Anubis Ransomware Exploits Citrix Bleed 2 to Breach Enterprise Networks

The Anubis ransomware operation has intensified its attacks by exploiting the critical Citrix Bleed 2 (CVE-2025-5777) vulnerability to gain initial access to enterprise networks. Security researchers have also observed the group using legitimate remote administration tools, stolen VPN credentials, and hands-on-keyboard techniques to move laterally across compromised environments.

According to a recent report from Arctic Wolf, while individual affiliates use different tactics, they consistently rely on trusted IT management tools to avoid detection and maintain long-term access inside victim networks.

Legitimate Remote Management Tools Used to Avoid Detection

Instead of deploying obvious malware immediately, Anubis operators frequently abuse legitimate Remote Monitoring and Management (RMM) software that is commonly used by IT administrators.

Some of the tools observed in recent attacks include:

  • ScreenConnect
  • Zoho Assist
  • MeshAgent
  • Remotely
  • UltraVNC
  • Total Software Deployment

Because these applications are widely used in enterprise environments, attackers can blend into normal administrative activity while remotely controlling infected systems.

What Is Anubis Ransomware?

Anubis is a Ransomware-as-a-Service (RaaS) operation that emerged in late 2024 after rebranding from the Sphinx ransomware family. The group officially launched its affiliate program on the RAMP cybercrime forum in February 2025.

Since then, the operation has expanded rapidly. According to ransomware tracking platforms, Anubis has claimed responsibility for more than 90 victims worldwide, including multiple attacks reported during June 2026.

The group’s primary targets include:

  • Healthcare organizations
  • Manufacturing companies
  • Business service providers
  • Technology firms
  • Financial institutions

More than half of the known victims are located in the United States, followed by organizations in the United Kingdom, Australia, France, and Canada.

High Affiliate Payouts and Destructive Wiper Capability

Anubis has attracted affiliates by offering generous revenue sharing, allowing partners to keep up to 80% of ransom payments.

What makes the ransomware particularly dangerous is its optional WIPEMODE feature.

When activated, this module permanently destroys victim files by reducing them to 0 KB, making recovery impossible—even if the ransom is later paid. This destructive capability significantly increases pressure on victims during ransom negotiations.

Citrix Bleed 2 Provides Initial Access

Many of the recent intrusions begin by exploiting CVE-2025-5777, better known as Citrix Bleed 2.

The vulnerability is an out-of-bounds memory read in Citrix NetScaler ADC and Gateway appliances configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. A malformed login request causes the appliance to return uninitialised memory that can contain valid session tokens; replaying such a token lets an attacker hijack an authenticated session, sidestepping passwords and MFA, and reach the corporate network behind the appliance.
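Because the bug is fixed only in specific NetScaler builds, the first practical check is whether an appliance is still on a vulnerable build. The following is an added example, not code from the article, Arctic Wolf or Citrix: it parses the output of the NetScaler `show ns version` command and compares it against the fixed builds Citrix published at disclosure (14.1-43.56, 13.1-58.32, 13.1-FIPS/NDcPP 13.1-37.235, 12.1-FIPS/NDcPP 12.1-55.328). Those numbers should be re-checked against the current advisory before you rely on them; the `fips` flag is an assumption the caller must supply, because the version string alone does not distinguish the FIPS build line.

```python
"""Check a NetScaler 'show ns version' string against the builds Citrix
published as fixed for CVE-2025-5777 (Citrix Bleed 2).

Added example, not from the article or from Citrix. Fixed builds are
those listed in Citrix's advisory at disclosure; verify them against the
current advisory before use.
"""
import re

# (major build, minor build) of the first fixed build per branch.
# FIPS/NDcPP branches have their own build lines, so they are keyed separately.
FIXED_BUILDS = {
    "14.1":      (43, 56),
    "13.1":      (58, 32),
    "13.1-FIPS": (37, 235),
    "12.1-FIPS": (55, 328),
}

# Matches e.g. "NetScaler NS14.1: Build 43.47.nc, Date: ..."
VERSION_RE = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)", re.IGNORECASE)


def parse_version(show_ns_version: str, fips: bool = False):
    """Return (branch, major_build, minor_build) from 'show ns version' text."""
    m = VERSION_RE.search(show_ns_version)
    if not m:
        raise ValueError("unrecognised NetScaler version string")
    branch = m.group(1) + ("-FIPS" if fips else "")
    return branch, int(m.group(2)), int(m.group(3))


def is_vulnerable(show_ns_version: str, fips: bool = False) -> bool:
    """True if the build is older than the first fixed build for its branch.

    Branches with no fixed build listed (12.1 and 13.0 non-FIPS) are end of
    life and received no fix, so they are reported as vulnerable.
    """
    branch, major, minor = parse_version(show_ns_version, fips)
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return True
    return (major, minor) < fixed


if __name__ == "__main__":
    # Constructed sample output, not from a real appliance.
    for line, fips in [("NetScaler NS14.1: Build 43.47.nc, Date: Jun 2, 2025", False),
                       ("NetScaler NS14.1: Build 43.56.nc, Date: Jun 17, 2025", False),
                       ("NetScaler NS13.1: Build 37.200.nc", True),
                       ("NetScaler NS13.0: Build 92.21.nc", False)]:
        print(line, "->", "VULNERABLE" if is_vulnerable(line, fips) else "fixed")
```

Patching alone is not enough: session tokens leaked before the upgrade remain valid until the sessions holding them are ended, so Citrix's advisory also directs administrators to terminate active sessions after upgrading every node in an HA pair or cluster (`kill icaconnection -all` and `kill pcoipConnection -all` on the NetScaler CLI), and to review authentication logs for sessions whose source IP changes mid-session, the hallmark of a replayed token.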

In several incidents, Arctic Wolf also observed attackers logging into Cisco AnyConnect VPNs using valid credentials. While the exact source of these credentials remains unknown, they may have been obtained through:

  • Previous network compromises
  • Initial Access Brokers (IABs)
  • Credential stuffing attacks
  • Information-stealing malware

After VPN access is established, attackers quickly transition to Remote Desktop Protocol (RDP) and SMB sessions before expanding their foothold inside the network.

Lateral Movement and Data Theft

Once inside a victim’s environment, Anubis operators use tools such as PsExec and Remote Desktop to move between systems.

They often deploy additional remote management software to maintain persistence while remaining difficult to detect.

Some intrusions also set up a Cloudflare Tunnel (cloudflared) from a compromised host. Because the tunnel is an outbound HTTPS connection to Cloudflare's edge, it exposes internal services such as RDP to the attacker without any inbound firewall rule and blends in with ordinary web traffic.

Before encrypting systems, attackers typically collect sensitive data using legitimate file transfer utilities, including:

  • S3 Browser
  • rclone
  • s5cmd
  • WinSCP
  • PuTTY

The stolen information is exfiltrated before ransomware deployment, increasing pressure on victims through double-extortion tactics.

Disabling Security Before Encryption

To maximize the impact of their attacks, Anubis affiliates attempt to weaken endpoint protection and hinder forensic investigations.

Researchers observed several defense-evasion techniques, including:

  • Disabling Microsoft Defender real-time protection
  • Uninstalling Sophos security software
  • Using PC Hunter-type kernel utilities to kill protected security processes
  • Clearing Windows event logs
  • Deleting ransomware payloads after execution

Removing encryption binaries after deployment leaves investigators with fewer artifacts to analyze during incident response.
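The tradecraft described in the preceding sections (RMM agents, cloudflared, exfiltration utilities, PsExec, Defender tampering and log clearing) is visible in ordinary Windows telemetry if you look for it. The following added example, not code from the article or Arctic Wolf, runs simple detection logic over constructed event records shaped like Security 4688 (process creation), System 7045 (service installed), Security 1102 / System 104 (log cleared) and Windows Defender 5001 (real-time protection disabled). The executable names in the watchlists are common defaults for the tools named in the report (Remotely and Zoho Assist binaries are omitted because their names vary by deployment) and are assumptions to tune to your environment: a licensed ScreenConnect deployment will otherwise drown the alert.

```python
"""Hunt for the Anubis-style tradecraft described above in Windows
process-creation, service-install and log-clearing events.

Added example, not from the article or Arctic Wolf. Watchlist executable
names are assumptions (common defaults) and must be tuned per environment.
"""
import re
from collections import defaultdict

# Tool executables grouped by the role they played in the reported intrusions.
WATCHLIST = {
    "rmm": {"screenconnect.clientservice.exe", "screenconnect.windowsclient.exe",
            "meshagent.exe", "winvnc.exe"},
    "tunnel": {"cloudflared.exe"},
    "exfil": {"rclone.exe", "s5cmd.exe", "winscp.exe", "pscp.exe", "putty.exe"},
    "lateral": {"psexec.exe", "psexec64.exe", "psexesvc.exe"},
}

# Command-line patterns for tampering with endpoint protection (heuristics).
TAMPER_PATTERNS = [
    ("defender_disabled",
     re.compile(r"Set-MpPreference.*-DisableRealtimeMonitoring\s*(\$true|1)", re.I)),
    ("av_uninstall", re.compile(r"msiexec(\.exe)?\s+.*(/x|/uninstall).*sophos", re.I)),
    ("pchunter", re.compile(r"pchunter(32|64)?\.exe", re.I)),
]

ACCESS = {"rmm", "tunnel", "exfil", "lateral"}
EVASION = {"defender_disabled", "av_uninstall", "pchunter", "log_cleared"}


def classify(event):
    """Return (technique, evidence) for one event, or None if uninteresting."""
    eid = event["EventID"]
    if eid == 4688:
        exe = event["NewProcessName"].rsplit("\\", 1)[-1].lower()
        for role, names in WATCHLIST.items():
            if exe in names:
                return role, exe
        cmd = event.get("CommandLine", "")
        for name, pat in TAMPER_PATTERNS:
            if pat.search(cmd):
                return name, cmd
    elif eid == 7045 and event.get("ServiceName", "").upper() == "PSEXESVC":
        return "lateral", "PSEXESVC service installed"
    elif (eid, event["Channel"]) in ((1102, "Security"), (104, "System")):
        return "log_cleared", event["Channel"]
    elif eid == 5001 and "Defender" in event["Channel"]:
        return "defender_disabled", "real-time protection disabled (5001)"
    return None


def hunt(events):
    """Group findings per host, preserving event order."""
    findings = defaultdict(list)
    for ev in events:
        hit = classify(ev)
        if hit:
            findings[ev["Computer"]].append(hit)
    return dict(findings)


def prioritise(findings):
    """Hosts showing both an access/exfil tool and an evasion step go to the top of triage."""
    out = []
    for host, hits in findings.items():
        techs = {t for t, _ in hits}
        if techs & ACCESS and techs & EVASION:
            out.append(host)
    return sorted(out)


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 4688, "Channel": "Security", "Computer": "FS01",
     "NewProcessName": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "CommandLine": ""},
    {"EventID": 4688, "Channel": "Security", "Computer": "FS01",
     "NewProcessName": r"C:\Users\Public\cloudflared.exe",
     "CommandLine": "cloudflared.exe tunnel run --token eyJ..."},
    {"EventID": 4688, "Channel": "Security", "Computer": "FS01",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"EventID": 1102, "Channel": "Security", "Computer": "FS01"},
    {"EventID": 7045, "Channel": "System", "Computer": "DC01", "ServiceName": "PSEXESVC"},
    {"EventID": 4688, "Channel": "Security", "Computer": "WS22",
     "NewProcessName": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    for host, hits in results.items():
        print(host, hits)
    print("triage first:", prioritise(results))
```

Two caveats when running this against real data: the `CommandLine` field of 4688 is empty unless the "Include command line in process creation events" policy is enabled alongside process-creation auditing (Sysmon event ID 1 is the usual alternative), and log clearing should be alerted on immediately rather than batched, since it is often the last event a host emits before encryption.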

The Gentlemen Ransomware Group Deploys Go-Based Backdoor

Separately, Kaspersky researchers have analyzed a Go-based backdoor used by The Gentlemen ransomware group.

The malware collects system information, sends it to an external command-and-control server, and waits for operator instructions.

Depending on received commands, the implant can:

  • Execute Windows commands remotely
  • Create SOCKS proxy connections
  • Expand attacker access across compromised networks
  • Support reconnaissance and lateral movement

Researchers believe the backdoor serves as a flexible post-exploitation tool that can support multiple stages of ransomware operations.

BYOVD Technique Targets Endpoint Security

Another growing concern involves the Bring Your Own Vulnerable Driver (BYOVD) technique.

Researchers reported that The Gentlemen have exploited a zero-day vulnerability in ktapi.sys, a driver associated with Kontron’s API software.

By loading the vulnerable driver, attackers can obtain kernel-level privileges and disable security products from vendors including:

  • Microsoft
  • ESET
  • Palo Alto Networks
  • SentinelOne

Security experts warn that BYOVD remains one of the most effective methods for bypassing modern endpoint protection, even on fully patched Windows systems, because the abused driver carries a valid signature and loads like any other. Microsoft's vulnerable driver blocklist (enforced through HVCI or Smart App Control) and vendor-side driver blocking are the main mitigations, and they only help if the driver in question has already been added to the list.

TeamPCP and VECT Join Forces

Sophos researchers have also uncovered a partnership between ransomware groups TeamPCP and VECT.

The collaboration combines large-scale credential theft through supply chain compromises with ransomware deployment, enabling attackers to rapidly target organizations affected by previous software supply chain attacks involving Trivy and LiteLLM.

Although researchers identified a flaw in VECT's encryptor that destroys, rather than encrypts, files larger than 128 KB, TeamPCP claims it primarily relies on its own CipherForce ransomware.

Security analysts believe this partnership represents a significant evolution in ransomware operations by combining credential harvesting, affiliate infrastructure, and automated deployment at scale.

Final Thoughts

The latest campaigns demonstrate how ransomware operators continue to evolve by combining zero-day vulnerabilities, stolen credentials, legitimate administrative tools, and advanced defense-evasion techniques.

Organizations should prioritize patching internet-facing systems such as Citrix NetScaler devices (and invalidating existing sessions after patching, since tokens leaked beforehand remain usable), enforce multi-factor authentication for VPN access, monitor and allowlist remote administration software, and strengthen endpoint detection capabilities to reduce the risk of compromise.

As ransomware groups become increasingly organized and collaborative, proactive security measures remain the most effective defense against these sophisticated attacks.
