit cipher for file encryption and can run on Windows, Linux, and macOS. Analysis of current samples suggests it could also be adapted for destructive use, though the data-wiping functionality does not yet appear to be implemented.
ESET assesses that PromptLock is currently a proof-of-concept rather than a fully weaponized strain deployed at scale. Artifacts linked to PromptLock were uploaded to VirusTotal from the United States on August 25, 2025. No active ransomware campaigns have been confirmed to date.
One key design choice is that PromptLock does not need the full LLM weights on the victim machine, which would run to many gigabytes. Instead, the malware is configured to talk to a remote server running the model via the Ollama API. This keeps the footprint on infected systems small while retaining AI-driven payload generation; it also means every infection depends on a network path to that inference server, which is itself something defenders can look for.
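That dependency on an inference server is the most stable thing about an otherwise polymorphic payload. The following added example (written for this article, not ESET’s or the malware’s code) runs a simple detection over constructed HTTP log records: it flags connections to the default Ollama listening port (11434) or POSTs to the Ollama generation endpoints (`/api/generate`, `/api/chat`) from internal hosts to any destination not on a hypothetical allowlist of sanctioned inference servers, then counts hits per source so a workstation making repeated LLM calls stands out. The log format, the allowlist address and the sample rows are all constructed.

```python
import csv
from collections import Counter
from dataclasses import dataclass
from io import StringIO

# Defaults of the Ollama server that PromptLock talks to for payload generation.
OLLAMA_PORT = 11434
OLLAMA_API_PATHS = {"/api/generate", "/api/chat"}

# Hypothetical allowlist: an inference server the organisation actually runs.
SANCTIONED_LLM_HOSTS = {"10.20.0.5"}

# Constructed sample log (CSV with a header); not captured from any real network.
SAMPLE_LOG = """ts,src,dst,dport,method,path
2025-08-25T14:02:11Z,10.1.5.23,10.20.0.5,11434,POST,/api/generate
2025-08-25T14:03:40Z,10.1.5.77,203.0.113.9,11434,POST,/api/generate
2025-08-25T14:03:41Z,10.1.5.77,203.0.113.9,11434,POST,/api/chat
2025-08-25T14:05:02Z,10.1.5.77,198.51.100.4,8080,POST,/api/generate
2025-08-25T14:06:15Z,10.1.5.30,142.250.80.46,443,GET,/
2025-08-25T14:07:00Z,10.1.5.30,198.51.100.4,11434,GET,/
"""


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    dst: str
    dport: int
    path: str
    reasons: tuple


def detect_ollama_traffic(log_text: str, sanctioned=frozenset(SANCTIONED_LLM_HOSTS)) -> list:
    """Flag HTTP records that look like Ollama API use towards an unsanctioned host.

    Two independent signals are checked so that a server moved off the default
    port (caught by the path) or a non-generation probe of the port (caught by
    the port) are both surfaced; the reasons tuple records which ones fired.
    """
    alerts = []
    for row in csv.DictReader(StringIO(log_text)):
        if row["dst"] in sanctioned:
            continue
        dport = int(row["dport"])
        reasons = []
        if dport == OLLAMA_PORT:
            reasons.append("default Ollama port")
        if row["method"] == "POST" and row["path"] in OLLAMA_API_PATHS:
            reasons.append("Ollama generation endpoint")
        if reasons:
            alerts.append(Alert(row["ts"], row["src"], row["dst"], dport, row["path"], tuple(reasons)))
    return alerts


def sources_by_alert_count(alerts) -> dict:
    """Count alerts per internal source host; sustained calls from one workstation stand out."""
    return dict(Counter(a.src for a in alerts))


if __name__ == "__main__":
    found = detect_ollama_traffic(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts} {a.src} -> {a.dst}:{a.dport} {a.path}  [{', '.join(a.reasons)}]")
    print(sources_by_alert_count(found))
```

In a real deployment the allowlist would hold the organisation’s own inference hosts and the records would come from a proxy or Zeek HTTP log; the point is that a workstation should not be talking to an LLM API at all, so even a low-confidence port match is worth a look.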
The appearance of PromptLock illustrates how AI can lower the barrier to entry for cybercriminals. By outsourcing payload generation to an LLM, attackers can:
- Create variable, unpredictable payloads that evade signature-based defenses
- Automate the customization of ransom notes and infection routines
- Scale ransomware development even with limited technical expertise
This trend is part of a broader shift. Earlier this month, Anthropic confirmed that it banned two groups using its Claude model to develop ransomware variants with advanced encryption and anti-recovery mechanisms. Separately, researchers have warned of novel prompt injection techniques such as PROMISQROUTE, which abuses model-routing systems to downgrade protections and bypass AI safety filters.
Defenders should treat PromptLock as an early warning of where ransomware development may be heading. AI-generated payloads give attackers an agility that static signatures will struggle to keep up with, but the behaviours that matter still have to happen on the host and the network: execution of freshly generated Lua scripts by an unfamiliar binary, mass file reads and writes, and sustained traffic to an LLM endpoint. Behavioural and network-based detection therefore remains effective against this class of malware even when every sample hashes differently.
How Can Netizen Help?
Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally.
Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.
Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.
Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.
