An unknown threat actor is currently scanning for and securing vulnerable Citrix ADC servers against CVE-2019-19781 vulnerability. FireEye researchers discovered this campaign designed to clean the Citrix appliances of malware strains known to target such devices. The actor also planted a backdoor that provides access to the now secured Citrix server to actors that know a secret hardcoded passphrase, unique for each compromised device. Over 25,000 Citrix endpoints are vulnerable to attacks targeting this flaw, with almost 1,000 found in the U.S. and thousands more in Germany, Switzerland, and Switzerland.
Source: https://www.bleepingcomputer.com/news/security/hackers-are-securing-citrix-servers-backdoor-them-for-access/