APT Caught Exploiting Cisco & Citrix Zero-Days in Sophisticated Attack

Amazon Threat Intelligence Uncovers Advanced Persistent Threat Exploiting Undisclosed Zero-Days in Cisco ISE and Citrix NetScaler

CRITICAL
Published: November 13, 2025
Updated: November 16, 2025
Categories: Vulnerability, Threat Actor, Cyberattack

Related Entities (initial)

Threat Actors: Unnamed Advanced Persistent Threat (APT) group

CVE Identifiers:

  • CVE-2025-20337 (CRITICAL)
  • CVE-2025-5777 (CRITICAL)

Full Report (when first published)

Executive Summary

Amazon's threat intelligence team has disclosed its discovery of a highly sophisticated advanced persistent threat (APT) group exploiting two previously unknown zero-day vulnerabilities in enterprise networking products from Cisco and Citrix. The campaign, first detected in May 2025, leveraged a deserialization flaw in Cisco Identity Services Engine (ISE) (CVE-2025-20337) and a flaw in Citrix NetScaler (CVE-2025-5777) to gain initial access and execute code. The threat actor deployed a custom, fileless web shell that operated entirely in memory to maintain persistence and evade detection. The ability to discover and weaponize multiple zero-days against critical network infrastructure indicates a well-funded and skilled nation-state-level adversary.


Threat Overview

The APT group's campaign was first identified by Amazon's MadPot honeypot network, which detected probes against the Citrix vulnerability before its public disclosure. Subsequent investigation revealed the concurrent exploitation of the Cisco ISE flaw. The attackers chained these vulnerabilities to compromise critical identity and access management (IAM) systems, which are high-value targets for espionage and lateral movement.

  • CVE-2025-20337 (Cisco ISE): A deserialization vulnerability that allowed a remote, unauthenticated attacker to achieve administrator-level access on the Cisco ISE appliance.
  • CVE-2025-5777 (Citrix): Dubbed "Citrix Bleed Two," this flaw allowed pre-authentication remote code execution on vulnerable Citrix NetScaler appliances.

The APT group demonstrated a high level of operational security and technical skill by using custom malware tailored specifically for the targeted environment.

Technical Analysis

The attack chain was sophisticated and stealthy:

  1. Initial Access (T1190 - Exploit Public-Facing Application): The APT exploited either CVE-2025-20337 on a Cisco ISE device or CVE-2025-5777 on a Citrix appliance to gain initial code execution.
  2. Execution & Persistence (T1059.006 - Python): Upon compromising the Cisco ISE, the actor deployed a custom web shell. The malware, named IdentityAuditAction, was written to blend in with legitimate system components.
  3. Defense Evasion (T1055 - Process Injection & T1620 - Reflective Code Loading): The web shell was fileless, operating entirely in-memory. It used Java reflection to inject itself into active server threads, making it invisible to traditional file-based antivirus scanners.
  4. Command and Control (T1071.001 - Web Protocols): The web shell acted as a backdoor, allowing the attacker to intercept legitimate HTTP requests to the ISE management interface and execute arbitrary commands.

This use of in-memory malware and reflective loading is a hallmark of advanced threat actors aiming to minimize their forensic footprint.

Impact Assessment

Compromise of an IAM solution like Cisco ISE is a critical security event. It grants attackers control over network access policies, allowing them to create rogue accounts, bypass security controls like segmentation, and gain widespread access to the internal network. The attacker could monitor all authentication events, harvest credentials, and move laterally to other high-value systems. The business impact includes loss of sensitive data, complete network compromise, and significant disruption to operations. The targeting of edge network appliances represents a strategic effort to breach hardened perimeters.

IOCs

The primary indicator was the custom web shell named IdentityAuditAction. No other specific IOCs like IP addresses or file hashes were publicly released.

Detection & Response

Detecting such advanced attacks requires more than signature-based tools.

  • Memory Analysis: Regularly perform memory analysis on critical network appliances like Cisco ISE and Citrix NetScalers to hunt for signs of reflective code loading or anomalous injected threads. Use D3FEND's Dynamic Analysis.
  • Network Traffic Analysis: Monitor traffic to and from the management interfaces of network appliances. These interfaces should only be accessible from a limited set of internal administrative hosts. Any connections from the internet or other unexpected sources are highly suspicious. This aligns with D3FEND's Network Traffic Analysis.
  • Log Monitoring: Closely monitor audit logs from Cisco ISE for unexplained configuration changes, new administrative account creation, or policy modifications. Look for any anomalous log entries or gaps in logging.
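The Log Monitoring bullet above, turned into a hunt over constructed audit lines (example code added here, not from the article or Cisco): it flags administrative account creation and policy changes, changes made by accounts outside a known-admin allowlist, and silent stretches that may indicate logging was disabled. The syslog-like line layout and the action names are assumptions; Cisco's real ISE message schema differs and `LINE_RE` must be adapted to it.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in a syslog-like "<ts> <host> <category>: key=value ..." shape.
# NOT Cisco's real ISE audit format: adapt LINE_RE before using on exported logs.
SAMPLE_LOG = """\
2025-05-01T08:00:05Z ise01 AUDIT: user=admin action=LOGIN result=success
2025-05-01T08:02:10Z ise01 AUDIT: user=admin action=POLICY_UPDATE object=AuthzPolicy/Guest
2025-05-01T08:03:30Z ise01 AUDIT: user=svc_backup action=ADMIN_CREATE object=adminuser/auditsvc
2025-05-01T11:40:00Z ise01 AUDIT: user=admin action=LOGIN result=success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<cat>\w+): (?P<kv>.*)$")
# Changes the article tells defenders to watch for on ISE (constructed action names).
WATCHED_ACTIONS = {"ADMIN_CREATE", "POLICY_UPDATE", "CONFIG_CHANGE"}
# Accounts expected to make administrative changes (constructed allowlist).
KNOWN_ADMINS = {"admin"}


def parse(line):
    """Parse one line into a dict of fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(p.split("=", 1) for p in m["kv"].split() if "=" in p)
    fields["ts"] = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    fields["host"] = m["host"]
    return fields


def hunt(log_text, max_gap_hours=2):
    """Return (kind, detail) findings: watched changes, changes by unknown
    accounts, unparsable lines, and silent periods longer than max_gap_hours."""
    max_gap = timedelta(hours=max_gap_hours)
    findings, prev_ts = [], None
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            findings.append(("UNPARSED", line))
            continue
        action = ev.get("action")
        if action in WATCHED_ACTIONS:
            findings.append((action, f"{ev.get('user', '?')} -> {ev.get('object', '?')}"))
            if ev.get("user") not in KNOWN_ADMINS:
                findings.append(("UNKNOWN_ACTOR", ev.get("user", "?")))
        # A quiet stretch on a normally chatty appliance can mean logging was
        # disabled or tampered with; tune max_gap_hours to the device's cadence.
        if prev_ts is not None and ev["ts"] - prev_ts > max_gap:
            findings.append(("LOG_GAP", f"{prev_ts.isoformat()} .. {ev['ts'].isoformat()}"))
        prev_ts = ev["ts"]
    return findings
```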

Mitigation

  1. Patch Management (M1051 - Update Software): Immediately apply the patches released by Cisco for CVE-2025-20337 and by Citrix for CVE-2025-5777.
  2. Restrict Access (M1035 - Limit Access to Resource Over Network): The management interfaces of critical network appliances like Cisco ISE should never be exposed to the internet. Access should be strictly limited to a secure management network or bastion host.
  3. Network Segmentation (M1030 - Network Segmentation): Segment the network to prevent compromised edge devices from having direct access to critical internal resources. This contains the blast radius of a potential compromise.
  4. Integrity Monitoring: Use file and system integrity monitoring tools to detect unauthorized changes to the operating systems of network appliances.

Timeline of Events

  1. May 1, 2025: Amazon's MadPot honeypot service first detects exploitation attempts against the Citrix flaw.
  2. July 1, 2025: The Citrix vulnerability (CVE-2025-5777) is publicly disclosed.
  3. November 12, 2025: Amazon publicly details the APT campaign and the associated Cisco zero-day (CVE-2025-20337).
  4. November 13, 2025: This article was published.

Article Updates

November 16, 2025

Added new technical details on the Cisco ISE vulnerability, the Citrix flaw's nickname, and the MITRE ATT&CK techniques involved.

MITRE ATT&CK Mitigations

  • Apply security patches from Cisco and Citrix to remediate the zero-day vulnerabilities.
  • Isolate management interfaces of network appliances from the internet and general corporate networks.
  • Segment networks to contain breaches originating from edge devices.

D3FEND Defensive Countermeasures

The exploitation of Cisco ISE and Citrix appliances was successful because their management interfaces were accessible to the attacker. The most effective mitigation, beyond patching, is to implement strict network isolation for all critical infrastructure management portals. These interfaces should be placed on a separate, hardened management VLAN or network segment. Access to this segment should be controlled via a bastion host or jump box, with multi-factor authentication required for access. Firewall rules must be configured to deny all traffic to these management interfaces from the internet and from general user subnets. This architectural change dramatically reduces the attack surface, making it impossible for an external attacker to even attempt to exploit vulnerabilities like CVE-2025-20337 or CVE-2025-5777.

The APT's use of a fileless, in-memory web shell is designed to defeat static, file-based security tools. To counter this, security teams must employ dynamic analysis and memory forensics. For critical appliances like Cisco ISE, schedule regular memory captures and analyze them for signs of compromise. Look for injected code, hooked functions, and network sockets opened by unexpected processes. EDR solutions with memory scanning capabilities can automate this process, hunting for indicators of reflective loading (T1620). By analyzing the live state of the system rather than just files on disk, defenders can uncover stealthy malware like the 'IdentityAuditAction' web shell used in this attack. This is an advanced but necessary capability for detecting sophisticated threat actors.

Continuously monitor network traffic to and from critical infrastructure like Cisco ISE. Establish a strict baseline of normal communication patterns for these devices. The management interface should only communicate with a small, well-defined set of administrative workstations and other management tools. Any deviation, such as connections to or from external IP addresses, connections using non-standard ports, or unusually large data transfers, should trigger a high-priority alert. Deploying network detection and response (NDR) tools can help automate this baselining and anomaly detection, providing a crucial layer of visibility to spot C2 communications or data exfiltration from a compromised appliance.
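The baselining described in the Network Traffic Analysis bullet and in the paragraph above, as an added example (not code from the article or from any NDR product): it checks flow records for the ISE management interface against a constructed baseline and reports the three deviations the text names (unexpected sources, non-standard ports, unusually large transfers), plus outbound connections from the appliance to hosts outside its known dependencies. All addresses, ports, the byte ceiling and the flow records are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed baseline (assumptions, not from the article): the ISE admin
# interface is HTTPS/443 plus SSH/22, reachable only from the management
# VLAN, with SSH further limited to the jump host; the appliance itself
# should only call out to its known dependencies (AD, DNS, NTP).
ISE_MGMT_IP = ip_address("10.10.5.10")
ADMIN_NETS = [ip_network("10.10.250.0/24")]      # management VLAN
JUMP_HOSTS = {ip_address("10.10.250.5")}
ALLOWED_PORTS = {443, 22}
EGRESS_ALLOW = [ip_network("10.10.1.0/24")]      # AD/DNS/NTP servers
MAX_BYTES = 50 * 1024 * 1024                     # per-flow transfer ceiling

# Constructed flow records: (src, dst, dport, bytes)
FLOWS = [
    ("10.10.250.5", "10.10.5.10", 443, 120_000),       # normal admin session
    ("10.10.250.20", "10.10.5.10", 22, 8_000),         # SSH from non-jump host
    ("203.0.113.7", "10.10.5.10", 443, 30_000),        # internet source
    ("10.10.250.5", "10.10.5.10", 8443, 5_000),        # non-standard port
    ("10.10.250.5", "10.10.5.10", 443, 900_000_000),   # bulk transfer
    ("10.10.5.10", "10.10.1.3", 389, 4_000),           # LDAP to AD: expected
    ("10.10.5.10", "198.51.100.9", 443, 4_000),        # appliance calling out
]


def classify(src, dst, dport, nbytes):
    """Return the baseline deviations for one flow (empty list = normal)."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    reasons = []
    if dst_ip == ISE_MGMT_IP:
        if not any(src_ip in net for net in ADMIN_NETS):
            reasons.append("source outside management network")
        if dport not in ALLOWED_PORTS:
            reasons.append(f"non-standard port {dport}")
        elif dport == 22 and src_ip not in JUMP_HOSTS:
            reasons.append("ssh from non-jump host")
        if nbytes > MAX_BYTES:
            reasons.append("unusually large transfer")
    elif src_ip == ISE_MGMT_IP:
        # Outbound connections from the appliance to anything but its
        # dependencies are a C2 / exfiltration signal worth a high-priority alert.
        if not any(dst_ip in net for net in ADMIN_NETS + EGRESS_ALLOW):
            reasons.append("appliance initiated connection to unexpected host")
    return reasons


def alerts(flows):
    """Flows that deviate from the baseline, paired with their reasons."""
    return [(flow, classify(*flow)) for flow in flows if classify(*flow)]
```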

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

APT, Zero-Day, CVE-2025-20337, CVE-2025-5777, Cisco ISE, Citrix, Amazon, Web Shell, In-Memory Malware
