Threat actors linked to the Anubis ransomware operation are exploiting CVE-2025-5777 (Citrix Bleed 2) and stolen VPN credentials to gain access, then using legitimate RMM tools and living-off-the-land tactics to move laterally, steal data, and deploy ransomware. The report also details The Gentlemen’s use of a Go backdoor and BYOVD techniques, plus the VECT and TeamPCP partnership that combines supply-chain credential theft with ransomware attacks. #Anubis #CitrixBleed2 #CVE20255777 #TheGentlemen #VECT #TeamPCP #RAMP #ScreenConnect #ZohoAssist #MeshAgent #Remotely #UltraVNC #TotalSoftwareDeployment #CiscoAnyConnect #cloudflared
Key points
- Anubis affiliates are exploiting Citrix Bleed 2 to obtain initial access.
- They abuse legitimate RMM tools to maintain stealthy control of victim systems.
- Stolen VPN credentials, RDP, SMB, and PsExec are used for lateral movement and credential access.
- The Gentlemen is using a Go backdoor and BYOVD (bring your own vulnerable driver) to bypass defenses and execute commands.
- VECT and TeamPCP are combining supply-chain credential theft with ransomware deployment.
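The key points above describe the abuse of legitimate RMM agents, tunnelling tools and PsExec for control and lateral movement. The following is an added example of a defender-side check, not code from the report or from any of the tools it names: it scans constructed process-creation events for the tools listed in the summary and flags them when they run on a host with no sanctioned agent or from a user-writable path. The keyword list, the "sanctioned host" inventory and the log format are assumptions made for illustration, not indicators published with the report.

```python
"""Flag unexpected remote-management and tunnelling tools in process-creation events."""
import re
from dataclasses import dataclass

# Substrings for the tools named in the summary. Matching on these keywords is an
# assumption for illustration; it is not an indicator list from the report.
TOOL_KEYWORDS = {
    "screenconnect": "ScreenConnect",
    "zoho": "Zoho Assist",
    "meshagent": "MeshAgent",
    "remotely": "Remotely",
    "ultravnc": "UltraVNC",
    "winvnc": "UltraVNC",
    "cloudflared": "cloudflared",
    "psexec": "PsExec",
    "psexesvc": "PsExec",
}

# Hosts where an RMM agent is sanctioned (assumed inventory for the example).
SANCTIONED_RMM_HOSTS = {"HELPDESK01"}

# Directory fragments that indicate a user-writable drop location (assumed list).
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\users\\public\\")

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Finding:
    timestamp: str
    host: str
    user: str
    tool: str
    image: str
    reason: str


def parse_event(line):
    """Parse one 'timestamp key=value ...' line into a dict (constructed format)."""
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    fields["timestamp"] = line.split()[0]
    return fields


def classify(event):
    """Return a Finding when the event involves a watched tool in an unexpected context."""
    haystack = (event.get("image", "") + " " + event.get("cmdline", "")).lower()
    for keyword, tool in TOOL_KEYWORDS.items():
        if keyword not in haystack:
            continue
        host = event.get("host", "")
        image = event.get("image", "")
        # A sanctioned RMM host may legitimately run its agent; PsExec is never expected.
        if tool != "PsExec" and host in SANCTIONED_RMM_HOSTS:
            return None
        if any(frag in image.lower() for frag in USER_WRITABLE):
            reason = f"{tool} launched from a user-writable path"
        elif tool == "PsExec":
            reason = "PsExec execution (lateral movement tooling)"
        else:
            reason = f"{tool} on a host with no sanctioned RMM agent"
        return Finding(event["timestamp"], host, event.get("user", ""), tool, image, reason)
    return None


def scan(lines):
    """Run classify() over every event line and keep the findings."""
    return [f for f in (classify(parse_event(line)) for line in lines) if f]


# Constructed sample events; hostnames, users and paths are made up for the example.
SAMPLE_EVENTS = [
    r'2026-07-01T09:00:03Z host=HELPDESK01 user=svc_rmm image="C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe" parent=services.exe cmdline="ScreenConnect.ClientService.exe"',
    r'2026-07-01T09:14:27Z host=WS07 user=jdoe image="C:\Users\jdoe\AppData\Local\Temp\MeshAgent.exe" parent=powershell.exe cmdline="MeshAgent.exe -connect"',
    r'2026-07-01T09:15:02Z host=WS07 user=jdoe image="C:\Windows\System32\notepad.exe" parent=explorer.exe cmdline="notepad.exe"',
    r'2026-07-01T09:31:40Z host=FS01 user=jdoe image="C:\Windows\PSEXESVC.exe" parent=services.exe cmdline="PSEXESVC.exe"',
    r'2026-07-01T09:45:11Z host=DC01 user=jdoe image="C:\Users\Public\cloudflared.exe" parent=cmd.exe cmdline="cloudflared.exe tunnel run"',
    r'2026-07-01T10:02:55Z host=WS12 user=asmith image="C:\Program Files\uvnc bvba\UltraVNC\winvnc.exe" parent=services.exe cmdline="winvnc.exe -service"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"{finding.timestamp} {finding.host} {finding.user}: {finding.reason} ({finding.image})")
```

The sanctioned ScreenConnect agent on HELPDESK01 and the notepad launch produce nothing; the MeshAgent drop in a Temp folder, the PsExec service binary, the cloudflared tunnel under Users\Public and the UltraVNC service on an unsanctioned workstation are each returned with a reason a triage queue can act on. In production the keyword and host lists would come from the organisation's software inventory rather than from constants.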
Read More: https://thehackernews.com/2026/07/ransomware-groups-turn-to-citrix-bleed.html