Overview
Threat actors operating under the Anubis ransomware operation have been observed pivoting to a multi-vector attack strategy that combines exploitation of the Citrix Bleed 2 vulnerability (CVE-2025-5777) with Bring Your Own Vulnerable Driver (BYOVD) techniques and credential theft via compromised supply chain software. Security researchers have documented the campaign targeting enterprise environments across multiple sectors.
Citrix Bleed 2 (CVE-2025-5777)
The campaign's initial access vector centers on CVE-2025-5777, dubbed "Citrix Bleed 2" — a critical vulnerability in Citrix NetScaler ADC and Gateway products that mirrors the devastating Citrix Bleed bug (CVE-2023-4966) from 2023. Like its predecessor, this vulnerability allows attackers to leak session tokens from vulnerable appliances, effectively bypassing authentication entirely and hijacking authenticated sessions without needing valid credentials.
Organizations that have not patched their NetScaler deployments remain exposed to unauthenticated session token extraction, giving ransomware affiliates a reliable, low-complexity entry point into enterprise environments.
Attack Chain and Tradecraft
Researchers noted that while tactics differ between Anubis affiliates, several common patterns emerged:
Initial Access
- Exploitation of CVE-2025-5777 to obtain valid session tokens from Citrix ADC/Gateway appliances
- Use of stolen supply chain credentials — credentials harvested from compromised software vendors, managed service providers, or third-party tooling
Lateral Movement and Persistence
- Deployment of legitimate Remote Management and Monitoring (RMM) tools for persistent access and command-and-control, blending malicious activity with normal IT traffic
- BYOVD (Bring Your Own Vulnerable Driver) attacks to disable endpoint detection and response (EDR) solutions — attackers load a legitimate but known-vulnerable kernel driver to gain kernel-level execution and blind security tools
Credential Harvesting
- Credential dumping from Active Directory environments post-compromise
- Extraction and weaponization of supply chain credentials to move laterally across connected organizations
Ransomware Deployment
- File encryption and exfiltration for double-extortion following dwell time averaging multiple days
Why This Campaign Is Significant
The combination of these three tactics represents a maturation of ransomware affiliate tradecraft:
| Tactic | Purpose |
|---|---|
| Citrix Bleed 2 exploitation | Reliable, unauthenticated initial access to large enterprises |
| Supply chain credentials | Broad blast radius — one supplier compromise = many victims |
| BYOVD | EDR evasion — neutralizes most endpoint security tools |
| Legitimate RMM tools | Defense evasion — traffic blends with normal IT operations |
By chaining these techniques, affiliates significantly increase their odds of successful encryption and reduce the chance of detection before ransom demands are delivered.
Affected Organizations
The Anubis ransomware operation operates as a Ransomware-as-a-Service (RaaS) platform, meaning multiple affiliates customize and deploy the malware independently. Organizations at highest risk include:
- Those running unpatched Citrix NetScaler ADC or Gateway appliances
- Companies relying on managed service providers or third-party software vendors with broad network access
- Environments with immature EDR coverage or gaps in driver allowlisting policies
Recommendations
- Patch Citrix NetScaler immediately — Apply the vendor-issued patch for CVE-2025-5777; also audit for CVE-2023-4966 if not already remediated
- Audit RMM tool usage — Establish an approved list of RMM tools; alert on any unauthorized RMM software execution
- Implement driver allowlisting — Use Windows Defender Application Control (WDAC) or equivalent to block known-vulnerable drivers (reference the Microsoft BYOVD blocklist)
- Review supply chain access — Audit third-party vendor credentials and enforce MFA; limit vendor access to only required systems
- Hunt for indicators — Search for signs of Citrix session token exfiltration in ADC/Gateway logs; look for unusual kernel driver loads in EDR telemetry
- Segment and monitor — Ensure network segmentation prevents lateral movement; deploy deception technologies to detect post-exploitation activity