NotRobin backdoor targets Citrix/NetScaler appliances

NotRobin is a backdoor that targets Citrix/NetScaler appliances.

NotRobin is spread over the internet via exploitation of a Remote Code Execution (RCE) vulnerability in these devices. The threat actor remains anonymous as they distribute NotRobin using Tor.

When executed, NotRobin removes other malware that has compromised the affected device. It then gains persistence on the device by creating a cron job and blocks any further exploitation attempts except by the threat actor.

The malware also searches for files with an .xml extension in another directory used by attackers exploiting CVE-2019-19781 if NOTROBIN finds the strings “block” or “BLOCK” in them, matching possible exploit code, the files are deleted.

The compromised device will also listen on UDP port 18634 but drop any received data without inspection. At the time of publication there is no evidence of any additional malware being deployed to devices compromised by NotRobin.

Indicators of Compromise

Listening UDP port:

  • 18634


  • /var/nstmp/.nscache/httpd
  • /tmp/.init/httpd

Crontab entry:

  • /var/nstmp/.nscache/httpd


  • vilarunners[.]cat

IP addresses:

  • 95.179.163[.]186
  • 80.240.31[.]218

Jason Davies

UK based technology professional, with an interest in computer security and telecoms.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: