Anubis Ransomware Exploits Citrix Bleed 2, Abuses Legitimate RMM Tools for Lateral Movement
Anubis RaaS affiliates leverage CVE-2025-5777 and supply chain credentials to gain initial access, then deploy legitimate remote management tools for persistent control and data exfiltration.
Attack Brief
Target: Citrix NetScaler ADC and Gateway; enterprise networks across healthcare, business services, manufacturing, technology, and financial services
Vector: CVE-2025-5777 exploitation for authentication bypass; valid VPN credentials; abuse of legitimate RMM tooling (ScreenConnect, Zoho Assist, MeshAgent, Remotely, UltraVNC, Total Software Deployment); lateral movement via RDP and PsExec
Attribution: Anubis ransomware-as-a-service operation (rebrand of Sphinx ransomware, emerged late 2024)
Technical Details
CVE IDs: CVE-2025-5777
MITRE ATT&CK: T1190, T1078, T1570, T1021.001, T1021.006, T1041
Affected: Citrix NetScaler ADC and Gateway configured as a Gateway or AAA virtual server
Impact
Affected Organisations: 91 victims claimed on the Anubis data leak site; 11 victims reported in June 2026 alone
Sectors: healthcare, business services, manufacturing, technology, financial services
Confirmed Damage: Data exfiltration; the /WIPEMODE module reduces files to 0 KB in size regardless of ransom payment
Geography: United States (>50% of victims), United Kingdom, Australia, France, Canada
Mitigation
Detection: Monitor for CVE-2025-5777 exploitation attempts against Citrix NetScaler appliances; detect VPN authentication from hosting ASNs (AS20473, AS55286); identify RDP/SMB login chains followed by RMM tool deployment; monitor for PsExec service creation and cloudflared tunnel establishment
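The detection points above, turned into a small correlation script as an added example (not part of the original brief). It assumes a constructed `key=value` event format, an assumed 30-minute window between a logon and an RMM drop, and assumed binary-name substrings for the RMM tools the brief names.

```python
from datetime import datetime, timedelta

# Hosting ASNs the brief names as the source of affiliate VPN authentications.
HOSTING_ASNS = {"AS20473", "AS55286"}
# Substrings matched against process image names. The tools come from the
# brief; the exact binary names are assumptions for this example.
RMM_MARKERS = ("screenconnect", "zohoassist", "zohomeeting", "meshagent",
               "remotely", "winvnc", "ultravnc")
WINDOW = timedelta(minutes=30)   # assumed max gap between logon and RMM deployment

def parse(line):
    """Parse one constructed 'key=value|key=value' event line into a dict."""
    ev = dict(field.split("=", 1) for field in line.split("|"))
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

def triage(lines):
    """Return (timestamp, rule, detail) alerts for the brief's detection points."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    alerts, logons = [], {}   # logons: host -> (ts, user) of the last RDP/SMB logon
    for ev in events:
        kind = ev["type"]
        if kind == "vpn_auth" and ev.get("asn") in HOSTING_ASNS:
            alerts.append((ev["ts"], "vpn_from_hosting_asn", f"{ev['user']} via {ev['asn']}"))
        elif kind == "logon" and ev.get("logon_type") in ("3", "10"):   # network / RDP
            logons[ev["host"]] = (ev["ts"], ev["user"])
        elif kind == "service_install" and ev.get("name", "").upper() == "PSEXESVC":
            alerts.append((ev["ts"], "psexec_service", ev["host"]))
        elif kind == "process":
            image = ev.get("image", "").lower()
            if "cloudflared" in image and "tunnel" in ev.get("cmdline", "").lower():
                alerts.append((ev["ts"], "cloudflared_tunnel", ev["host"]))
            elif any(m in image for m in RMM_MARKERS):
                prior = logons.get(ev["host"])   # RMM drop only fires after a logon chain
                if prior and ev["ts"] - prior[0] <= WINDOW:
                    alerts.append((ev["ts"], "logon_then_rmm", f"{prior[1]} on {ev['host']}: {image}"))
    return alerts

# Constructed sample telemetry; not taken from any real incident.
SAMPLE = [
    "ts=2025-07-01T09:00:00|type=vpn_auth|user=jdoe|asn=AS20473|src=203.0.113.7",
    "ts=2025-07-01T09:05:00|type=logon|user=jdoe|host=FS01|logon_type=10",
    "ts=2025-07-01T09:12:00|type=process|host=FS01|image=C:\\Temp\\MeshAgent.exe|cmdline=MeshAgent.exe -install",
    "ts=2025-07-01T09:20:00|type=service_install|host=FS01|name=PSEXESVC",
    "ts=2025-07-01T09:25:00|type=process|host=FS01|image=cloudflared.exe|cmdline=cloudflared tunnel run",
    "ts=2025-07-01T14:00:00|type=process|host=WS22|image=ScreenConnect.ClientService.exe|cmdline=",
]

if __name__ == "__main__":
    for ts, rule, detail in triage(SAMPLE):
        print(ts.isoformat(), rule, detail)
```

The last sample line shows the intended suppression: an RMM agent with no preceding RDP/SMB logon on that host does not fire the chain rule on its own.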
Context
Previous Campaigns: Anubis formally announced on the RAMP underground forum in February 2025; advertises 80% profit splits to affiliates; features an irreversible data-wiping capability to increase ransom pressure