ioc · name

netscaler.1

IR · Iran
Pioneer Kitten
confidence · high

Credential-capturing webshell artifact dropped by Pioneer Kitten on compromised Citrix Netscaler appliances - the file collects login credentials and is placed in the same directory as a PHP webshell (ctxHeaderLogon.php / netscaler.php) per CISA AA24-241A.

first seen · Sep 30, 2023
publisher · CISA