Threat actors associated with the Anubis ransomware operation have been observed exploiting the Citrix Bleed 2 (CVE-2025-5777) vulnerability to obtain initial access.

"Although tactics differ between affiliates, common patterns emerged in tradecraft through use of legitimate Remote Management and Monitoring (RMM) tooling, credential access, and hands-on-keyboard procedures used for lateral movement," Arctic Wolf said in a report published this week.

"Anubis affiliates repeatedly abused legitimate remote access and administration tools, including ScreenConnect, Zoho Assist, MeshAgent, Remotely, UltraVNC, and Total Software Deployment, to blend in with normal IT activity while maintaining control of victim systems."

Anubis is a ransomware-as-a-service (RaaS) group that first emerged in late 2024 as a rebrand of Sphinx ransomware. The ransomware operation was formally announced on the Ransomware and Advanced Malware Protection (RAMP) underground forum in February 2025. According to data from Ransomware.Live, the cybercrime crew has claimed 91 victims on its data leak site, with 11 victims reported in June 2026 alone.

Some of the prominent sectors targeted include healthcare, business services, manufacturing, technology, and financial services. More than 50% of the victims are located in the U.S., followed by the U.K., Australia, France, and Canada.

In a report published in July 2025, Rubrik Zero Labs said Anubis advertises attractive profit splits, offering affiliates 80% of the ransom amounts paid, and pairs it with an irreversible data-wiping feature that ups the pressure on victims to pay up.

"When Anubis's /WIPEMODE module is activated, files remain in directories but are reduced to a 0 KB size regardless of ransom payment," Rubrik noted at the time. "Knowing threat actors can revert victims' environments to this scorched-earth state with a single command significantly increases pressure on victims to pay before the wiper is fully activated."

The intrusions observed this year involve both the use of valid VPN credentials and the exploitation of CVE-2025-5777 (CVSS score: 9.3), a critical insufficient-input-validation flaw in Citrix NetScaler ADC and Gateway that causes a memory overread when the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. An unauthenticated attacker can use the leaked memory to recover valid session tokens and hijack authenticated sessions, bypassing authentication, MFA included. Because tokens leaked before patching remain valid, Citrix's guidance is to terminate all active ICA and PCoIP sessions (kill icaconnection -all; kill pcoipConnection -all) after upgrading to a fixed build, not merely to patch.

The exact source of the VPN credentials used in these intrusions is unknown. They may have been obtained during a prior compromise, purchased from initial access brokers (IABs), or harvested through credential stuffing or information-stealer infections.

"In addition to CitrixBleed 2 exploitation, valid Cisco AnyConnect VPN logins were observed from several hosting ASNs, including AS20473 — The Constant Company and AS55286 — ServerMania," Arctic Wolf explained. "Malicious VPN authentication was then followed by login activity involving RDP and SMB, leading to credential access, PsExec service creation, RMM deployment, and ultimately invoking cloud-transfer tooling for exfiltration."

Lateral movement relies on RDP and PsExec, after which various legitimate RMM tools are deployed for persistent access, giving the attackers file transfer and remote code execution while blending in with routine IT activity. In some intrusions the attackers also install the cloudflared client to open a Cloudflare Tunnel, an outbound-initiated connection that gives them a path back into the victim environment without exposing an inbound port.

The next phase of the attacks involves gathering credentials to facilitate deeper access to the compromised environment, after which tools like S3 Browser, rclone, s5cmd, WinSCP, and PuTTY are installed for data transfer or exfiltration prior to ransomware deployment. In parallel, steps are taken to impair system defenses and complicate post-incident analysis.

"These techniques included Windows Defender real-time protection disablement, SophosUninstall activity, PCHunter-related artifacts, and log clearing or manipulation across multiple systems," the cybersecurity company explained. "In at least one intrusion, an Anubis encryptor was deleted after execution, reducing the availability of on-disk payload artifacts for later analysis."
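The chain Arctic Wolf describes (VPN login from a hosting ASN, then RDP/SMB, a PsExec service, an RMM agent, Defender disabled, a cloud-transfer tool, and finally cleared logs) is more useful as a correlation rule than as seven separate alerts, because most of the individual steps are noisy on their own. The following is an added example of that correlation, written for this page and not taken from Arctic Wolf or from any Anubis tooling. It assumes telemetry already normalized into dicts with the field names used below; the event IDs are the standard Windows and Sysmon ones (Security 4624, System 7045, Defender 5001, Security 1102 and System 104, Sysmon 1), while the tool-name fragments, the field names and the sample events are assumptions constructed for the example and must be tuned to what your EDR actually records.

```python
"""Stage correlation for the Anubis intrusion chain described above.

Added example (not code from Arctic Wolf or the Anubis operation). Field names,
tool-name fragments and the sample telemetry below are assumptions; the event
IDs are the standard Windows/Sysmon ones.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hosting ASNs named in the Arctic Wolf report; extend with your own list.
HOSTING_ASNS = {"AS20473", "AS55286"}

# Assumed name fragments, matched against lower-cased image / command line /
# service fields. Generic words are avoided so benign command lines don't match.
RMM_KEYWORDS = ("screenconnect", "zohoassist", "zaservice", "meshagent",
                "remotely_agent", "winvnc", "ultravnc", "cloudflared")
EXFIL_KEYWORDS = ("rclone", "s5cmd", "winscp", "putty", "s3browser")
IMPAIR_KEYWORDS = ("disablerealtimemonitoring", "sophosuninstall", "pchunter")

# Stages in the order the report describes them.
STAGES = ("vpn_hosting_asn", "lateral_rdp_smb", "psexec_service",
          "rmm_deploy", "defense_impair", "exfil_tool", "log_cleared")


def classify(ev):
    """Map one normalized event to an intrusion stage, or None if benign."""
    eid = ev.get("event_id")
    text = " ".join(str(ev.get(k, "")) for k in
                    ("image", "cmdline", "service_name", "image_path")).lower()
    if ev.get("source") == "vpn" and ev.get("result") == "success" \
            and ev.get("asn") in HOSTING_ASNS:
        return "vpn_hosting_asn"
    if eid == 4624 and ev.get("logon_type") in (3, 10):   # network (SMB) / RDP logon
        return "lateral_rdp_smb"
    if eid == 7045 and "psexesvc" in text:                # PsExec's default service name
        return "psexec_service"
    if eid in (1, 7045) and any(k in text for k in RMM_KEYWORDS):
        return "rmm_deploy"
    if eid == 5001 or (eid == 1 and any(k in text for k in IMPAIR_KEYWORDS)):
        return "defense_impair"                           # Defender RTP off, AV uninstall, PCHunter
    if eid == 1 and any(k in text for k in EXFIL_KEYWORDS):
        return "exfil_tool"
    if eid in (1102, 104):                                # Security / System log cleared
        return "log_cleared"
    return None


def correlate(events, window=timedelta(hours=24), min_stages=3):
    """Group stage hits by account and alert when at least `min_stages`
    distinct stages fall inside `window`. A single type-3 logon or a lone
    PuTTY launch never alerts on its own; the chain does."""
    hits = defaultdict(list)                          # user -> [(ts, stage, host)]
    for ev in events:
        stage = classify(ev)
        if stage:
            hits[ev["user"].lower()].append((ev["ts"], stage, ev["host"]))
    alerts = []
    for user, items in hits.items():
        items.sort(key=lambda it: it[0])
        for start, _, _ in items:                     # sliding window per account
            in_win = [it for it in items if start <= it[0] <= start + window]
            stages = {it[1] for it in in_win}
            if len(stages) >= min_stages:
                alerts.append({"user": user, "first_seen": start,
                               "stages": sorted(stages, key=STAGES.index),
                               "hosts": sorted({it[2] for it in in_win})})
                break                                 # one alert per account is enough for triage
    return sorted(alerts, key=lambda a: a["first_seen"])


# Constructed sample telemetry mirroring the reported chain, plus benign noise.
T0 = datetime(2026, 6, 2, 1, 10)
SAMPLE_EVENTS = [
    {"ts": T0, "source": "vpn", "user": "CORP\\jdoe", "host": "vpn-gw",
     "asn": "AS20473", "result": "success"},
    {"ts": T0 + timedelta(minutes=5), "event_id": 4624, "logon_type": 10,
     "user": "CORP\\jdoe", "host": "FS01"},
    {"ts": T0 + timedelta(minutes=9), "event_id": 4624, "logon_type": 3,
     "user": "CORP\\jdoe", "host": "DC01"},
    {"ts": T0 + timedelta(minutes=12), "event_id": 7045, "user": "CORP\\jdoe",
     "host": "DC01", "service_name": "PSEXESVC",
     "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    {"ts": T0 + timedelta(minutes=20), "event_id": 1, "user": "CORP\\jdoe",
     "host": "FS01", "image": "C:\\Temp\\ScreenConnect.ClientService.exe"},
    {"ts": T0 + timedelta(minutes=40), "event_id": 1, "user": "CORP\\jdoe",
     "host": "FS01", "image": "powershell.exe",
     "cmdline": "powershell -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"ts": T0 + timedelta(hours=2), "event_id": 1, "user": "CORP\\jdoe",
     "host": "FS01", "image": "C:\\Temp\\rclone.exe",
     "cmdline": "rclone copy D:\\Finance s3:staging-bucket/f"},
    {"ts": T0 + timedelta(hours=3), "event_id": 1102, "user": "CORP\\jdoe",
     "host": "FS01"},
    # benign noise: a backup account's SMB logon, an admin using PuTTY,
    # and a VPN login from a residential (non-hosting) ASN
    {"ts": T0 + timedelta(hours=1), "event_id": 4624, "logon_type": 3,
     "user": "CORP\\svc_backup", "host": "FS01"},
    {"ts": T0 + timedelta(hours=4), "event_id": 1, "user": "CORP\\admin",
     "host": "WS05", "image": "C:\\Tools\\putty.exe"},
    {"ts": T0 + timedelta(hours=5), "source": "vpn", "user": "CORP\\asmith",
     "host": "vpn-gw", "asn": "AS7922", "result": "success"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["user"], alert["first_seen"], alert["hosts"], alert["stages"])
```

Correlation is keyed on the account rather than the host because the report's chain starts at the VPN concentrator and only then touches endpoints; if the affiliate switches accounts after credential access, the per-account windows will split, so in practice you would also key on source IP or session ID. The 4624 type-3 stage is deliberately cheap to trigger and expensive to alert on: raise `min_stages` in environments where PsExec and rclone are routine administration tools, and note that the report's own observation, that the encryptor was deleted after execution, is a reason to keep the earlier stages rather than wait for a payload hash.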

The Gentlemen's Go Backdoor and 0-Day Exploit Detailed

The disclosure comes as Kaspersky detailed The Gentlemen, a RaaS group that exploits known vulnerabilities and stolen or weak login credentials to breach targets, then relies on a Go-based backdoor for remote command execution once reconnaissance is complete, moves laterally through Group Policy or PsExec, and evades defenses using the bring your own vulnerable driver (BYOVD) technique.

The implant is designed to collect system information, exfiltrate it to an external server ("81.177.215[.]15:9443") over a bidirectional TCP connection, and await operator responses that are then executed on the host using "cmd.exe" if the response byte is "c." If the byte is "s," a SOCKS proxy connection is established.

"This functionality likely enables The Gentlemen's red team to pivot within the target network and expand their scan coverage," Kaspersky said. "Given the backdoor implant’s capabilities, such as establishing two-way communication, executing commands, setting up a SOCKS proxy, and gathering information, it's clear that it can also be used to expand the attack chain as needed."

According to Expel, the RaaS group has also weaponized a zero-day vulnerability in a little-known third-party driver as part of its BYOVD arsenal to obtain kernel-level access, bypass Windows security protections, and kill protected security processes belonging to Microsoft, ESET, Palo Alto Networks, and SentinelOne. The driver in question is ktapi.sys, part of an API developed by Kontron. Because the flaw was unknown before this abuse, blocklist-based controls such as Microsoft's vulnerable driver blocklist could not have covered ktapi.sys at the time; the more robust defense is to allowlist the drivers an endpoint may load (for example, through a WDAC policy) and to alert on any driver load outside that set.

"It's still unclear how the threat actors came into possession of the file or gained knowledge of its vulnerability," Marcus Hutchins said. "BYOVD continues to be a huge threat to enterprises, enabling attackers to disable state-of-the-art endpoint security systems in seconds. Even using the latest Windows version, with all exploit mitigations enabled, does not provide complete protection."

VECT and TeamPCP's Ransomware Partnership

The findings also follow an investigation from Sophos Counter Threat Unit into the partnership between VECT and TeamPCP that was announced in March 2026 to combine supply chain attack-driven credential theft with ransomware deployment.

"The formal partnership between TeamPCP and VECT allows VECT to deploy ransomware across all organizations compromised in the Trivy and LiteLLM supply chain attacks," Sophos said in a report shared with The Hacker News. "Prior to the VECT partnership, TeamPCP was running another ransomware operation under the CipherForce brand. CipherForce listed six victims on its leak site in February 2026 and rebranded as a TeamPCP leak site in May."

Recent analyses from Check Point and JUMPSEC have found VECT to contain implementation flaws that cause any file larger than 128 KB to be permanently destroyed rather than encrypted, prompting TeamPCP to issue a statement that it had never used VECT's encryptor in attacks. "We own CipherForce, our own private locker," the group claimed.

"The Vect/TeamPCP alliance represents a meaningful shift in the ransomware threat landscape, even accounting for the technical shortcomings that undermine its operational effectiveness," Sophos said.

"The convergence of large-scale supply chain credential theft, a maturing RaaS operation, and mass underground forum mobilization constitutes an unprecedented model of industrialized ransomware deployment that significantly lowers the barrier to entry for cybercrime."
