
Citrix Netscaler backdoors — Part One — May 2025 activity against governments

ID: a2f643fa-8d34-5c1c-bdd4-2d1069ab3013

STIX ID: report--a2f643fa-8d34-5c1c-bdd4-2d1069ab3013

Feed Name: DoublePulsar

Threat Score
80/100

Date Published: 2025-08-31

Date Updated: 2026-04-19

Author: Kevin Beaumont

...
...

This report documents an active campaign targeting Citrix NetScaler appliances via a vulnerability in getAuthenticationRequirements.do. Attackers POST specially constructed payloads that use base85/zlib/pickle unpacking in Python to drop XOR-decrypted PHP webshells that accept AES-encrypted commands; they also create a SUID shell for privilege escalation, time-stomp legitimate files (e.g., jquery.min.js), and restart Apache to maintain access. Detection guidance includes monitoring POST requests to getAuthenticationRequirements.do, searching for web-accessible PHP shells in LogonPoint/theme paths, checking for unexpected /var/python/bin/python3 executions and SUID binaries (e.g., /var/tmp/sh), and investigating anomalous Last-Modified headers on static assets.
