{"id":32853,"date":"2020-01-17T19:49:15","date_gmt":"2020-01-17T19:49:15","guid":{"rendered":"https:\/\/www.threatshub.org\/blog\/friendly-hackers-are-seemingly-fixing-the-citrix-server-hole-and-leaving-a-nasty-present-behind\/"},"modified":"2020-01-17T19:49:15","modified_gmt":"2020-01-17T19:49:15","slug":"friendly-hackers-are-seemingly-fixing-the-citrix-server-hole-and-leaving-a-nasty-present-behind","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/friendly-hackers-are-seemingly-fixing-the-citrix-server-hole-and-leaving-a-nasty-present-behind\/","title":{"rendered":"&#8216;Friendly&#8217; hackers are seemingly fixing the Citrix server hole \u2013 and leaving a nasty present behind"},"content":{"rendered":"<p>Hackers exploiting the <a target=\"_blank\" href=\"https:\/\/www.theregister.co.uk\/2019\/12\/23\/patch_now_published_citrix_applications_leave_network_vulnerable_to_unauthorised_access\/\" rel=\"noopener noreferrer\">high-profile<\/a> Citrix CVE-2019-19781 flaw to compromise VPN gateways are now patching the servers to keep others out.<\/p>\n<p>Researchers at FireEye <a target=\"_blank\" rel=\"nofollow noopener noreferrer\" href=\"https:\/\/www.fireeye.com\/blog\/threat-research\/2020\/01\/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html\">report<\/a> finding a hacking group (dubbed NOTROBIN) that has been bundling mitigation code for NetScaler servers with its exploits. In effect, the hackers exploit the flaw to get access to the server, kill any existing malware, set up their own backdoor, then block off the vulnerable code from future exploit attempts <a target=\"_blank\" rel=\"nofollow noopener noreferrer\" href=\"https:\/\/support.citrix.com\/article\/CTX267679\">by mitigation<\/a>.<\/p>\n<p>Obviously, this is less of a noble gesture and more of a way to keep others out of the pwned boxes.<\/p>\n<p>&#8220;Upon gaining access to a vulnerable NetScaler device, this actor cleans up known malware and deploys NOTROBIN to block subsequent exploitation attempts,&#8221; the FireEye team explained.<\/p>\n<p>&#8220;But all is not as it seems, as NOTROBIN maintains backdoor access for those who know a secret passphrase. FireEye believes that this actor may be quietly collecting access to NetScaler devices for a subsequent campaign.&#8221;<\/p>\n<p>That the attackers would think to mitigate the bug is hardly surprising given the number of hackers believed to be scanning for and targeting the bug. It would make sense to take a compromised server off the map, so to speak, for other groups trying to exploit the so-called &#8216;Shitrix&#8217; flaw.<\/p>\n<p>FireEye says it has yet to work out all the details of the attack, but it is believed that most of the exploit is done through a single script. That script, delivered via an HTTP POST request, issues the commands to kill any cryptocurrency scripts running on the machine, creates a directory to stage the next phase of the attack, then downloads and runs the secondary NOTROBIN payload.<\/p>\n<div class=\"promo_article\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/regmedia.co.uk\/2018\/01\/19\/citrix_editorial_only_shutterstock.jpg?x=174&amp;y=115&amp;crop=1\" width=\"174\" height=\"115\" alt=\"Citrix\"><\/p>\n<h2 title=\"Unauthorised users able to perform 'arbitrary code execution'\">Patch now: Published Citrix applications leave networks of &#8216;potentially 80,000&#8217; firms at risk from attackers<\/h2>\n<p><a href=\"https:\/\/www.theregister.co.uk\/2019\/12\/23\/patch_now_published_citrix_applications_leave_network_vulnerable_to_unauthorised_access\/\"><span>READ MORE<\/span><\/a><\/div>\n<p>&#8220;Cryptocurrency miners are generally easy to identify\u2014just look for the process utilizing nearly 100 per cent of the CPU,&#8221; said FireEye. &#8220;By uninstalling these unwanted utilities, the actor may hope that administrators overlook an obvious compromise of their NetScaler devices.&#8221;<\/p>\n<p>Once the secondary payload has been downloaded and launched, it installs the backdoor for later access by the attackers, then proceeds to launch a pair of scripts that both search out and delete known malware on the machine and monitor and block any incoming attempts to exploit the vulnerability.<\/p>\n<p>&#8220;The mitigation works by deleting staged exploit code found within NetScaler templates before it can be invoked,&#8221; FireEye&#8217;s team explained. &#8220;However, when the actor provides the hardcoded key during subsequent exploitation, NOTROBIN does not remove the payload. This lets the actor regain access to the vulnerable device at a later time.&#8221;<\/p>\n<p>While most vulnerable Citrix devices can be protected from attacks by applying the <a target=\"_blank\" href=\"https:\/\/www.theregister.co.uk\/2019\/12\/23\/patch_now_published_citrix_applications_leave_network_vulnerable_to_unauthorised_access\/\" rel=\"noopener noreferrer\">vendor&#8217;s mitigations<\/a>, some will need to <a target=\"_blank\" href=\"https:\/\/www.theregister.co.uk\/2020\/01\/16\/windows_citrix_patch_update\/\" rel=\"noopener noreferrer\">update their firmware<\/a> in order for the protections to actually work. Citrix has promised a complete patch for the flaw by January 20. \u00ae<\/p>\n<p class=\"wptl btm\"><span>Sponsored:<\/span> <a href=\"https:\/\/go.theregister.co.uk\/tl\/1889\/-8120\/detecting-cyber-attacks-as-a-small-to-medium-business?td=wptl1889\">Detecting cyber attacks as a small to medium business<\/a><\/p>\n<p>READ MORE <a href=\"https:\/\/go.theregister.co.uk\/feed\/www.theregister.co.uk\/2020\/01\/17\/hackers_patch_citrix_vulnerability\/\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Congratulations, you&#8217;ve won a secret backdoor Hackers exploiting the high-profile Citrix CVE-2019-19781 flaw to compromise VPN gateways are now patching the servers to keep others out.\u2026  READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":32854,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[63],"tags":[],"class_list":["post-32853","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-the-register"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>&#039;Friendly&#039; hackers are seemingly fixing the Citrix server hole \u2013 and leaving a nasty present behind 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/friendly-hackers-are-seemingly-fixing-the-citrix-server-hole-and-leaving-a-nasty-present-behind\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"&#039;Friendly&#039; hackers are seemingly fixing the Citrix server hole \u2013 and leaving a nasty present behind 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/friendly-hackers-are-seemingly-fixing-the-citrix-server-hole-and-leaving-a-nasty-present-behind\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2020-01-17T19:49:15+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2020\/01\/friendly-hackers-are-seemingly-fixing-the-citrix-server-hole-and-leaving-a-nasty-present-behind.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"174\" \/>\n\t<meta property=\"og:image:height\" content=\"115\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/friendly-hackers-are-seemingly-fixing-the-citrix-server-hole-and-leaving-a-nasty-present-behind\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/friendly-hackers-are-seemingly-fixing-the-citrix-server-hole-and-leaving-a-nasty-present-behind\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"&#8216;Friendly&#8217; hackers are seemingly fixing the Citrix server hole \u2013 and leaving a nasty present behind\",\"datePublished\":\"2020-01-17T19:49:15+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/friendly-hackers-are-seemingly-fixing-the-citrix-server-hole-and-leaving-a-nasty-present-behind\/\"},\"wordCount\":506,\"publisher\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/friendly-hackers-are-seemingly-fixing-the-citrix-server-hole-and-leaving-a-nasty-present-behind\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2020\/01\/friendly-hackers-are-seemingly-fixing-the-citrix-server-hole-and-leaving-a-nasty-present-behind.jpg\",\"articleSection\":[\"The Register\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/friendly-hackers-are-seemingly-fixing-the-citrix-server-hole-and-leaving-a-nasty-present-behind\/\",\"url\":\"https:\/\/www.threatshub.org\/blog\/friendly-hackers-are-seemingly-fixing-the-citrix-server-hole-and-leaving-a-nasty-present-behind\/\",\"name\":\"'Friendly' hackers are seemingly fixing the Citrix server hole \u2013 and leaving a nasty present behind 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/friendly-hackers-are-seemingly-fixing-the-citrix-server-hole-and-leaving-a-nasty-present-behind\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/friendly-hackers-are-seemingly-fixing-the-citrix-server-hole-and-leaving-a-nasty-present-behind\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2020\/01\/friendly-hackers-are-seemingly-fixing-the-citrix-server-hole-and-leaving-a-nasty-present-behind.jpg\",\"datePublished\":\"2020-01-17T19:49:15+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/friendly-hackers-are-seemingly-fixing-the-citrix-server-hole-and-leaving-a-nasty-present-behind\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.threatshub.org\/blog\/friendly-hackers-are-seemingly-fixing-the-citrix-server-hole-and-leaving-a-nasty-present-behind\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/friendly-hackers-are-seemingly-fixing-the-citrix-server-hole-and-leaving-a-nasty-present-behind\/#primaryimage\",\"url\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2020\/01\/friendly-hackers-are-seemingly-fixing-the-citrix-server-hole-and-leaving-a-nasty-present-behind.jpg\",\"contentUrl\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2020\/01\/friendly-hackers-are-seemingly-fixing-the-citrix-server-hole-and-leaving-a-nasty-present-behind.jpg\",\"width\":174,\"height\":115},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/friendly-hackers-are-seemingly-fixing-the-citrix-server-hole-and-leaving-a-nasty-present-behind\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.threatshub.org\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"&#8216;Friendly&#8217; hackers are seemingly fixing the Citrix server hole \u2013 and leaving a nasty present behind\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#website\",\"url\":\"https:\/\/www.threatshub.org\/blog\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\/\/www.threatshub.org\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/x.com\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"'Friendly' hackers are seemingly fixing the Citrix server hole \u2013 and leaving a nasty present behind 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/friendly-hackers-are-seemingly-fixing-the-citrix-server-hole-and-leaving-a-nasty-present-behind\/","og_locale":"en_US","og_type":"article","og_title":"'Friendly' hackers are seemingly fixing the Citrix server hole \u2013 and leaving a nasty present behind 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/friendly-hackers-are-seemingly-fixing-the-citrix-server-hole-and-leaving-a-nasty-present-behind\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2020-01-17T19:49:15+00:00","og_image":[{"width":174,"height":115,"url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2020\/01\/friendly-hackers-are-seemingly-fixing-the-citrix-server-hole-and-leaving-a-nasty-present-behind.jpg","type":"image\/jpeg"}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/friendly-hackers-are-seemingly-fixing-the-citrix-server-hole-and-leaving-a-nasty-present-behind\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/friendly-hackers-are-seemingly-fixing-the-citrix-server-hole-and-leaving-a-nasty-present-behind\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"&#8216;Friendly&#8217; hackers are seemingly fixing the Citrix server hole \u2013 and leaving a nasty present behind","datePublished":"2020-01-17T19:49:15+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/friendly-hackers-are-seemingly-fixing-the-citrix-server-hole-and-leaving-a-nasty-present-behind\/"},"wordCount":506,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/friendly-hackers-are-seemingly-fixing-the-citrix-server-hole-and-leaving-a-nasty-present-behind\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2020\/01\/friendly-hackers-are-seemingly-fixing-the-citrix-server-hole-and-leaving-a-nasty-present-behind.jpg","articleSection":["The Register"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/friendly-hackers-are-seemingly-fixing-the-citrix-server-hole-and-leaving-a-nasty-present-behind\/","url":"https:\/\/www.threatshub.org\/blog\/friendly-hackers-are-seemingly-fixing-the-citrix-server-hole-and-leaving-a-nasty-present-behind\/","name":"'Friendly' hackers are seemingly fixing the Citrix server hole \u2013 and leaving a nasty present behind 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/friendly-hackers-are-seemingly-fixing-the-citrix-server-hole-and-leaving-a-nasty-present-behind\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/friendly-hackers-are-seemingly-fixing-the-citrix-server-hole-and-leaving-a-nasty-present-behind\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2020\/01\/friendly-hackers-are-seemingly-fixing-the-citrix-server-hole-and-leaving-a-nasty-present-behind.jpg","datePublished":"2020-01-17T19:49:15+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/friendly-hackers-are-seemingly-fixing-the-citrix-server-hole-and-leaving-a-nasty-present-behind\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/friendly-hackers-are-seemingly-fixing-the-citrix-server-hole-and-leaving-a-nasty-present-behind\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/friendly-hackers-are-seemingly-fixing-the-citrix-server-hole-and-leaving-a-nasty-present-behind\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2020\/01\/friendly-hackers-are-seemingly-fixing-the-citrix-server-hole-and-leaving-a-nasty-present-behind.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2020\/01\/friendly-hackers-are-seemingly-fixing-the-citrix-server-hole-and-leaving-a-nasty-present-behind.jpg","width":174,"height":115},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/friendly-hackers-are-seemingly-fixing-the-citrix-server-hole-and-leaving-a-nasty-present-behind\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"&#8216;Friendly&#8217; hackers are seemingly fixing the Citrix server hole \u2013 and leaving a nasty present behind"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/32853","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=32853"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/32853\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/32854"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=32853"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=32853"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=32853"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}