Ransomware operators behind the Anubis operation have begun exploiting Citrix Bleed 2, a newly disclosed vulnerability tracked as CVE-2025-5777, to breach corporate networks and establish initial footholds for extortion attacks.
The threat group deploys varied tactics but follows consistent patterns across campaigns. Operators leverage legitimate Remote Management and Monitoring (RMM) tools to maintain persistence after gaining entry through the Citrix flaw. They escalate privileges using credential theft techniques and conduct hands-on-keyboard reconnaissance to move laterally across victim networks.
Citrix Bleed 2 allows attackers to extract sensitive session data and authentication tokens from vulnerable Citrix systems without authentication. The vulnerability poses immediate risk to organisations running unpatched Citrix NetScaler, Gateway, and SD-WAN appliances that serve as critical network perimeter controls. Organisations relying on these systems for remote access face exposure to rapid compromise chains.
The Anubis group's adoption of this vulnerability reflects a broader ransomware trend. Threat actors now weaponise recently disclosed CVEs faster than before, often within days of public disclosure. Supply chain credentials and BYOVD (Bring Your Own Vulnerable Driver) techniques complement the Citrix exploitation approach, enabling attackers to evade detection while moving through networks using legitimate administrative privileges.
RMM tool abuse presents a particular challenge for defenders. Tools like ConnectWise, AnyDesk, and similar solutions grant remote access capabilities that attackers exploit after credential compromise. Once established, these tools act as effective backdoors: they need only valid credentials, so there is no malware signature for endpoint tools to detect.
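Because a legitimately signed RMM client leaves no malware signature, the practical detection handle is context: which host, which install path, and what time of day. The following script is an added example (not code from the article or from any vendor): it runs over a few constructed process-creation log lines and flags RMM executions that occur outside business hours, on hosts not in the sanctioned inventory, or from an install path other than the expected one. The binary names, approved hosts, approved path prefix, and business-hours window are all assumed values to be replaced with an organisation's own inventory.

```python
"""Flag RMM tool executions that fall outside business hours, run on
unapproved hosts, or launch from unexpected paths.

Added example: the log lines below are constructed, and every list of
"approved" values is an assumption standing in for a real inventory.
"""
from datetime import datetime, time

# Constructed process-creation events: timestamp, host, user, image path.
SAMPLE_LOG = """\
2025-07-01T09:15:02 WS-042 alice C:\\Program Files\\AnyDesk\\AnyDesk.exe
2025-07-01T23:47:19 WS-042 alice C:\\Program Files\\AnyDesk\\AnyDesk.exe
2025-07-02T03:02:41 SRV-DB1 svc_backup C:\\Users\\Public\\ScreenConnect.Client.exe
2025-07-02T11:30:00 WS-017 bob C:\\Windows\\System32\\notepad.exe
2025-07-02T12:05:13 WS-017 bob C:\\Users\\bob\\Downloads\\AnyDesk.exe
"""

# Assumed RMM client binary names (lowercased); extend from your own inventory.
RMM_BINARIES = {"anydesk.exe", "screenconnect.client.exe"}
# Assumed location a sanctioned, centrally deployed RMM client installs to.
APPROVED_PATH_PREFIXES = ("c:\\program files\\",)
# Assumed inventory of hosts where an RMM agent is permitted at all.
APPROVED_HOSTS = {"WS-042", "WS-017"}
# Assumed business-hours window, Monday to Friday.
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)


def parse_line(line):
    """Split one constructed log line into (timestamp, host, user, image path).

    maxsplit=3 keeps the image path intact even when it contains spaces.
    """
    ts, host, user, image = line.split(None, 3)
    return datetime.fromisoformat(ts), host, user, image


def is_business_hours(ts):
    """True on a weekday inside the configured window."""
    return ts.weekday() < 5 and BUSINESS_START <= ts.time() < BUSINESS_END


def analyse(log_text):
    """Return one finding per RMM execution that breaks any expectation.

    Each finding records the event and the list of reasons it was flagged,
    always in the order: outside_business_hours, unapproved_host,
    unapproved_path. Non-RMM processes are ignored.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, user, image = parse_line(line)
        binary = image.rsplit("\\", 1)[-1].lower()
        if binary not in RMM_BINARIES:
            continue
        reasons = []
        if not is_business_hours(ts):
            reasons.append("outside_business_hours")
        if host not in APPROVED_HOSTS:
            reasons.append("unapproved_host")
        if not image.lower().startswith(APPROVED_PATH_PREFIXES):
            reasons.append("unapproved_path")
        if reasons:
            findings.append({
                "time": ts.isoformat(),
                "host": host,
                "user": user,
                "binary": binary,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f['time']} {f['host']} {f['user']} {f['binary']}: "
              + ", ".join(f["reasons"]))
```

On the constructed input the daytime AnyDesk launch from the sanctioned install path on an inventoried workstation is not flagged, while the same binary at 23:47, the ScreenConnect client dropped into a public directory on a database server at 03:02, and an AnyDesk copy run from a user's Downloads folder each produce a finding. The three checks are deliberately independent so that a sanctioned tool on a sanctioned host still surfaces when it runs at an unusual hour, which is the case the article's guidance on after-hours monitoring is aimed at.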
Organisations should prioritise patching Citrix systems immediately. Security teams should inventory all RMM tool deployments and restrict access through network segmentation and authentication controls. Monitoring for unusual RMM activity, especially outside business hours or
