Close Menu
  • Home
  • News
  • Security
  • Privacy
  • Cybercrime
    • Threat Groups
    • Ransomware
    • Explainers
    • Stealer Logs
  • AI
  • OSINT
  • Tools
    • Ransomtracker
    • Stealercheck
    • FortiBleed Checker
  • About Us
Facebook X (Twitter) Instagram Threads
Ransomnews
  • Home
  • News
  • Security
  • Privacy
  • Cybercrime
    • Threat Groups
    • Ransomware
    • Explainers
    • Stealer Logs
  • AI
  • OSINT
  • Tools
    • Ransomtracker
    • Stealercheck
    • FortiBleed Checker
  • About Us
Facebook X (Twitter) LinkedIn
Ransomnews
Cybercrime

Anubis ransomware is exploiting Citrix Bleed 2 for access

Ransomnews Research TeamBy Ransomnews Research TeamJuly 10, 2026Updated:July 10, 2026No Comments5 Mins Read18 Views
Share Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
Anubis ransomware is exploiting Citrix Bleed 2 for access, ransomnews.com
Share
Facebook Twitter LinkedIn Pinterest Email Copy Link

Anubis ransomware affiliates are exploiting Citrix Bleed 2 (CVE-2025-5777) to break into corporate networks, according to a July 2026 report from Arctic Wolf. Once inside, the affiliates lean almost entirely on legitimate remote-management tools to blend in with normal IT activity, move laterally over RDP and PsExec, exfiltrate data with off-the-shelf cloud utilities, and in some cases trigger an irreversible wiper that zeroes files whether or not the ransom is paid. Anubis has claimed 91 victims on its leak site, 11 of them in June 2026 alone.

The campaign is a textbook example of the “live off the land” tradecraft defining ransomware in 2026: exploit an exposed edge appliance, then do everything else with tools that look like the victim’s own IT stack. That combination makes detection hard and forces defenders back to fundamentals. Here is how the intrusions run and what stops them.

Who is Anubis?

Anubis is a ransomware-as-a-service operation that first appeared in late 2024 as a rebrand of Sphinx ransomware and was formally announced on the RAMP underground forum in February 2025. Rubrik Zero Labs reported that Anubis advertises an aggressive 80% profit split to affiliates and pairs it with a data-wiping feature that raises the pressure to pay fast. According to Ransomware.live data cited by Arctic Wolf, the group has claimed 91 victims to date, with more than half in the United States, followed by the U.K., Australia, France, and Canada. Targeted sectors skew toward healthcare, business services, manufacturing, technology, and financial services. You can follow the group on the Ransomnews threat-group catalogue.

What is Citrix Bleed 2?

Citrix Bleed 2 is CVE-2025-5777, a critical flaw (CVSS 9.3) in Citrix NetScaler ADC and Gateway that lets an attacker bypass authentication when the appliance is configured as a Gateway or AAA virtual server. It echoes the original Citrix Bleed that fuelled a wave of 2023 ransomware intrusions. In the Anubis campaign, exploitation of CVE-2025-5777 sits alongside the use of valid VPN credentials, including Cisco AnyConnect logins seen coming from hosting providers. The source of those credentials is not confirmed, but Arctic Wolf notes they were likely bought from initial access brokers or harvested by infostealers. Exposed edge devices remain the single most reliable ransomware entry point, a pattern we documented in the FortiBleed investigation.

How does the attack chain work?

After gaining access through Citrix Bleed 2 or valid VPN logins, affiliates authenticate over RDP and SMB, then use PsExec service creation to move laterally. They deploy legitimate remote-management and monitoring tools for persistent access, ScreenConnect, Zoho Assist, MeshAgent, Remotely, UltraVNC, and Total Software Deployment, so their activity resembles routine administration. Some intrusions configure a Cloudflare Tunnel (cloudflared) to reach into the environment over HTTPS. Data is exfiltrated with S3 Browser, rclone, s5cmd, WinSCP, and PuTTY before the encryptor runs.

Anubis intrusion chain Access Citrix Bleed 2 CVE-2025-5777 Valid VPN logins Lateral move RDP + SMB PsExec RMM tools Evasion Disable Defender SophosUninstall Clear logs Exfil rclone, s5cmd S3 Browser WinSCP Impact Encrypt /WIPEMODE 0 KB files Everything after initial access uses legitimate admin tooling to blend in. Source: Arctic Wolf, Rubrik Zero Labs, July 2026

Why is the wiper the real threat?

Anubis carries a destructive option that changes the calculus for victims. When its /WIPEMODE module runs, files stay in their directories but are reduced to 0 KB regardless of any ransom payment. As Rubrik put it, knowing operators can revert an environment to that scorched-earth state with a single command significantly increases pressure to pay before the wiper fully activates. This is the same trend Ransomnews has tracked toward extortion where recovery is off the table: if paying cannot reliably restore the data, the threat is really about leverage and destruction, not decryption.

What should defenders do now?

Patch NetScaler against CVE-2025-5777 immediately and treat any Citrix Gateway as a priority asset, because it is the front door here. Beyond the patch, the defensive job is spotting legitimate tools used illegitimately: alert on unexpected RMM installs (ScreenConnect, Zoho Assist, MeshAgent), on cloudflared appearing in server environments, and on cloud-transfer utilities like rclone and s5cmd running where they have no business. Rotate VPN credentials and assume any that appear in stealer logs are compromised. Because Anubis can wipe as well as encrypt, offline, immutable backups are the control that matters most: they are the only thing that survives a /WIPEMODE command.

Frequently asked questions

What is Citrix Bleed 2?

Citrix Bleed 2 is CVE-2025-5777, a critical authentication-bypass flaw in Citrix NetScaler ADC and Gateway. Attackers use it to bypass login when the appliance runs as a Gateway or AAA virtual server.

Who is behind the Anubis ransomware?

Anubis is a ransomware-as-a-service group that emerged in late 2024 as a rebrand of Sphinx and was announced on the RAMP forum in February 2025. It offers affiliates an 80% profit split.

What makes Anubis different from other ransomware?

Anubis includes a /WIPEMODE feature that reduces files to 0 KB regardless of payment. That destructive capability is designed to pressure victims into paying before the wiper fully runs.

How do Anubis affiliates avoid detection?

They rely on legitimate remote-management tools such as ScreenConnect, Zoho Assist, and MeshAgent, plus RDP, PsExec, and Cloudflare tunnels, so their activity blends in with normal IT administration.

How do I protect against this campaign?

Patch NetScaler against CVE-2025-5777, rotate VPN credentials, alert on unexpected RMM and cloud-transfer tools, and keep offline immutable backups that survive the wiper.

Sources and further reading

  • Arctic Wolf: CitrixBleed 2 to cloudflared, the tools behind Anubis attacks
  • The Hacker News: Ransomware groups turn to Citrix Bleed 2, BYOVD, and supply chain credentials
  • Rubrik Zero Labs: Anubis ransomware and the /WIPEMODE wiper
  • Ransomnews: FortiBleed: 75,000 cracked Fortinet firewalls
  • Ransomnews: Initial Access Brokers 2026
Share. Facebook Twitter Pinterest LinkedIn Tumblr Telegram Email Copy Link
Previous ArticleKairos took $1M from a US government body and encrypted nothing
Next Article The Gentlemen weaponised a Kontron driver to kill EDR
Ransomnews Research Team

The Ransomnews Research Team is the collective byline used for collaborative pieces, editorial briefings, and articles drawing on contributions from multiple researchers. Coverage spans ransomware operations, breach economics, threat actor profiling, OSINT methodology, and emerging risks across security, privacy, and AI.

Related Posts

Kairos took $1M from a US government body and encrypted nothing

July 10, 2026

XSS forum: from DaMaGeLaB to the 2025 takedown

June 29, 2026

1.16 billion attacks: how the FortiBleed crew broke FortiGate

June 19, 2026

Comments are closed.

Facebook X (Twitter) LinkedIn
© 2026 Ransomnews.com

Type above and press Enter to search. Press Esc to cancel.

Cookies on Ransomnews

We use strictly-necessary cookies to run the site and may use first-party analytics to understand which articles are read. Some pages contain affiliate links — when you click one, the affiliate network sets cookies on the merchant's domain to attribute the referral. See the Cookie Policy and Affiliate Disclosure for detail.

RANSOMNEWS.COM

Tracking the criminal infrastructure of the internet.

Independent coverage of ransomware, breach economics, threat actors, privacy, AI security, and the open-source investigation toolkit.

// Topics

  • News
  • Security
  • Privacy
  • Cybercrime
  • AI
  • OSINT
  • Threat Groups
  • Stealer Logs
  • Ransomtracker
  • Stealercheck
  • FortiBleed Checker

// Site

  • About Us
  • Editorial Team
  • Contact
  • Tip Line
  • Editorial

// Legal

  • Privacy Policy
  • Terms of Service
  • Cookie Policy
  • Funding & Independence
  • RSS Feed
© 2026 Ransomnews.com · Tracking the criminal infrastructure of the internet.