Covered by 1 source · 1 report · High impact

Anubis Ransomware Group Exploits Citrix Bleed 2 Vulnerability for Attacks

Aggregated by BrevFeed security · updated 4h ago

The Anubis ransomware operation has been identified exploiting the Citrix Bleed 2 (CVE-2025-5777) vulnerability to gain access to targeted environments. Its use of legitimate remote access tools for lateral movement highlights the evolving tactics of ransomware groups and the urgent need for organizations to address vulnerabilities.

Key points

Overview of Anubis Operations

The Anubis ransomware group, rebranded from Sphinx ransomware, has been actively exploiting the Citrix Bleed 2 vulnerability since early 2025. Their operations were formally announced on the RAMP underground forum, and they have targeted a range of sectors including healthcare and finance.

Exploitation of Citrix Bleed 2

CVE-2025-5777 is a critical vulnerability in Citrix NetScaler ADC and Gateway, with a CVSS score of 9.3. Attackers can exploit this flaw to bypass authentication on appliances configured as a gateway, leading to unauthorized access. Reports indicate that Anubis affiliates are using both this exploit and valid VPN credentials in their attacks.

Use of Legitimate Tools

Anubis affiliates have been observed using legitimate remote management tools such as ScreenConnect and Zoho Assist. This lets their malicious activity blend in with normal IT operations, making detection harder for security teams.

Ransomware Business Model

Anubis offers affiliates an 80% share of ransom payments, strengthening its recruitment model for cybercriminals. In addition, its /WIPEMODE module, which zeroes files upon activation, increases pressure on victims to pay quickly before data is irreversibly lost.

Industry Impact

The activities of Anubis underline the critical importance of promptly addressing vulnerabilities in widely used software. With a high percentage of victims based in the U.S. and the healthcare and financial sectors significantly affected, robust security measures are increasingly necessary to mitigate the risks posed by ransomware operations.

This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors; check the original sources.
