FireEye believes this is a bad guy hoarding Citrix servers, rather than a good-guy vigilante looking out for organizations.
Article Link: https://www.zdnet.com/article/a-hacker-is-patching-citrix-servers-to-maintain-exclusive-access/#ftag=RSSbaffb68