Citrix, Kontron, The Gentlemen RaaS Victims and Anubis Ransomware Victims: Ransomware Groups Turn to Citrix Bleed 2, BYOVD, and Supply Chain Credentials

Citrix, Kontron, The Gentlemen RaaS Victims and Anubis Ransomware Victims: Ransomware Groups Turn to Citrix Bleed 2, BYOVD, and Supply Chain Credentials

Anubis Ransomware Exploits Citrix Bleed 2 in Targeted Attacks Across Critical Sectors

Threat actors linked to the Anubis ransomware-as-a-service (RaaS) operation are actively exploiting CVE-2025-5777 (Citrix Bleed 2), a critical vulnerability in Citrix NetScaler ADC and Gateway, to gain initial access to victim networks. According to a report by Arctic Wolf, attackers leverage legitimate Remote Management and Monitoring (RMM) tools including ScreenConnect, Zoho Assist, MeshAgent, Remotely, UltraVNC, and Total Software Deployment to blend in with normal IT activity while maintaining persistent control.

Anubis, a rebrand of the Sphinx ransomware, emerged in late 2024 and was formally announced on the RAMP underground forum in February 2025. Since then, the group has claimed 91 victims on its data leak site, with 11 reported in June 2026 alone. Targeted sectors include healthcare, business services, manufacturing, technology, and financial services, with over 50% of victims based in the U.S., followed by the U.K., Australia, France, and Canada.

The group employs aggressive tactics, including an irreversible data-wiping feature that reduces files to 0 KB regardless of ransom payment, increasing pressure on victims. Affiliates receive 80% of ransom payments, a lucrative incentive that has fueled the operation’s growth. Beyond Citrix Bleed 2, Anubis actors have also used stolen VPN credentials potentially sourced from initial access brokers, credential stuffing, or info-stealer malware to breach networks via Cisco AnyConnect VPNs, particularly through hosting providers like AS20473 (The Constant Company) and AS55286 (ServerMania).

Once inside, attackers move laterally using RDP and PsExec, deploy RMM tools for persistence, and exfiltrate data via Cloudflare Tunnels, S3 Browser, rclone, s5cmd, WinSCP, and PuTTY. They also disable security defenses, including Windows Defender and Sophos, and manipulate logs to hinder forensic analysis. In some cases, the ransomware encryptor is deleted post-execution, further complicating detection.

The Gentlemen RaaS and Zero-Day Exploits

Separately, Kaspersky detailed The Gentlemen RaaS, which exploits known vulnerabilities and weak credentials to deploy a Go-based backdoor for remote command execution. The malware collects system data, exfiltrates it to 81.177.215[.]15:9443, and can establish a SOCKS proxy for network pivoting. The group has also weaponized a zero-day vulnerability in ktapi.sys, a Kontron driver, to bypass Windows security protections and terminate processes from Microsoft, ESET, Palo Alto Networks, and SentinelOne.

VECT and TeamPCP’s Supply Chain-Ransomware Hybrid

A Sophos investigation revealed a partnership between VECT and TeamPCP, announced in March 2026, combining supply chain credential theft with ransomware deployment. TeamPCP, previously operating as CipherForce, rebranded after listing six victims in February 2026. However, VECT’s encryptor contains critical flaws, destroying files larger than 128 KB instead of encrypting them a defect TeamPCP claims it never used in attacks.

The alliance represents a shift toward industrialized ransomware deployment, lowering the barrier for cybercriminals by merging large-scale supply chain attacks with mature RaaS operations. Despite technical shortcomings, the model poses a growing threat to enterprises.

Source: https://thehackernews.com/2026/07/ransomware-groups-turn-to-citrix-bleed.html

Citrix cybersecurity rating report: https://www.rankiteo.com/company/citrix

GuidePoint Security cybersecurity rating report: https://www.rankiteo.com/company/guidepointsec

Kontron Europe cybersecurity rating report: https://www.rankiteo.com/company/kontron

Arctic Wolf cybersecurity rating report: https://www.rankiteo.com/company/arcticwolf

"id": "CITGUIKONARC1783031139",
"linkid": "citrix, guidepointsec, kontron, arcticwolf",
"type": "Vulnerability",
"date": "6/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': ['Healthcare',
                                     'Business Services',
                                     'Manufacturing',
                                     'Technology',
                                     'Financial Services'],
                        'location': ['U.S.',
                                     'U.K.',
                                     'Australia',
                                     'France',
                                     'Canada'],
                        'type': ['Healthcare',
                                 'Business Services',
                                 'Manufacturing',
                                 'Technology',
                                 'Financial Services']}],
 'attack_vector': ['Exploitation of CVE-2025-5777 (Citrix Bleed 2)',
                   'Stolen VPN credentials',
                   'Initial access brokers',
                   'Credential stuffing',
                   'Info-stealer malware'],
 'data_breach': {'data_encryption': True,
                 'data_exfiltration': True,
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Personally identifiable '
                                              'information',
                                              'Payment information',
                                              'Sensitive corporate data']},
 'description': 'Threat actors linked to the Anubis ransomware-as-a-service '
                '(RaaS) operation are actively exploiting CVE-2025-5777 '
                '(Citrix Bleed 2), a critical vulnerability in Citrix '
                'NetScaler ADC and Gateway, to gain initial access to victim '
                'networks. Attackers leverage legitimate Remote Management and '
                'Monitoring (RMM) tools to blend in with normal IT activity '
                'while maintaining persistent control. The group employs '
                'aggressive tactics, including an irreversible data-wiping '
                'feature that reduces files to 0 KB regardless of ransom '
                'payment. Affected sectors include healthcare, business '
                'services, manufacturing, technology, and financial services, '
                'with over 50% of victims based in the U.S.',
 'impact': {'brand_reputation_impact': True,
            'data_compromised': True,
            'identity_theft_risk': True,
            'operational_impact': 'Disruption of services, lateral movement '
                                  'within networks, disabling of security '
                                  'defenses',
            'payment_information_risk': True,
            'systems_affected': ['Citrix NetScaler ADC and Gateway',
                                 'VPN systems (Cisco AnyConnect)',
                                 'Windows systems']},
 'initial_access_broker': {'backdoors_established': True,
                           'entry_point': ['Citrix Bleed 2 (CVE-2025-5777)',
                                           'Stolen VPN credentials']},
 'motivation': ['Financial gain', 'Data exfiltration', 'Extortion'],
 'post_incident_analysis': {'root_causes': ['Exploitation of unpatched '
                                            'vulnerabilities (Citrix Bleed 2, '
                                            'ktapi.sys zero-day)',
                                            'Use of stolen credentials',
                                            'Lack of multi-factor '
                                            'authentication (MFA) on VPNs']},
 'ransomware': {'data_encryption': True,
                'data_exfiltration': True,
                'ransomware_strain': ['Anubis', 'The Gentlemen RaaS', 'VECT']},
 'references': [{'source': 'Arctic Wolf'},
                {'source': 'Kaspersky'},
                {'source': 'Sophos'},
                {'source': 'RAMP underground forum'}],
 'response': {'third_party_assistance': ['Arctic Wolf', 'Kaspersky', 'Sophos']},
 'threat_actor': ['Anubis Ransomware Group',
                  'The Gentlemen RaaS',
                  'VECT',
                  'TeamPCP'],
 'title': 'Anubis Ransomware Exploits Citrix Bleed 2 in Targeted Attacks '
          'Across Critical Sectors',
 'type': 'Ransomware',
 'vulnerability_exploited': ['CVE-2025-5777 (Citrix Bleed 2)',
                             'Zero-day vulnerability in ktapi.sys (Kontron '
                             'driver)']}
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.