Key Takeaways

  • Arctic Wolf reports that Anubis affiliates are actively exploiting Citrix Bleed 2, also tracked as CVE-2025-5777
  • Sophos links the VECT and TeamPCP alliance to broader supply-chain credential theft and ransomware expansion
  • Kaspersky and Expel highlight The Gentlemen group's use of a Go backdoor and a BYOVD zero day to escalate attacks

Threat groups often evolve in parallel, with recent investigations from Arctic Wolf, Kaspersky, Sophos, and Expel pointing to a rise in blended exploitation techniques. These campaigns rely on legitimate access pathways, authentication bypass vulnerabilities, and supply-chain sourced credentials to establish and maintain network access.

Arctic Wolf's newest reporting centers on Anubis, a ransomware-as-a-service group that first emerged in late 2024 as a rebrand of Sphinx ransomware. Findings show that Anubis affiliates are actively exploiting Citrix Bleed 2 (CVE-2025-5777), a critical flaw in Citrix NetScaler ADC and Gateway appliances. The vulnerability has a CVSS score of 9.3 and enables session hijacking when the appliance is deployed as a Gateway or AAA virtual server. Because the flaw exists in authentication flows, it complicates detection and allows attackers to bypass normal login requirements.

The progression of these intrusions follows a predictable structure, even if individual affiliates vary their specific tactics. Initial access often involves valid VPN credentials, including Cisco AnyConnect logins. According to Arctic Wolf, some of these logins originated from hosting providers such as AS20473, known as The Constant Company, and AS55286, branded as ServerMania. In other cases, initial entry was obtained by exploiting Citrix Bleed 2 directly. Both paths demonstrate how credential exposure and unpatched infrastructure directly facilitate initial access.

The IEEE has discussed in several papers the increased overlap between traditional remote access tools and adversary tradecraft as attackers seek to remain hidden during lateral movement. This aligns with Anubis's observed use of ScreenConnect, Zoho Assist, MeshAgent, Remotely, UltraVNC, and Total Software Deployment. These utilities blend into legitimate IT operations and allow remote command execution while minimizing endpoint visibility across multiple affiliate campaigns.

After establishing a foothold, attackers typically pivot using RDP and PsExec. These techniques set the stage for installing additional remote management utilities, establishing Cloudflare Tunnel connections, and preparing the environment for staged exfiltration. Tools such as S3 Browser, rclone, s5cmd, WinSCP, and PuTTY frequently appear in the final phases before deployment of the encryptor. Alongside this activity, Anubis operators impair system defenses by disabling Windows Defender real-time protection and initiating SophosUninstall functionality. In some observed incidents, the encryptor binary was removed after execution to hinder forensic recovery.
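The intrusion chain above (VPN login from one of the named hosting ASNs, RMM tool drop, Defender tampering, staging tool, encryptor) lends itself to a simple stage-correlation rule. The following Python is an added defender-side example, not code from Arctic Wolf or any vendor; the log format, the 24-hour window, the `Set-MpPreference` command line as the form Defender tampering takes in telemetry, and the sample events are all constructed assumptions, while the ASNs and tool names come from the reporting above.

```python
"""Correlate stages of the Anubis-style intrusion chain over constructed host events."""
from collections import defaultdict
from datetime import datetime

# Hosting ASNs named as sources of Cisco AnyConnect logins in the reporting.
SUSPECT_ASNS = {"AS20473", "AS55286"}
# Remote management utilities observed across affiliate campaigns (lowercased substrings).
RMM_TOOLS = {"screenconnect", "zohoassist", "meshagent", "ultravnc"}
# Staging / exfiltration utilities seen before encryptor deployment.
EXFIL_TOOLS = {"s3browser", "rclone", "s5cmd", "winscp", "putty"}
# Defence-impairment indicators (assumed command-line forms).
DEFENSE_TAMPER = {"set-mppreference -disablerealtimemonitoring", "sophosuninstall"}

# Constructed sample events, not real telemetry: (timestamp, host, kind, detail)
EVENTS = [
    ("2025-07-01T08:02:00", "ws-17", "vpn_login", "user=jdoe asn=AS20473 product=AnyConnect"),
    ("2025-07-01T08:40:00", "ws-17", "process", "C:\\Temp\\MeshAgent.exe"),
    ("2025-07-01T09:10:00", "ws-17", "process", "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("2025-07-01T09:30:00", "ws-17", "process", "C:\\Tools\\rclone.exe copy D:\\share remote:bucket"),
    ("2025-07-01T10:00:00", "ws-42", "vpn_login", "user=asmith asn=AS3356 product=AnyConnect"),
    ("2025-07-01T10:05:00", "ws-42", "process", "C:\\Program Files\\Notepad++\\notepad++.exe"),
]

def classify(kind, detail):
    """Map one event to a chain stage, or None if it matches nothing."""
    d = detail.lower()
    if kind == "vpn_login":
        asn = next((t.split("=", 1)[1] for t in d.split() if t.startswith("asn=")), "")
        return "suspect_vpn" if asn.upper() in SUSPECT_ASNS else None
    if any(t in d for t in RMM_TOOLS):
        return "rmm"
    if any(t in d for t in EXFIL_TOOLS):
        return "exfil"
    if any(t in d for t in DEFENSE_TAMPER):
        return "tamper"
    return None

def correlate(events, window_hours=24, min_stages=3):
    """Return {host: ordered stage list} for hosts showing >= min_stages distinct stages inside the window."""
    stages = defaultdict(list)
    for ts, host, kind, detail in sorted(events):
        stage = classify(kind, detail)
        if stage:
            stages[host].append((datetime.fromisoformat(ts), stage))
    findings = {}
    for host, seq in stages.items():
        span_hours = (seq[-1][0] - seq[0][0]).total_seconds() / 3600
        if len({s for _, s in seq}) >= min_stages and span_hours <= window_hours:
            findings[host] = [s for _, s in seq]
    return findings
```

A single matching stage (an admin legitimately running rclone) produces no finding; the rule fires only when several stages of the chain stack on one host within the window.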

The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-5777 to its Known Exploited Vulnerabilities catalog, directing federal agencies and private organizations to prioritize patching. The attack surface is extensive; Censys recently reported nearly 70,000 exposed NetScaler Gateway and ADC instances online. Analyst findings from IDC indicate that enterprises continue to struggle with patch prioritization when flaws impact widely deployed remote access infrastructure, expanding the window of opportunity for groups like Anubis.

Kaspersky has been tracking a separate threat actor known as The Gentlemen group, whose operators deploy a Go-based backdoor that maintains a bidirectional TCP connection to an external server. Instead of relying exclusively on legitimate RMM tooling, this implant can perform command execution, establish a SOCKS proxy, and handle reconnaissance and data exfiltration. The group subsequently leverages a bring your own vulnerable driver (BYOVD) technique. According to Expel, the vulnerable driver utilized is ktapi.sys, part of an API from Kontron. This enables kernel-level access and allows attackers to disable security processes tied to vendors including Microsoft, ESET, Palo Alto Networks, and SentinelOne.

Sophos Counter Threat Unit has analyzed the partnership between VECT and TeamPCP. This alliance, announced in March 2026, combines the fallout of the Trivy and LiteLLM supply chain attacks with ransomware deployment operations. While VECT's encryptor contains implementation flaws that can permanently destroy files larger than 128 KB, the partnership signals a shift toward industrialized ransomware operations. It reflects observations from market watchers like Deloitte that attacker collaboration is becoming increasingly structured and specialized.

Attackers are gravitating toward methods that operate within normal administrative channels while integrating the targeted exploitation of high-impact vulnerabilities like CVE-2025-5777. Treating remote access tooling, identity sprawl, and patch management as isolated categories obscures visibility, as a single exposed Citrix appliance or leaked VPN credential can rapidly cascade into a full-scale ransomware deployment.

Anubis affiliates, The Gentlemen group, and the VECT and TeamPCP partnership demonstrate diverse routes to ransomware deployment. The convergence of supply-chain credential exposure, authentication bypass flaws, and multi-stage remote access tooling continues to dictate how ransomware campaigns operate, necessitating strict controls and continuous monitoring of legitimate administrative utilities.