Show menu

Cyber Defense Firm Fox-IT Discovers Citadel Variant on

At 8:43 US EDT, Fox-IT’s cybersecurity operations center identified a variant of Citadel malware on It was discovered coincidentally in the course of its ongoing monitoring service; one of Fox-IT’s customers was infected as a result of visiting the site. Ronald Prins (@cryptoron), Fox-IT’s CEO, tweeted the incident to alert site visitors, while Fox-IT security experts contacted the incident handling team at GE, the owner of, to alert them to the problem.

Technical details can be found at the Fox-IT blog

While is still running, the security features in most browsers (Chrome, Firefox and Facebook) have given warning messages to users before accessing the site.

Other recent attacks at NY Times and Wall Street Journal show that targeting such websites can vastly improve an attacker’s chances of success with a massive reach.

Citadel was originally designed for bank fraud and cyber espionage. This variant of Citadel uses an exploit called “RedKit” that invades computers through vulnerabilities in PDF and Java software. Once injected, the botnet crawls through files to seek and capture personal information, including online banking credentials. Variants of Citadel can automatically insert bank transfers and credit card payments.

This version of the Citadel is only recognizable to three out of the 46 antivirus programs on – Fortinet, Panda and Rising.

Both detection and removal of the malware are difficult by design. Several sites offer tips on detection and removal, including HitmanPro, but beware of scams.

Fox-IT monitors and captures the chatter, contains the fallout and minimizes the damage of cyber-attacks every day. Founded in 1999 as Europe’s first digital investigation agency, Fox-IT specializes in cyber defense tools, proactive monitoring services and rapid incident response for banks, governments and highly secure/highly sensitive enterprises.

Our website uses a cookie from Google Analytics. Click here for more information about our cookie policy and privacy statement. Click here to delete this message.