← Back to blog

Ransomware Groups Exploit Citrix Bleed 2 and BYOVD Tactics for Enterprise Access

Anubis ransomware operators are leveraging the Citrix Bleed 2 vulnerability (CVE-2025-5777) combined with legitimate RMM tools and supply chain credentials to breach enterprise networks. Security teams must prioritize patching and monitoring for these converging attack vectors.

TL;DR

  • Anubis ransomware affiliates actively exploit Citrix Bleed 2 (CVE-2025-5777) for initial network access
  • Threat actors abuse legitimate Remote Management and Monitoring (RMM) tools to evade detection during lateral movement
  • Supply chain credential theft and Bring-Your-Own-Vulnerable-Driver (BYOVD) techniques enable privilege escalation
  • Hands-on-keyboard operations indicate sophisticated, manual post-exploitation workflows targeting high-value assets

Threat actors affiliated with the Anubis ransomware operation have been observed systematically exploiting the Citrix Bleed 2 vulnerability to establish initial footholds in enterprise environments. This campaign demonstrates a coordinated shift toward combining known vulnerabilities with legitimate system administration tools to bypass traditional security controls.

The attack chain reflects a mature operational model where multiple techniques converge: vulnerability exploitation for entry, credential harvesting from supply chain partners, and abuse of trusted RMM platforms for persistence and lateral movement. This layered approach significantly increases the difficulty of detection and response for security teams.

Attack Chain: From Citrix Bleed 2 to Lateral Movement

  • CVE-2025-5777 (Citrix Bleed 2) serves as the primary initial access vector for Anubis affiliates
  • Legitimate RMM tools (TeamViewer, AnyDesk, ConnectWise) are repurposed post-compromise to maintain persistence
  • Hands-on-keyboard operations enable manual reconnaissance and targeted lateral movement within networks
  • Supply chain credentials obtained through prior breaches or phishing are leveraged to access partner systems

Privilege Escalation and Evasion Tactics

  • Bring-Your-Own-Vulnerable-Driver (BYOVD) exploits enable kernel-level privilege escalation while bypassing EDR solutions
  • Use of legitimate administrative tools reduces behavioral anomalies and lowers detection rates
  • Credential access techniques target both direct employees and third-party vendors with network access
  • Affiliate variation in tradecraft suggests a flexible operational model adapted to target-specific environments

Defensive Recommendations for Security Teams

  • Prioritize patching of Citrix systems; implement network segmentation to limit Citrix exposure
  • Monitor and restrict RMM tool usage; deploy application whitelisting and behavioral analytics for RMM processes
  • Implement credential hygiene programs and supply chain access reviews to reduce lateral movement risk
  • Deploy kernel-mode driver monitoring and BYOVD detection signatures in endpoint protection solutions
  • Conduct tabletop exercises simulating multi-stage ransomware campaigns to test detection and response capabilities

Sources

Sources

Security email updates

One digest email when we publish new security articles (TL;DR plus links to read more). Unsubscribe anytime from the message footer. See our Privacy Policy.

Ransomware Groups Exploit Citrix Bleed 2 and BYOVD Tactics for Enterprise Access — Agent Breach Blog | Agent Breach