
NOTROBIN

NOTROBIN is a backdoor payload associated with exploitation of Citrix ADC and Citrix Gateway appliances vulnerable to CVE-2019-19781, a directory traversal flaw that gives an unauthenticated attacker remote code execution on the appliance. FireEye reported in January 2020 that a threat actor was exploiting vulnerable Citrix installations at scale, installing NOTROBIN, and then applying mitigation steps of its own to block subsequent exploitation by other attackers. This amounts to adversary patching: NOTROBIN removed competing web shells and altered appliance components so that only the intruder holding a secret key could regain access through the same flaw. The malware is described as a backdoor trojan and appears in lists of notable Linux malware discoveries. Its activity is tied with high confidence to the Citrix NetScaler/ADC exploitation waves of early 2020, which hit internet-facing enterprise and government environments running unpatched appliances. The public material summarized on this page carries no file hashes or other concrete IOCs for NOTROBIN beyond the single masked network indicator listed below.
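The exploitation chain this page describes leaves a recognizable trace in the appliance's web server access log, which is the most practical hunt when, as here, no hashes or domains are published. The script below is an added example written for this page; it is not code from Mallory, FireEye, or the NOTROBIN operators. It assumes Apache Common Log Format as found in the appliance's httpaccess.log and the request sequence used by the public CVE-2019-19781 exploits: a traversal from the unauthenticated /vpn/ tree into /vpns/, a POST to the newbm.pl handler that writes a template, and a GET of that template that runs the injected code. The log lines are constructed, not captured from a real appliance. A 403 on the same traversal path that earlier returned 200 is what you would expect after the intruder's own mitigation described above (or after Citrix's responder-policy mitigation), so the summary counts served and refused attempts per source.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache Common Log Format, as written to the appliance's httpaccess.log
# (assumed layout; adjust the regex if your appliance logs differ).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Request shapes from the public CVE-2019-19781 exploit chain.
TRAVERSAL_RE = re.compile(r"/vpn/(?:\.\./)+vpns/")            # escape from /vpn/ into /vpns/
NEWBM_RE = re.compile(r"/vpns/portal/scripts/newbm\.pl")       # handler that writes a template
SCRIPT_RE = re.compile(r"/vpns/portal/scripts/[^/?]+\.pl")     # any other Perl handler
TEMPLATE_RE = re.compile(r"/vpns/portal/[^/?]+\.xml(?:\?|$)")  # fetch that triggers the template

# Constructed sample: one full exploit sequence from 203.0.113.7, benign
# traffic from 198.51.100.20, and a later attempt from 192.0.2.9 that is refused.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Jan/2020:03:12:44 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 92 "-" "curl/7.64.1"
203.0.113.7 - - [11/Jan/2020:03:12:45 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 143 "-" "curl/7.64.1"
203.0.113.7 - - [11/Jan/2020:03:12:46 +0000] "GET /vpn/../vpns/portal/aq1b7c.xml HTTP/1.1" 200 1410 "-" "curl/7.64.1"
198.51.100.20 - - [11/Jan/2020:03:15:02 +0000] "GET /vpn/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [11/Jan/2020:04:01:10 +0000] "POST /vpn/%2e%2e/vpns/portal/scripts/newbm.pl HTTP/1.1" 403 0 "-" "python-requests/2.22.0"
"""


def parse_line(line):
    """Split one access-log line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(path):
    """Tag a request path with the exploit-chain stages it matches (empty set if none)."""
    path = unquote(path)  # scanners often percent-encode the dots in the traversal
    tags = set()
    if TRAVERSAL_RE.search(path):
        tags.add("traversal")
    if NEWBM_RE.search(path):
        tags.add("template-write")
    elif SCRIPT_RE.search(path):
        tags.add("script-call")
    if TEMPLATE_RE.search(path):
        tags.add("template-fetch")
    return tags


def hunt(lines):
    """Return the parsed records whose path matches at least one exploit-chain stage."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec["path"])
        if tags:
            rec["tags"] = sorted(tags)
            findings.append(rec)
    return findings


def summarize(findings):
    """Per source IP: stages seen, and how many matching requests were served (2xx)
    versus refused (403). A source refused on the same path another source had
    already used successfully is consistent with the exploit path having been
    closed behind the first intruder."""
    by_ip = defaultdict(lambda: {"stages": set(), "allowed": 0, "blocked": 0})
    for f in findings:
        entry = by_ip[f["ip"]]
        entry["stages"].update(f["tags"])
        if f["status"].startswith("2"):
            entry["allowed"] += 1
        elif f["status"] == "403":
            entry["blocked"] += 1
    return {ip: {"stages": sorted(v["stages"]), "allowed": v["allowed"], "blocked": v["blocked"]}
            for ip, v in by_ip.items()}


if __name__ == "__main__":
    for ip, info in summarize(hunt(SAMPLE_LOG.splitlines())).items():
        print(ip, info)
```

Feed hunt() the lines of the appliance's httpaccess.log and its rotated copies. A hit proves a CVE-2019-19781 exploitation attempt, not NOTROBIN specifically: a served template-write followed by a served template-fetch is the pair worth acting on, and the next step is to pull that template and the contents of the portal scripts directory from the appliance for review.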


EXPLOITED CVES

Vulnerabilities exploited

1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

CVE-2019-19781: Directory Traversal and RCE in Citrix ADC and Gateway (exploited in the wild)

A week before the 2019 holidays Citrix announced that an authentication bypass vulnerability was discovered in multiple Citrix products... The vulnerability has been assigned CVE ID CVE-2019-19781... Meanwhile, according to FireEye research threat actors were actively targeting vulnerable Citrix installations to install malware and perform the mitigation steps to prevent subsequent exploitation attempts. The payload used by the threat actor is named NOTROBIN... By the end of January 2020, Citrix has released patches for all products... At the time of writing several exploits have already been released to the public.

via hackingtutorials.org
MITRE ATT&CK

Techniques & procedures

5 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1190 Exploit Public-Facing Application (evidence: 1)

“Cyber actors continue to exploit publicly known—and often dated—software vulnerabilities… Four of the most targeted vulnerabilities in 2020 affected remote work, VPNs, or cloud-based technologies.” / “CVE-2019-19781… exploitation enables the actors to perform unauthorized RCE on a target system.”

Execution

2 techniques
T1059 Command and Scripting Interpreter (evidence: 1)

Attackers can use this functionality to upload/execute command and control (C2) software (webshell or reverse-shell executable) using embedded commands (e.g., curl, wget, Invoke-WebRequest).

T1203 Exploitation for Client Execution (evidence: 2)

Mapping caveat: the evidence quoted below describes exploitation of an internet-facing appliance, which ATT&CK covers under T1190 Exploit Public-Facing Application. T1203 is reserved for exploiting client applications such as browsers or document readers, and nothing on this page shows the NOTROBIN operators doing that.

A week before the 2019 holidays Citrix announced that an authentication bypass vulnerability was discovered in multiple Citrix products... Exploiting the vulnerability could allow an unauthenticated attacker to perform arbitrary code execution on the Citrix appliance.

Persistence

1 technique
T1505.003 Web Shell (evidence: 1)

“Attackers can… upload/execute command and control (C2) software (webshell or reverse-shell executable)… gain unauthorized access to the OS.” / “This vulnerability was typically exploited to install webshell malware…”

Defense Evasion

1 technique
T1006 Direct Volume Access (evidence: 1)

Mapping caveat: T1006 covers reading raw disk volumes to bypass file-system access controls. The evidence quoted below describes directory traversal in the web application, which is part of the CVE-2019-19781 initial-access chain (T1190) rather than direct volume access.

The lack of adequate access controls allows an attacker to enumerate system directories for vulnerable code (directory traversal).

INDICATORS OF COMPROMISE

IOCs tracked for this family

1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network: 1 tracked

IPs, domains, and DNS infrastructure linked to this family.

Type: domain
Value: redacted on the public page
Latest sighting: 5 years ago