Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. Ransomware Groups Turn to Citrix Bleed 2, BYOVD, and Supply Chain Credentials
Ransomware Groups Turn to Citrix Bleed 2, BYOVD, and Supply Chain Credentials
NEWS

Ransomware Groups Turn to Citrix Bleed 2, BYOVD, and Supply Chain Credentials

Anubis ransomware affiliates are exploiting CVE-2025-5777 (Citrix Bleed 2) for initial access while pairing BYOVD techniques and stolen supply chain...

Dylan H.

News Desk

July 2, 2026
4 min read

Overview

Threat actors operating under the Anubis ransomware operation have been observed pivoting to a multi-vector attack strategy that combines exploitation of the Citrix Bleed 2 vulnerability (CVE-2025-5777) with Bring Your Own Vulnerable Driver (BYOVD) techniques and credential theft via compromised supply chain software. Security researchers have documented the campaign targeting enterprise environments across multiple sectors.

Citrix Bleed 2 (CVE-2025-5777)

The campaign's initial access vector centers on CVE-2025-5777, dubbed "Citrix Bleed 2" — a critical vulnerability in Citrix NetScaler ADC and Gateway products that mirrors the devastating Citrix Bleed bug (CVE-2023-4966) from 2023. Like its predecessor, this vulnerability allows attackers to leak session tokens from vulnerable appliances, effectively bypassing authentication entirely and hijacking authenticated sessions without needing valid credentials.

Organizations that have not patched their NetScaler deployments remain exposed to unauthenticated session token extraction, giving ransomware affiliates a reliable, low-complexity entry point into enterprise environments.

Attack Chain and Tradecraft

Researchers noted that while tactics differ between Anubis affiliates, several common patterns emerged:

Initial Access

  • Exploitation of CVE-2025-5777 to obtain valid session tokens from Citrix ADC/Gateway appliances
  • Use of stolen supply chain credentials — credentials harvested from compromised software vendors, managed service providers, or third-party tooling

Lateral Movement and Persistence

  • Deployment of legitimate Remote Management and Monitoring (RMM) tools for persistent access and command-and-control, blending malicious activity with normal IT traffic
  • BYOVD (Bring Your Own Vulnerable Driver) attacks to disable endpoint detection and response (EDR) solutions — attackers load a legitimate but known-vulnerable kernel driver to gain kernel-level execution and blind security tools

Credential Harvesting

  • Credential dumping from Active Directory environments post-compromise
  • Extraction and weaponization of supply chain credentials to move laterally across connected organizations

Ransomware Deployment

  • File encryption and exfiltration for double-extortion following dwell time averaging multiple days

Why This Campaign Is Significant

The combination of these three tactics represents a maturation of ransomware affiliate tradecraft:

TacticPurpose
Citrix Bleed 2 exploitationReliable, unauthenticated initial access to large enterprises
Supply chain credentialsBroad blast radius — one supplier compromise = many victims
BYOVDEDR evasion — neutralizes most endpoint security tools
Legitimate RMM toolsDefense evasion — traffic blends with normal IT operations

By chaining these techniques, affiliates significantly increase their odds of successful encryption and reduce the chance of detection before ransom demands are delivered.

Affected Organizations

The Anubis ransomware operation operates as a Ransomware-as-a-Service (RaaS) platform, meaning multiple affiliates customize and deploy the malware independently. Organizations at highest risk include:

  • Those running unpatched Citrix NetScaler ADC or Gateway appliances
  • Companies relying on managed service providers or third-party software vendors with broad network access
  • Environments with immature EDR coverage or gaps in driver allowlisting policies

Recommendations

  1. Patch Citrix NetScaler immediately — Apply the vendor-issued patch for CVE-2025-5777; also audit for CVE-2023-4966 if not already remediated
  2. Audit RMM tool usage — Establish an approved list of RMM tools; alert on any unauthorized RMM software execution
  3. Implement driver allowlisting — Use Windows Defender Application Control (WDAC) or equivalent to block known-vulnerable drivers (reference the Microsoft BYOVD blocklist)
  4. Review supply chain access — Audit third-party vendor credentials and enforce MFA; limit vendor access to only required systems
  5. Hunt for indicators — Search for signs of Citrix session token exfiltration in ADC/Gateway logs; look for unusual kernel driver loads in EDR telemetry
  6. Segment and monitor — Ensure network segmentation prevents lateral movement; deploy deception technologies to detect post-exploitation activity

References

  • The Hacker News — Ransomware Groups Turn to Citrix Bleed 2, BYOVD, and Supply Chain Credentials
  • Published: 2026-07-02
#Ransomware#Vulnerability#CVE#Supply Chain#Cybercrime#Citrix

Related Articles

Surge in Bomgar RMM Exploitation Demonstrates Supply Chain

A critical RCE flaw in BeyondTrust Bomgar remote monitoring and management software is being actively exploited to spread ransomware and compromise...

4 min read

AI Agent Exploits Langflow RCE to Automate Database Ransomware Attack

Sysdig researchers documented the first fully autonomous AI-driven ransomware campaign, where threat actor JADEPUFFER used an AI agent to chain Langflow...

3 min read

BlueHammer Vulnerability Exploited in Ransomware Attacks Before Microsoft Patch

The Microsoft Defender vulnerability CVE-2026-33825 was actively exploited as a zero-day by ransomware groups before Microsoft had the chance to release a...

3 min read
Back to all News