Threat Analysis: CitrixBleed 2 Ransomware Chain, SilabRAT MaaS, and the NHS Email Incident That Should Not Have Happened
Hello, Mauven here.
This is your Daily Threat Analysis for 10th July 2026.
Three items today. They are not connected by a single actor or campaign. They are connected by something more uncomfortable: they all represent failures that were entirely preventable, and all three are playing out right now against organisations that probably thought they had it covered.
CitrixBleed 2: The Seven-Step Ransomware Chain Targeting Unpatched NetScaler
Let us start with the one that should make your stomach drop if you run Citrix infrastructure.
Huntress has published a detailed post-incident analysis documenting how multiple unrelated organisations were compromised between January and June 2026 using a near-identical seven-step attack chain. The entry point in every case was CVE-2025-5777, which researchers are calling CitrixBleed 2, a memory-overread vulnerability in NetScaler ADC and Gateway appliances.
Here is what the research is not emphasising loudly enough: this was not sophisticated. The attackers sent malformed pre-authentication login requests to extract valid session tokens directly from NetScaler memory. No credentials required. No social engineering. No zero-day. Just a publicly known vulnerability against appliances that had not been patched.
From there, the chain runs to completion with a degree of operational consistency that suggests either tooling or a well-rehearsed playbook. Mimikatz for credential extraction. ScreenConnect for persistent remote access. Impacket for lateral movement. The endpoint is Dragonforce ransomware.
Dragonforce is worth a note here. It has been active since at least 2023 and has claimed attacks against UK retail, logistics, and professional services organisations. The advisory attributes this chain to initial access brokers selling footholds into vulnerable organisations, which tells you the targeting is not personal. It is opportunistic. Automated scanning identifies exposed NetScaler appliances. The foothold is sold. The ransomware follows.
What the advisory does not say is that NetScaler appliances are disproportionately common in mid-market UK businesses, law firms, accountancy practices, professional services, and healthcare, precisely because they were the remote access solution of choice for the decade prior to widespread cloud adoption. Many of those deployments are managed by IT providers who inherited them and have not reviewed patch status since. If your IT provider manages a Citrix or NetScaler environment for you, the question to ask today is not whether they know about CVE-2025-5777. The question is whether they can show you the patch was applied and when.
Immediate action: If you run NetScaler ADC or Gateway, verify patch status for CVE-2025-5777 today. If you cannot verify it, assume you are exposed. Huntress’s post contains detailed indicators of compromise for the Dragonforce chain.
SilabRAT: Credential Theft Sold as a Monthly Subscription
Group-IB published their analysis of SilabRAT this week, and it is worth reading in full if you manage security for any organisation where staff access business systems remotely.
SilabRAT is a Remote Access Trojan that has been available on darkweb forums since late 2025, developed by a threat actor operating under the handle o1oo1, and sold at $5,000 per month, roughly £3,900 at current rates. That price point tells you something about the intended buyer: this is not a commodity tool for script kiddies. It is designed for financially motivated actors running sustained credential theft and cryptocurrency operations.
The capabilities worth understanding:
Browser profile cloning. SilabRAT does not just steal passwords. It copies the entire browser profile, cookies, session tokens, saved credentials, authentication state, and replicates it on the attacker’s machine. This means that if a victim is authenticated to their business banking portal, their accounting software, or their cloud storage, the attacker inherits that session. Multi-factor authentication does not protect you here, because the session is already authenticated. The MFA check already happened.
Hidden Virtual Network Computing (HVNC). The attacker can interact with the victim’s machine through a hidden desktop environment the victim never sees. There is no visible window, no mouse cursor moving unexpectedly. The compromise is invisible during active exploitation.
HijackLoader and ASMCrypt delivery. The toolchain is designed for evasion. HijackLoader is a well-documented loader used by multiple criminal groups to bypass security tooling, and ASMCrypt provides additional obfuscation layers.
The delivery mechanism most relevant to UK SMBs is phishing, specifically, phishing that targets staff with access to financial systems or cloud platforms. The target profile here is finance teams, practice managers, and business owners with administrative access to cloud accounting and banking.
What the research does not make explicit is the supply chain risk. If your accountant, your solicitor, or your IT managed service provider is compromised by a SilabRAT deployment, the attacker may inherit authenticated sessions to systems they manage on your behalf. You do not need to be the direct target to be affected.
Immediate action: Review which staff roles have administrative access to financial systems and cloud platforms. Ensure session timeout policies are configured appropriately. If you use a managed service provider, ask them about their own endpoint security posture, specifically whether they have reviewed remote access tooling for browser-based credential theft capability.
NHS Forth Valley: A Reminder That Most UK Data Breaches Do Not Require an Attacker
NHS Forth Valley is under investigation after sending emails containing maternity patient data to recipients who should not have received it. The mechanism, according to The Register’s reporting, was a basic CC field error.
I am including this in today’s analysis not because it is a sophisticated threat, it is not, but because it illustrates something that gets lost in the coverage of nation-state attacks and ransomware chains. The ICO’s own data has consistently shown that the majority of personal data breaches reported to them involve human error rather than malicious external actors. Misdirected emails are one of the most frequently reported categories year after year.
The fact that this involves a Scottish NHS board and maternity data means there is a mandatory data protection investigation. The fact that it keeps happening across NHS boards means the structural issue, how bulk emails containing sensitive data are sent, reviewed, and approved, is not being addressed at an organisational level.
For UK SMBs, the lesson is direct. You do not need a sophisticated adversary to face an ICO investigation. You need one distracted employee and a CC field populated from an autocomplete suggestion.
Immediate action: If your organisation sends bulk emails to groups of clients, patients, or customers, review whether you have a process for verifying recipient lists before sending. The NCSC has published guidance on email security that covers misdirection risk. The fact that we are still discussing this particular failure mode in 2026 tells you how widely that guidance has been implemented.
On the Radar: GigaWiper and Check Point VPN
Two items I am not covering in full today but want to flag for awareness.
Microsoft Threat Intelligence published their analysis of GigaWiper, a Golang-based backdoor discovered in October 2025 that combines command-and-control capability with multiple destructive payloads drawn from at least three separate malware families. The destructive component operates at physical disk level. This is not ransomware in the conventional sense, there is no recovery mechanism. The published research covers the technical anatomy in detail. The UK relevance is indirect at present, but the targeting profile and capability should be on the radar of anyone responsible for operational technology or critical infrastructure.
Separately, Check Point has confirmed active exploitation of CVE-2026-50751, a critical authentication bypass in Remote Access VPN and Mobile Access deployments. Exploitation has been observed since May 2026. Qilin ransomware has been associated with post-exploitation activity following this vulnerability. If your organisation uses Check Point Remote Access VPN, patch status for CVE-2026-50751 and CVE-2026-50752 requires immediate verification.
Summary: What to Do Today
| Priority | Action |
|---|---|
| Immediate | Verify patch status for CVE-2025-5777 on all NetScaler ADC/Gateway appliances |
| Immediate | Verify patch status for CVE-2026-50751/50752 on Check Point Remote Access VPN |
| This week | Review staff access to financial and cloud platforms; audit session timeout policies |
| This week | Ask your MSP or IT provider to confirm their own endpoint security posture |
| Process review | Audit bulk email procedures for client-facing or patient-facing communications |
Before the next story: if Threat Analysis is useful to you, follow the show wherever you listen so tomorrow’s briefing lands automatically. And if you know someone who runs a business and should be across this, pass it on. They may not be reading threat intelligence today, but they will wish they had been.