December 10, 2023

Researchers have reported that threat actors are conducting a large-scale credential harvesting campaign exploiting the recent CVE-2023-3519 vulnerability in Citrix NetScaler Gateways.

At the end of July, Citrix warned customers that the CVE-2023-3519 flaw in NetScaler Application Delivery Controller (ADC) and Gateway is being actively exploited in the wild using the code injection vulnerability that could result in unauthenticated remote code execution. Successful exploitation requires that the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server.

The U.S. CISA warned of cyber-attacks against Citrix NetScaler Application Delivery Controller (ADC) and Gateway devices exploiting the zero-day CVE-2023-3519. The Agency revealed that threat actors targeted a NetScaler ADC appliance deployed in the network of a critical infrastructure organization and are exploiting the vulnerability to drop web shells on vulnerable systems.


Researchers discovered the campaign while conducting an incident response activity for a client that had reported slow authentications on the NetScaler install. The attackers exploited the flaw to inject a malicious Javascript into the device “index.html” login page.

The attack chain starts with the threat actors sending a web request to “/gwtest/formssso? event=start&target=” triggering the flaw CVE-2023-3519 to write a simple PHP web shell to /netscaler/ns_gui/vpn. Once the PHP web shell is deployed, the attacker retrieved the contents of the “ns.conf” file on the device. Then the attackers appended custom HTML code to “index.html” which references a remote JavaScript file hosted on attacker-controlled infrastructure.

The JavaScript code appended to “index.html” retrieves and executes additional JavaScript code that attaches a custom function to the “Log_On” button on the authentication page. The malicious code can collect data in the authentication form, including credentials, and sends it to a remote host through a HTTP POST method.

Researchers identified multiple domains used as part of this campaign, the domains were registered on August 5th, 6th, and 14th, and leveraging Cloudflare to mask where the domains were hosted and identified the C2 infrastructure used by the threat actors, then they were able to identify almost 600 unique victim IP addresses hosting modified NetScaler Gateway login pages. Most of the victims are in the United States and Europe.


The analysis reveals that the NetScaler Gateway login pages were first modified on August 11, 2023, suggesting that this date might mark the commencement of the campaign. The researchers were not able to link this campaign to any known threat group.

This latest research was documented by the researchers from IBM X-Force

Indicators of Compromise

  • jscloud[.]ink
  • jscloud[.]live
  • jscloud[.]biz
  • jscdn[.]biz
  • cloudjs[.]live
  • cloud-js[.]cloud

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.