Netscaler

ransomware 2026-04-18
Payouts King Runs Hidden QEMU VMs to Bypass EDR — STAC4713 and CitrixBleed 2 Campaigns
Sophos tracks two Payouts King campaigns running Alpine Linux inside QEMU on Windows hosts to tunnel reverse SSH and evade endpoint security. STAC3725 chains in CitrixBleed 2 (CVE-2025-5777) against NetScaler.
ransomware payouts-king qemu gold-encounter citrixbleed stac4713 stac3725 netscaler edr-evasion black-basta
vulnerabilities 2026-03-31 Critical
CVE-2026-3055: NetScaler SAML IDP Memory Overread Is Under Active Recon — Patch Before April 2
Attackers are actively probing Citrix NetScaler ADC/Gateway for CVE-2026-3055, a CVSS 9.3 memory overread that can leak session tokens from SAML IDP-configured appliances. CISA deadline is April 2.
citrix netscaler saml cve-2026-3055 memory-disclosure session-hijacking cisa-kev

Payouts King Runs Hidden QEMU VMs to Bypass EDR — STAC4713 and CitrixBleed 2 Campaigns