
Malicious actors using HexStrike AI to create Citrix exploits

Threat actors are attempting to exploit a newly released artificial intelligence (AI) offensive security tool called HexStrike AI, which is designed to automate reconnaissance and vulnerability discovery. HexStrike AI is marketed as an AI-driven security platform aimed at enhancing authorised red teaming operations, bug bounty hunting, and capture the flag (CTF) challenges. The open-source platform integrates with over 150 security tools, facilitating network reconnaissance, web application security testing, reverse engineering, and cloud security. It also features numerous specialised AI agents tailored for vulnerability intelligence, exploit development, attack chain discovery, and error handling. However, a report from Check Point indicates that malicious actors are repurposing this tool to gain an adversarial advantage, transforming it into an engine for exploitation of recently disclosed security vulnerabilities.

Discussions on darknet cybercrime forums reveal that threat actors claim to have successfully exploited three security flaws disclosed by Citrix using HexStrike AI. In some instances, they even offer vulnerable NetScaler instances for sale to other criminals. Check Point warns that the malicious use of such tools has significant implications for cybersecurity, as it shortens the window between public disclosure and mass exploitation while automating exploitation efforts. This automation reduces the human effort required and allows failed exploitation attempts to be retried automatically, thereby increasing the overall exploitation yield. The immediate priority for organisations is to patch and harden affected systems. HexStrike AI signifies a broader paradigm shift, in which AI orchestration is increasingly weaponised to exploit vulnerabilities rapidly and at scale. Researchers from Alias Robotics and Oracle Corporation have also highlighted that AI-powered cybersecurity agents, such as PentestGPT, carry heightened prompt injection risks, as hidden instructions can effectively turn security tools into cyber weapons.
