Ransomware Groups Turn to Citrix Bleed 2, BYOVD, and Supply Chain Credentials

Threat actors linked to the Anubis ransomware operation are exploiting CVE-2025-5777 (Citrix Bleed 2, an out-of-bounds memory read in NetScaler ADC and NetScaler Gateway that can leak session tokens) and stolen VPN credentials to gain initial access, then using legitimate RMM tools and living-off-the-land tactics to move laterally, steal data, and deploy ransomware. The underlying report (linked below) also details The Gentlemen's use of a Go backdoor and BYOVD (bring-your-own-vulnerable-driver) techniques, plus the VECT and TeamPCP partnership that combines supply-chain credential theft with ransomware attacks.

#Anubis #CitrixBleed2 #CVE20255777 #TheGentlemen #VECT #TeamPCP #RAMP #ScreenConnect #ZohoAssist #MeshAgent #Remotely #UltraVNC #TotalSoftwareDeployment #CiscoAnyConnect #cloudflared

Keypoints

  • Anubis affiliates are exploiting Citrix Bleed 2 to obtain initial access.
  • They abuse legitimate RMM tools to maintain stealthy control of victim systems.
  • Stolen VPN credentials, RDP, SMB, and PsExec are used for lateral movement and credential access.
  • The Gentlemen is using a Go backdoor and BYOVD to bypass defenses and execute commands.
  • VECT and TeamPCP are combining supply-chain credential theft with ransomware deployment.
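A practical check that follows from the RMM, PsExec, and cloudflared points above is to hunt process-creation telemetry for remote-access agents the organization never approved, hosts running more than one such agent, cloudflared launched as an outbound tunnel, and PsExec activity. The script below is an added example written for this page, not code from the report or from any of the tools it names; the log records are constructed inline, the `APPROVED_RMM` allowlist is a stand-in for whatever your environment sanctions, and the executable names are well-known defaults that should be verified against your own software inventory.

```python
"""Hunt for unapproved RMM agents, tunnel clients and PsExec in process-creation logs.

Illustrative example: log layout, the approved-RMM allowlist and the sample events
are constructed for this demo. Executable names are common defaults for each tool.
"""
import ntpath
import re
from collections import defaultdict

# Default executable names for the RMM tools named in the report (verify locally).
RMM_BINARIES = {
    "screenconnect.clientservice.exe": "ScreenConnect",
    "screenconnect.windowsclient.exe": "ScreenConnect",
    "za_access.exe": "ZohoAssist",
    "zaservice.exe": "ZohoAssist",
    "meshagent.exe": "MeshAgent",
    "remotely_agent.exe": "Remotely",
    "winvnc.exe": "UltraVNC",
}
TUNNEL_BINARIES = {"cloudflared.exe": "cloudflared"}
PSEXEC_BINARIES = {"psexec.exe": "PsExec", "psexec64.exe": "PsExec", "psexesvc.exe": "PsExec"}

# Assumption: the organization only sanctions ScreenConnect for remote support.
APPROVED_RMM = {"ScreenConnect"}

# Constructed process-creation events (Sysmon EID 1 / EDR style, simplified).
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Program Files (x86)\ScreenConnect Client (a1b2)\ScreenConnect.ClientService.exe",
     "cmdline": "ScreenConnect.ClientService.exe"},
    {"host": "WS01", "image": r"C:\Users\Public\MeshAgent.exe",
     "cmdline": "MeshAgent.exe -fullinstall"},
    {"host": "SRV02", "image": r"C:\Windows\PSEXESVC.exe",
     "cmdline": "C:\\Windows\\PSEXESVC.exe"},
    {"host": "SRV02", "image": r"C:\ProgramData\cloudflared.exe",
     "cmdline": "cloudflared.exe tunnel --url tcp://localhost:3389"},
    {"host": "WS03", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]


def classify_event(event):
    """Return (category, tool) for one event, or None if the image is not of interest."""
    # ntpath.basename handles Windows separators even when this runs on Linux.
    name = ntpath.basename(event["image"]).lower()
    if name in RMM_BINARIES:
        return ("rmm", RMM_BINARIES[name])
    if name in TUNNEL_BINARIES:
        return ("tunnel", TUNNEL_BINARIES[name])
    if name in PSEXEC_BINARIES:
        return ("psexec", PSEXEC_BINARIES[name])
    return None


def hunt(events, approved_rmm):
    """Return findings as (host, finding_type, detail) tuples."""
    findings = []
    rmm_per_host = defaultdict(set)
    for ev in events:
        hit = classify_event(ev)
        if hit is None:
            continue
        category, tool = hit
        if category == "rmm":
            rmm_per_host[ev["host"]].add(tool)
            if tool not in approved_rmm:
                findings.append((ev["host"], "unapproved_rmm", tool))
        elif category == "tunnel":
            # Only flag cloudflared when it is exposing a local service outbound.
            if re.search(r"tunnel\s+run|--url\s", ev["cmdline"], re.IGNORECASE):
                findings.append((ev["host"], "outbound_tunnel", tool))
        elif category == "psexec":
            findings.append((ev["host"], "psexec", tool))
    # A second remote-access agent on a host that already has an approved one is
    # a common sign of attacker-installed redundancy.
    for host, tools in rmm_per_host.items():
        if len(tools) > 1:
            findings.append((host, "multiple_rmm", ",".join(sorted(tools))))
    return findings


if __name__ == "__main__":
    for host, kind, detail in hunt(SAMPLE_EVENTS, APPROVED_RMM):
        print(f"{host}: {kind} ({detail})")
```

On real telemetry, feed `hunt()` the process-creation events from your SIEM or EDR export with the same three fields; the allowlist and binary table are the parts to tune, and a hit on `multiple_rmm` or `outbound_tunnel` on a server that has no business running either deserves immediate triage.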

Read More: https://thehackernews.com/2026/07/ransomware-groups-turn-to-citrix-bleed.html