Ransomware Groups Leverage Citrix Bleed 2 BYOVD And Supply Chain Credentials For Enterprise Intrusions

Ransomware Groups Leverage Citrix Bleed 2 BYOVD And Supply Chain Credentials For Enterprise Intrusions

Threat actors associated with the Anubis ransomware operation have been observed exploiting the Citrix Bleed 2 vulnerability, tracked as CVE-2025-5777, to gain initial access into targeted environments. Security researchers from Arctic Wolf report that although tactics vary across affiliates, common operational patterns include the use of legitimate remote management and monitoring tools, credential access techniques, and hands on keyboard activity for lateral movement inside compromised networks. The group has been consistently observed using widely deployed administration tools such as ScreenConnect, Zoho Assist, MeshAgent, Remotely, UltraVNC, and Total Software Deployment, allowing attackers to blend malicious activity with normal IT operations while maintaining persistent control over victim systems.

Anubis operates as a ransomware as a service model that emerged in late 2024 following a rebrand of the Sphinx ransomware operation. It was formally introduced on the RAMP underground forum in February 2025 and has since claimed responsibility for at least 91 victims, including 11 reported in June 2026 alone. The group primarily targets sectors including healthcare, business services, manufacturing, technology, and financial services, with more than half of known victims located in the United States, followed by the United Kingdom, Australia, France, and Canada. Previous intelligence indicates that Anubis affiliates receive up to 80 percent of ransom payments, while the group also deploys a destructive data wiping feature that intensifies pressure on victims by rendering files unreadable even after ransom attempts.

Recent intrusions linked to Anubis have combined exploitation of Citrix Bleed 2 with the use of valid VPN credentials, though the origin of these credentials remains unclear. Researchers suggest they may have been obtained through prior breaches, initial access brokers, credential stuffing, or information stealer malware. Arctic Wolf also observed malicious VPN logins via Cisco AnyConnect originating from hosting providers such as AS20473 The Constant Company and AS55286 ServerMania. Once inside, attackers used RDP and SMB for lateral movement, followed by PsExec service creation and deployment of RMM tools to maintain stealthy access. In some cases, Cloudflare Tunnel infrastructure using cloudflared was configured to establish encrypted communication channels between victim environments and attacker systems. The attackers then escalated activity by harvesting credentials, deploying tools such as S3 Browser, rclone, s5cmd, WinSCP, and PuTTY for data transfer, and disabling security controls including Windows Defender real time protection and Sophos components, while also clearing logs to hinder forensic investigation.

Another ransomware ecosystem identified in parallel activity is The Gentlemen group, which has been observed using a Go based backdoor and exploiting both known vulnerabilities and stolen credentials to infiltrate enterprise networks. Kaspersky reports that this group employs a bring your own vulnerable driver technique to bypass security controls and achieve kernel level access. The backdoor communicates with external infrastructure at 81.177.215.15:9443 using a bidirectional TCP connection, executing commands via cmd.exe or establishing SOCKS proxy channels depending on operator instructions. Expel researchers also highlighted that The Gentlemen group has weaponized a zero day vulnerability in the ktapi.sys driver associated with Kontron API components, enabling them to disable endpoint security products from vendors including Microsoft, ESET, Palo Alto Networks, and SentinelOne. Analysts note that BYOVD techniques continue to present a significant risk to enterprise environments as they allow attackers to bypass even fully updated operating systems and disable advanced security protections.

Further analysis from Sophos Counter Threat Unit highlights collaboration between VECT and TeamPCP ransomware operations, which have combined supply chain credential theft with ransomware deployment across multiple compromised environments. The partnership enables VECT to deploy ransomware across victims affected by Trivy and LiteLLM supply chain attacks, while TeamPCP has previously operated under the CipherForce brand before rebranding its leak infrastructure. Researchers also found technical weaknesses in VECT encryptor logic that may permanently destroy files larger than 128 KB instead of encrypting them, though operators deny using the affected tool. In addition, the FBI has warned that supply chain driven campaigns linked to TeamPCP involve data exfiltration, extortion, and collaboration with other threat groups, with stolen credentials remaining a long term risk as they are often reused in later stages of attacks across enterprise environments.

Source

Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.

Post Comment