Open a backdoor into a network, then patch the vulnerability to prevent fellow hackers from gaining access.
ZDNet has the details:
Attacks on Citrix appliances have intensified this week, and multiple threat actors have now joined in and are launching attacks in the hopes of compromising a high-value target, such as a corporate network, government server, or public institution.
In a report published today, FireEye says that among all the attack noise it's been keeping an eye on for the past week, it spotted one attacker that stuck out like a sore thumb.
This particular threat actor was attacking Citrix servers from behind a Tor node, and deploying a new payload the FireEye team named NotRobin.
FireEye says NotRobin had a dual purpose. First, it served as a backdoor into the breached Citrix appliance. Second, it worked similarly to an antivirus by removing other malware found on the device and preventing other attackers from dropping new payloads on the vulnerable Citrix host.