Ongoing Citrix NetScaler Credential Stuffing Activity Observed Using Fresh Infostealer Credentials
We have recently identified another persistent credential stuffing campaign targeting a customer’s Citrix NetScaler environment. The activity appears to be leveraging credentials harvested by infostealer malware, including at least one account where the associated endpoint was compromised only days before the login attempts were observed.
The incident highlights the increasing speed at which credentials stolen by infostealers are being weaponised by threat actors. In this case, there appears to be little delay between credential theft and attempted access to externally exposed remote access infrastructure.
Observed Activity
The latest activity forms part of a broader pattern that has been observed against the customer over several months. Multiple login attempts have been recorded against accounts associated with the organisation, suggesting the threat actor maintains a list of previously compromised or targeted users and periodically retests access.
While attribution remains unknown, several indicators have remained consistent across the observed activity.
Indicators of Compromise (IOCs)
Source IP Addresses
5.45.73.13
176.124.205.197
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901
Notable Characteristics
Several characteristics of this activity are worth noting:
- The targeted accounts have all been associated with the customer.
- Login attempts have occurred over an extended period rather than as a single campaign.
- Recently compromised credentials have been incorporated into the attack set very quickly.
- The same infrastructure and User-Agent strings have been observed repeatedly across multiple attempts.
This behaviour is consistent with operators who maintain credential collections sourced from infostealer logs and periodically attempt authentication against internet-facing services such as Citrix NetScaler, VPN gateways, and other remote access platforms.
Recommendations
Organisations operating Citrix NetScaler or similar remote access solutions should consider:
- Monitoring authentication logs for the indicators listed above.
- Identifying users whose credentials may have appeared in infostealer datasets.
- Enforcing multi-factor authentication (MFA) for all remote access services.
- Reviewing failed and successful authentication attempts for signs of credential stuffing activity.
- Resetting credentials associated with users suspected of endpoint compromise.
- Implementing conditional access controls where practical.
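The following is an added example, not code from the advisory or from Citrix, that puts the monitoring and review items above into practice against the Indicators of Compromise listed earlier. It parses authentication log lines in a simplified, constructed layout (assumed for the example, not NetScaler's real syslog schema), matches events against the two source IPs and the User-Agent string from the IOC section, flags any source that fails against many distinct accounts, lists accounts that subsequently authenticated from such a source (candidates for an immediate credential reset), and cross-references attempted usernames against a list of users believed to appear in infostealer datasets. The sample log lines, usernames, the 203.0.113.x and 198.51.100.x addresses, the exposure list and the detection thresholds are all constructed assumptions.

```python
# Added example, not from the advisory or from Citrix. Parses authentication
# log lines in a simplified, constructed layout (assumed, not NetScaler's real
# syslog schema), matches them against the advisory's IOCs and flags the
# credential stuffing patterns a defender would review.
from collections import defaultdict
from dataclasses import dataclass
import re

# Indicators taken directly from the advisory
IOC_SOURCE_IPS = {"5.45.73.13", "176.124.205.197"}
IOC_USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901")

# Assumed, simplified log layout used only for this example:
#   <timestamp> AAA <LOGIN_FAILED|LOGIN_SUCCESS> user=<name> client_ip=<ip> ua="<agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) AAA (?P<event>LOGIN_FAILED|LOGIN_SUCCESS) '
    r'user=(?P<user>\S+) client_ip=(?P<ip>\S+) ua="(?P<ua>[^"]*)"$'
)


@dataclass
class AuthEvent:
    ts: str
    event: str
    user: str
    ip: str
    ua: str


def parse_log(text):
    """Parse every well-formed line; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(AuthEvent(**m.groupdict()))
    return events


def find_ioc_hits(events):
    """Events whose source IP or User-Agent matches the advisory's IOCs."""
    return [e for e in events if e.ip in IOC_SOURCE_IPS or e.ua == IOC_USER_AGENT]


def detect_stuffing(events, min_failures=5, min_distinct_users=3):
    """Flag sources that fail against many distinct accounts (the stuffing
    pattern) and list any account that then authenticated from that source,
    since those accounts need an immediate credential reset."""
    failed = defaultdict(list)    # ip -> usernames that failed
    succeeded = defaultdict(set)  # ip -> usernames that succeeded
    for e in events:
        if e.event == "LOGIN_FAILED":
            failed[e.ip].append(e.user)
        else:
            succeeded[e.ip].add(e.user)
    findings = {}
    for ip, users in failed.items():
        if len(users) >= min_failures and len(set(users)) >= min_distinct_users:
            findings[ip] = {
                "failed_attempts": len(users),
                "distinct_users": sorted(set(users)),
                "succeeded_users": sorted(succeeded.get(ip, set())),
            }
    return findings


def exposed_accounts_targeted(events, exposed_users):
    """Accounts on a known infostealer exposure list that saw any login attempt."""
    return sorted({e.user for e in events if e.user in exposed_users})


# Constructed sample log: one burst from an IOC address, routine traffic from
# documentation-range addresses, and a later retry from the second IOC address.
OTHER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0.0.0 Safari/537.36"
SAMPLE_LOG = "\n".join([
    f'2024-01-01T02:00:01Z AAA LOGIN_FAILED user=j.smith client_ip=5.45.73.13 ua="{IOC_USER_AGENT}"',
    f'2024-01-01T02:00:03Z AAA LOGIN_FAILED user=a.jones client_ip=5.45.73.13 ua="{IOC_USER_AGENT}"',
    f'2024-01-01T02:00:05Z AAA LOGIN_FAILED user=m.lee client_ip=5.45.73.13 ua="{IOC_USER_AGENT}"',
    f'2024-01-01T02:00:07Z AAA LOGIN_FAILED user=r.khan client_ip=5.45.73.13 ua="{IOC_USER_AGENT}"',
    f'2024-01-01T02:00:09Z AAA LOGIN_FAILED user=j.smith client_ip=5.45.73.13 ua="{IOC_USER_AGENT}"',
    f'2024-01-01T02:00:11Z AAA LOGIN_SUCCESS user=p.doe client_ip=5.45.73.13 ua="{IOC_USER_AGENT}"',
    f'2024-01-01T08:15:00Z AAA LOGIN_SUCCESS user=j.smith client_ip=203.0.113.10 ua="{OTHER_UA}"',
    f'2024-01-01T09:02:00Z AAA LOGIN_FAILED user=j.smith client_ip=198.51.100.7 ua="{OTHER_UA}"',
    f'2024-01-02T02:00:00Z AAA LOGIN_FAILED user=a.jones client_ip=176.124.205.197 ua="{IOC_USER_AGENT}"',
])

# Constructed list of users whose credentials are believed to appear in
# infostealer logs (in practice sourced from a breach-monitoring feed).
KNOWN_EXPOSED_USERS = {"j.smith", "p.doe"}

if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for hit in find_ioc_hits(evts):
        print(f"IOC match: {hit.ts} {hit.event} user={hit.user} ip={hit.ip}")
    for ip, f in detect_stuffing(evts).items():
        print(f"Stuffing from {ip}: {f['failed_attempts']} failures against "
              f"{len(f['distinct_users'])} accounts; successes: {f['succeeded_users']}")
    print("Exposed accounts targeted:", exposed_accounts_targeted(evts, KNOWN_EXPOSED_USERS))
```

On the constructed sample the burst from 5.45.73.13 is flagged as stuffing (five failures across four accounts) and p.doe is reported as having authenticated from that source, while the single failure from 176.124.205.197 still surfaces through the IOC match even though it falls below the stuffing threshold; that second path matters because the advisory notes the operator retests access periodically rather than in one burst, so IOC matching and volume-based detection should be run together.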
The continued use of infostealer-derived credentials by threat actors reinforces the importance of treating endpoint compromises as identity compromises. Once credentials are harvested, they may remain valuable to attackers for months and can be repeatedly tested against exposed services long after the initial infection has been removed.
We recommend that organisations remain vigilant for ongoing authentication attempts against remote access infrastructure and proactively investigate any accounts known to have been exposed through infostealer activity.