Anubis Affiliates Ride Citrix Bleed 2 Into Enterprise Networks

Ransomware crews are chaining CVE-2025-5777 with RMM tooling and stolen credentials to skip past MFA entirely.

ThreatVectr Newsdesk· 3 min read
Full-frame edge-to-edge photoreal editorial image of a dimly lit server rack in a data center with a single amber warning LED glowing on a network appliance, co
Share

Key points

  • Anubis ransomware affiliates are actively exploiting Citrix Bleed 2, tracked as CVE-2025-5777, for initial access into NetScaler ADC and Gateway appliances.
  • Affiliates are deploying legitimate Remote Management and Monitoring (RMM) tooling post-access to blend into normal admin traffic.
  • Operators are combining Citrix Bleed 2 exploitation with Bring Your Own Vulnerable Driver (BYOVD) techniques and supply-chain credential theft.
  • Citrix Bleed 2 leaks session material from unauthenticated appliance memory, allowing attackers to hijack authenticated sessions without triggering MFA.

Anubis is back on the initial-access treadmill, and this time the door is Citrix.

Affiliates tied to the ransomware operation are exploiting Citrix Bleed 2, the memory-disclosure flaw in NetScaler ADC and Gateway tracked as CVE-2025-5777, to plant themselves inside enterprise perimeters. The activity was flagged in reporting by The Hacker News summarizing observations across multiple incident responses.

The pattern will feel familiar to anyone who lived through the original Citrix Bleed in 2023. Send an unauthenticated request. Read whatever the appliance happens to leave in memory. Sift out a valid session token. Replay it.

That last step is the part defenders keep underestimating. When an attacker replays a stolen session cookie against a gateway, they inherit an already-authenticated context. There is no fresh login. There is no MFA prompt. The RFC 6749 refresh-token dance and any downstream OIDC assertions all sit downstream of that initial session, so multi-factor at the front door does nothing here. This is a session-hijack problem, not an auth problem.

Which is a polite way of saying: MFA would not have helped. Session binding might have.

What should defenders patch and hunt for first?

Citrix's fix for CVE-2025-5777 has been available since June, and the company's guidance is explicit that patching alone is insufficient — administrators must also terminate all active ICA and PCoIP sessions on affected appliances after upgrading. Anything less leaves hijacked tokens valid. Citrix's advisory lives at support.citrix.com.

Once inside, Anubis affiliates are reaching for legitimate tooling rather than dropping loud custom implants. Investigators have observed the use of commodity RMM software for persistence and lateral movement, which is a well-worn tradecraft choice because it dodges most EDR heuristics that key on unsigned binaries. If your allowlist blesses AnyDesk, ConnectWise, or Atera by default, an operator with a valid session and a domain foothold looks a lot like your MSP.

Credential access is the second act. Reports describe hands-on-keyboard operators pulling secrets from memory, browser stores, and, in some intrusions, third-party suppliers whose credentials granted onward access into the primary target. Supply-chain credential reuse is a recurring theme in 2025 ransomware casework.

The third ingredient is BYOVD. Affiliates are loading vulnerable signed drivers to disable or blind endpoint protection before executing the ransomware payload. Microsoft's vulnerable driver blocklist helps, if it is actually enabled — a check worth running today rather than assuming.

A short hunt list for identity teams:

  1. Review NetScaler appliance uptime. Any device that has not rebooted since the June patch window deserves scrutiny.
  2. Audit active ICA/PCoIP sessions and force termination if the appliance was patched without a session flush.
  3. Alert on RMM binaries executing from user profile paths or spawning cmd.exe and PowerShell with encoded arguments.
  4. Rotate credentials for any third-party integrator with standing access to Citrix-fronted environments.

Citrix Bleed 2 is not clever. It is just effective, because session tokens remain the softest tissue in the modern identity stack. Until session binding to device or client posture becomes the default rather than the exception, this class of bug will keep paying rent for ransomware crews.

© 2026 Threat Vectr