TLP: CLEAR - This information may be shared publicly
eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.
Bottom Line: Recent reports suggest that the vulnerability CVE-2025-5777, found within NetScaler products and dubbed Citrix Bleed 2, is being actively exploited in the wild. Exploitation allows threat actors to steal credentials and session tokens and to bypass Multi-Factor Authentication (MFA).
On June 26th, 2025, ReliaQuest reported that attackers are actively exploiting the recently disclosed Citrix vulnerability, CVE-2025-5777, also known as “Citrix Bleed 2,” to gain initial access to networks. Citrix disclosed CVE-2025-5777 (CVSS score: 9.3) on June 17, 2025. This vulnerability arises from insufficient input validation, leading to memory over-read in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). Exploitation of this flaw may result in the leak of sensitive data, facilitating further malicious activities. At the time of disclosure, no exploitation of this flaw was reported in the wild. However, ReliaQuest believes, with moderate confidence, that attackers are using CVE-2025-5777 to establish initial access.
The report highlights indicators of exploitation, including hijacked Citrix web sessions from NetScaler. These sessions grant access without the user’s knowledge and effectively bypass MFA. The same sessions are being reused across both expected and suspicious IP addresses, raising red flags about potential unauthorized access. Additionally, LDAP queries have shown signs of reconnaissance activity within Active Directory. Instances of the tool “ADExplorer64.exe” have been observed in the environment, likely used to query domain groups and permissions. Furthermore, Citrix sessions have been traced back to data center IP addresses, such as those belonging to DataCamp, pointing to the potential use of consumer VPN services.
CVE-2025-5777 requires that the NetScaler instance be configured as either a Gateway (which includes VPN virtual servers, ICA Proxy, CVPN, and RDP Proxy) or as an AAA virtual server. Cybersecurity researcher Kevin Beaumont has noted that this vulnerability resembles the notorious “CitrixBleed” vulnerability (CVE-2023-4966), which was widely exploited by threat actors, including those involved in ransomware attacks and state-sponsored activity. Given the exploitation attempts against CVE-2025-5777, its ability to hijack legitimate user sessions, and the rapid weaponization of Citrix vulnerabilities by threat actors, it is essential that organizations promptly apply all recommended patches and mitigations to safeguard their environments.
To mitigate these risks, users are advised to install the following versions of NetScaler ADC and Gateway: 14.1-43.56, 13.1-58.32 and later, 13.1-NDcPP 13.1-37.235 (FIPS), and 12.1-55.328 (FIPS). Additionally, after patches are deployed, Citrix recommends that companies run the “kill icaconnection -all” and “kill pcoipConnection -all” commands to end active sessions, since patching alone does not invalidate sessions that may already have been hijacked. It is crucial to note that versions 12.1 and 13.0 of NetScaler ADC and NetScaler Gateway have reached End-of-Life (EOL). Customers are strongly encouraged to upgrade to supported versions as soon as possible.
In response to the escalating sophistication of threat actor tactics, eSentire's Threat Response Unit (TRU) released an advisory on a similar topic titled "Actively Exploited Citrix Vulnerability CVE-2025-6543" on June 26th, 2025. Organizations should adopt a multi-layered approach to defense. Beyond relying solely on EDR solutions, organizations should implement robust network monitoring tools to detect anomalous behavior, establish comprehensive logging mechanisms to track and analyze system activity, and conduct regular security assessments to proactively identify and address potential vulnerabilities. eSentire Managed Vulnerability Service (MVS) has plugins in place to identify devices vulnerable to CVE-2025-5777. The eSentire Threat Intelligence team is actively tracking this topic for additional details and detection opportunities.
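The session-reuse indicator described above (one NetScaler session token observed from more than one source IP address, or from an address outside the ranges users are expected to come from) can be checked from session logs. The following Python script is an added example written for this briefing; it is not eSentire's, Citrix's, or ReliaQuest's code. The log format, the session identifiers, the user names, the IP addresses and the expected address ranges are all constructed for the example; real NetScaler syslog records must be mapped onto the same four fields (timestamp, session id, user, source IP) before the same logic applies.

```python
"""Added detection example (not eSentire's or Citrix's code): flag NetScaler
session tokens reused across multiple source IPs, or seen from unexpected
ranges, the indicator the briefing associates with CVE-2025-5777 hijacking.

The log format below is constructed for this example; real NetScaler syslog
fields differ and must be mapped to (timestamp, session_id, user, src_ip).
"""
import ipaddress
from collections import defaultdict

# Constructed sample log lines: timestamp, session id, user, source IP.
# Session a1f3 is first seen from an internal address and then from an
# external one; c0de is only ever seen from an external address.
SAMPLE_LOG = """\
2025-06-26T08:01:10Z sess=a1f3 user=alice src=10.20.30.40
2025-06-26T08:05:42Z sess=a1f3 user=alice src=10.20.30.40
2025-06-26T08:07:03Z sess=a1f3 user=alice src=198.51.100.77
2025-06-26T08:09:15Z sess=b7c9 user=bob src=10.20.31.9
2025-06-26T08:12:30Z sess=c0de user=carol src=203.0.113.5
"""

# Assumed: the address ranges this organisation expects its users to come
# from (corporate LAN, known branch offices). Adjust for your environment.
EXPECTED_RANGES = [ipaddress.ip_network("10.0.0.0/8")]


def parse_line(line):
    """Parse one constructed log line into a dict with a typed source IP."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {
        "ts": ts,
        "sess": fields["sess"],
        "user": fields["user"],
        "src": ipaddress.ip_address(fields["src"]),
    }


def parse_log(text):
    """Parse all non-empty lines of a log blob."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def is_expected(ip):
    """True if the address falls inside one of the expected ranges."""
    return any(ip in net for net in EXPECTED_RANGES)


def find_suspicious_sessions(events):
    """Return {session_id: finding} for every session that was seen from
    more than one source IP, or from any IP outside EXPECTED_RANGES.

    Each finding lists the user, all observed IPs, the unexpected ones and
    the reasons that fired, so an analyst can decide which sessions to
    terminate (for example with the kill commands Citrix recommends)."""
    by_sess = defaultdict(list)
    for event in events:
        by_sess[event["sess"]].append(event)

    findings = {}
    for sess, evs in by_sess.items():
        ips = sorted({str(e["src"]) for e in evs})
        unexpected = sorted({str(e["src"]) for e in evs if not is_expected(e["src"])})
        reasons = []
        if len(ips) > 1:
            reasons.append("multiple_source_ips")
        if unexpected:
            reasons.append("unexpected_source_ip")
        if reasons:
            findings[sess] = {
                "user": evs[0]["user"],
                "ips": ips,
                "unexpected": unexpected,
                "reasons": reasons,
            }
    return findings


if __name__ == "__main__":
    for sess, finding in find_suspicious_sessions(parse_log(SAMPLE_LOG)).items():
        print(sess, finding)
```

On the constructed sample this reports session a1f3 (seen from two addresses, one of them outside the expected range) and session c0de (only seen from an unexpected address), and leaves b7c9 alone. A session that legitimately roams (laptop moving from office to home) will also trip the first rule, so the output is a triage list, not a verdict; the useful follow-up is to confirm with the user and then terminate the flagged sessions on the appliance after patching.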
Bottom Line: Microsoft Threat Intelligence reported that the North Korean remote IT worker campaign, Jasper Sleet, evolved to use AI-enhanced deepfakes and voice modification, now broadening its targets to any organizations offering technology-related roles, for espionage and financial gain.
On June 30th, 2025, Microsoft Threat Intelligence released a report on a North Korean Remote IT Worker campaign that is tracked under the name Jasper Sleet (formerly Storm-0287). Remote IT Worker campaigns have been ongoing and involve North Korean citizens posing as legitimate job seekers from various countries. If the threat actor is hired for a remote position, they generate revenue for the Democratic People’s Republic of Korea (DPRK), steal sensitive data, and in some cases carry out data extortion. Microsoft states that North Korea has successfully “deployed thousands of remote IT workers to assume jobs in software and web development”.
Since 2024, Jasper Sleet tactics have evolved to include the use of AI-enhanced tools to deceive hiring managers. According to Microsoft, North Korean IT workers now use AI tools to forge professional-looking resumes, enhance photos, and manipulate their voices to pass identity verification checks. In some cases, stolen identities matching the location of the targeted organization are purchased and used to facilitate the attack. Writing facilitators have also been employed to help threat actors pass the verification process and complete remote work job requirements.
When hired, threat actors will direct company laptops to be sent to an accomplice, who can either run a laptop farm providing an Internet connection matching the geo-location of the role or forward the device internationally. For devices within laptop farms, accomplices will install software to enable the threat actor to connect remotely, and may also set up a Keyboard, Video, Mouse (KVM) device, granting remote control access.
Jasper Sleet had previously impacted U.S.-based technology, manufacturing, and transportation companies, but attacks have now broadened, affecting any organizations that offer “technology-related” roles, regardless of location or industry.
Jasper Sleet represents a dual threat, involving both financial goals and espionage. North Korean Remote IT Worker campaigns have drawn significant attention due to their complexity, the scale of activity, and the potential impact. Notably, on the same day that Microsoft released this report, the U.S. Justice Department announced a coordinated action against North Korean Remote IT Worker campaigns. This included two indictments, one arrest, searches of 29 suspected laptop farms, and the seizure of 29 financial accounts. Additionally, Microsoft has suspended over 3,000 accounts associated with Jasper Sleet.
Despite this intervention, the eSentire Threat Intelligence team assesses that similar North Korean campaigns will continue to operate. DPRK actors are experimenting with AI tools, and based on this report, AI tools have been beneficial in social engineering campaigns. These tools have not created new capabilities, but they do simplify the attack process, potentially enabling higher volumes of activity.
Organizations are strongly encouraged to review and enhance hiring policies to prevent North Korean actors from achieving employment. Identity verification for all hires is critical. When possible, interviews should be conducted in person; for virtual interviews, cameras should be on without any virtual background. Candidates should be questioned on their alma mater and physical location, as North Korean threat actors are unlikely to be able to answer these region-specific questions. Additionally, corporate devices should only be sent to approved home locations that match employee records.
The eSentire Threat Response Unit (TRU) conducts threat hunts to identify related activity. For more information on North Korean Remote IT Worker campaigns, and eSentire’s observations of this threat, see the May 2025 TRU Intelligence Briefing webinar.
Bottom Line: The FBI issued a warning that the threat actor group Scattered Spider has been observed targeting the airline sector. The attacks involve social engineering, resulting in the theft of data for extortion, and deployment of ransomware.
On June 27th, 2025, the Federal Bureau of Investigation (FBI) posted an alert on their X account, warning of the threat group Scattered Spider performing social engineering attacks to target organizations within the aviation industry. Scattered Spider (also known as UNC3944, Storm-0875, and Muddled Libra) is a financially motivated threat group that was first observed in 2022 and has targeted a wide range of industries across North America, South America, Europe, and Asia. The group is believed to consist of individuals from the United States and the United Kingdom. In 2023, Scattered Spider gained notoriety for conducting cyber-attacks against Caesars Entertainment and MGM Resorts International, the latter of which resulted in the deployment of BlackCat/ALPHV ransomware.
Scattered Spider is known for conducting social engineering attacks as a means of gaining initial access to target environments. In an advisory published by the Cybersecurity & Infrastructure Security Agency (CISA) in 2023, details regarding some of the social engineering techniques used by the group were provided. These reported techniques include performing SIM swapping attacks, and posing as an organization's IT or help desk staff to trick users into providing credentials, sharing Multi-Factor Authentication (MFA) codes, or granting access to hosts through Remote Monitoring and Management (RMM) tools. Within their alert, the FBI indicates that recently observed social engineering attacks targeting organizations within the aviation industry involved the impersonation of employees or contractors, attempting to deceive help desk employees into granting them access. One reported method included the threat actors tricking an organization’s help desk into adding an unauthorized MFA device to a compromised account.
Once Scattered Spider gains access to a target network, they perform data exfiltration, which is later used for extortion, and will “often deploy ransomware” as well. Scattered Spider is known to target large corporations and third-party IT providers, indicating that the group is likely to perform supply chain attacks. Due to this, the FBI warns that “anyone in the airline ecosystem, including trusted vendors and contractors, could be at risk”.
Within their warning, the FBI does not provide any technical details or confirmation regarding any recent attacks against airlines, or organizations within the aviation sector, that were performed by Scattered Spider. However, in June 2025, three airlines confirmed that they had been impacted by cyber-attacks: WestJet, Hawaiian Airlines, and the Australian airline Qantas Airlines. While no technical details have been provided on these attacks, both Mandiant and Darktrace have indicated that the attacks resemble those of Scattered Spider, but neither has provided official confirmation of attribution.
Scattered Spider was previously reported on in 2025 for targeting retail organizations within the United States and the United Kingdom, using similar social engineering techniques. These attacks resulted in the deployment of the DragonForce ransomware against impacted organizations. As observed in their attacks from 2023, Scattered Spider was previously known for using the Ransomware-as-a-Service (RaaS) offering BlackCat/ALPHV, but after its shutdown, Scattered Spider became an affiliate of the RaaS RansomHub. After the RaaS group DragonForce took over RansomHub in 2025, Scattered Spider became an affiliate of DragonForce and began deploying this ransomware in their attacks. Ransomware attacks involving both data exfiltration and encryption are known as double extortion attacks, which have increased in popularity in recent years. This increase is likely because such attacks give threat actors the additional leverage of threatening to leak sensitive data, increasing the likelihood that organizations will pay the ransom demands.
Scattered Spider likely favors social engineering techniques because these attacks rely on the exploitation of human psychology rather than on exploiting vulnerabilities or using malware for initial access. Social engineering attacks are popular amongst threat actors, as they enable initial access without the “technical work of getting around firewalls, antivirus software and other cybersecurity controls”. To protect against these threats, organizations should implement policies to ensure help desk or IT personnel verify employee identities through secure methods prior to making any security-related changes or providing sensitive information. Organizations should also implement strong authentication measures for account management changes, avoiding reliance on publicly available personal data, such as date of birth or Social Security Numbers (SSNs), for verification. Organizations should also conduct Phishing and Security Awareness Training (PSAT), which educates users on how to identify and report threats.
eSentire's Threat Response Unit (TRU) published a blog on detected activity that was attributed to Scattered Spider, titled "Ransomware Precursor Activity Traced to Compromised Vendor Account". eSentire's Threat Intelligence team continues to track this topic for any additional information, Indicators of Compromise (IoCs), and detection opportunities.
The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers, that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our Atlas Security Operations Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.