July 3, 2026
Ransomware’s New Playbook: Citrix Bleed 2, BYOVD Attacks, and Supply Chain Credentials
By Germano Costi
Ransomware groups are moving beyond simple encryption by combining edge-device exploitation, legitimate remote management tools, vulnerable drivers, credential theft, cloud exfiltration, and supply chain compromise.
Ransomware is no longer just about encrypting files.
That era is over.
Modern ransomware operations behave more like full intrusion ecosystems. They exploit internet-facing appliances. They buy or steal VPN credentials. They abuse legitimate remote management tools. They move laterally with administrative utilities. They disable endpoint detection. They exfiltrate data before encryption. They recruit affiliates. They weaponize supply chain compromise. They blend into normal IT activity.
The latest reporting around Anubis ransomware, The Gentlemen RaaS, VECT, and TeamPCP shows how fast the ransomware landscape is changing.
Three trends stand out.
First, ransomware affiliates are exploiting Citrix Bleed 2, tracked as CVE-2025-5777, to gain access to vulnerable Citrix NetScaler ADC and Gateway environments.
Second, ransomware operators are increasingly using BYOVD, or Bring Your Own Vulnerable Driver, to disable endpoint security products at the kernel level.
Third, ransomware crews are converting supply chain credential theft into large-scale extortion opportunities.
These are not isolated tactics.
They are pieces of the same strategic shift: ransomware actors are becoming more industrialized, more modular, and more dependent on access operations that happen long before encryption begins.
The real ransomware incident does not start when files are encrypted.
It starts when the attacker gets a credential, exploits an edge appliance, installs a remote access tool, disables security controls, or steals data.
Encryption is often the final visible stage.
The intrusion begins much earlier.
Why This Ransomware Wave Matters
The latest ransomware activity is important because it combines multiple high-risk techniques in one ecosystem.
Attackers are not relying on a single path.
They are using:
Citrix Bleed 2 exploitation.
Valid VPN credentials.
Remote Monitoring and Management tools.
RDP and SMB activity.
PsExec service creation.
Credential harvesting.
Cloud transfer tools.
Cloudflare tunnels.
BYOVD attacks.
EDR tampering.
Supply chain credential theft.
Data exfiltration before encryption.
This makes defense harder.
A security team may see a legitimate RMM tool and think it is normal administration.
They may see a valid VPN login and think it is an employee.
They may see PsExec and think it is IT maintenance.
They may see cloud transfer tools and think it is business data movement.
They may see a signed driver and assume it is trusted.
That is the problem.
Modern ransomware operators do not always look like malware at first. They often look like administrators.
Anubis Ransomware and Citrix Bleed 2
The Anubis ransomware operation has been observed exploiting Citrix Bleed 2, tracked as CVE-2025-5777, for initial access.
Citrix Bleed 2 affects Citrix NetScaler ADC and Citrix NetScaler Gateway when configured in certain gateway or authentication roles. The vulnerability has a high severity rating and can allow attackers to bypass authentication under specific conditions.
This matters because Citrix appliances often sit at the edge of the enterprise network.
They handle remote access.
They support VPN workflows.
They connect users to internal systems.
They are exposed to the internet.
That makes them attractive targets for ransomware affiliates.
If an attacker compromises an edge appliance, the perimeter becomes less meaningful. The attacker may gain a path into the internal environment without first compromising a workstation.
This is why vulnerabilities in VPNs, gateways, firewalls, identity proxies, and remote access systems are so dangerous. They are not just software flaws. They are access flaws.
For Anubis affiliates, Citrix Bleed 2 appears to be one of several access methods. Valid VPN credentials were also observed in intrusions, including Cisco AnyConnect logins from hosting providers.
That combination is important.
Ransomware actors do not care whether access comes from an exploit, a stolen password, an infostealer log, credential stuffing, or an initial access broker.
They care that access works.
Valid VPN Credentials: The Quiet Door
A valid VPN login can be more dangerous than a noisy exploit.
When attackers use real credentials, their activity may initially appear legitimate. The login may pass authentication. It may not trigger exploit signatures. It may look like a remote worker connecting from an unusual location.
But once inside, the attacker can begin hands-on-keyboard activity.
In the Anubis-linked intrusions, malicious VPN authentication was followed by activity involving RDP, SMB, credential access, PsExec, RMM deployment, and cloud-transfer tooling for exfiltration.
This is the classic ransomware progression.
Get in.
Explore.
Collect credentials.
Move laterally.
Establish persistence.
Disable defenses.
Steal data.
Deploy ransomware.
The initial VPN credential may have come from prior compromise, an infostealer infection, credential stuffing, phishing, or an initial access broker.
That uncertainty is part of the problem.
Organizations often focus on patching vulnerabilities but underestimate the risk of valid credentials already circulating in criminal markets.
A patched VPN is still dangerous if attackers have valid usernames, passwords, tokens, or session material.
Abuse of Legitimate RMM Tools
Anubis affiliates repeatedly abused legitimate Remote Monitoring and Management tools, including ScreenConnect, Zoho Assist, MeshAgent, Remotely, UltraVNC, and Total Software Deployment.
This is one of the most important trends in ransomware.
RMM tools are designed for IT administration. They allow remote access, file transfer, command execution, troubleshooting, and system control.
For administrators, they are useful.
For attackers, they are perfect.
If a ransomware operator installs a known malware implant, security tools may detect it quickly. If the operator installs a legitimate RMM tool, the activity may blend into ordinary IT operations.
This creates a major detection challenge.
The question is no longer simply, "Is this tool malicious?"
The better question is, "Is this tool expected here, installed by the right team, at the right time, from the right source, with the right configuration?"
Legitimate tools become suspicious when they appear outside approved channels, run under unusual accounts, connect to unknown infrastructure, or appear shortly after suspicious VPN or RDP activity.
RMM abuse is not an exception anymore.
It is part of the ransomware playbook.
Lateral Movement With RDP, SMB, and PsExec
After initial access, ransomware operators need to expand control.
They often use tools already available inside Windows environments.
RDP allows interactive remote access.
SMB supports file sharing and administrative movement.
PsExec allows remote command execution and service creation.
These tools are commonly used by administrators, which makes them attractive to attackers.
In Anubis-linked intrusions, RDP and SMB activity led to credential access, PsExec service creation, RMM deployment, and later exfiltration.
This shows how ransomware groups use normal enterprise protocols to move.
They do not always need exotic malware.
They can use what the organization already trusts.
That is why defenders must monitor administrative behavior, not only malware signatures.
Unusual PsExec use, unexpected service creation, suspicious RDP paths, lateral SMB access, and credential dumping activity should be treated as high-priority signals.
Cloudflare Tunnels and Hidden Access
Some intrusions also used Cloudflare Tunnel, deployed through its cloudflared client, to establish tunnels into victim environments.
Tunneling tools are attractive because they can provide remote access without traditional inbound firewall rules. They allow attackers to create outbound connections from the victim environment to a cloud service, then access internal systems through that tunnel.
This can bypass assumptions about perimeter security.
If defenders only monitor inbound connections, they may miss outbound tunnel creation.
Cloudflare Tunnel is a legitimate service. Many organizations use it for secure access and application publishing.
But like many legitimate tools, it can be abused.
In ransomware investigations, unexpected tunnel binaries, unusual tunnel configurations, unknown cloudflared processes, and outbound connections to tunneling infrastructure should be reviewed carefully.
The presence of a tunnel may indicate the attacker wants durable access.
Data Exfiltration Before Encryption
Modern ransomware is usually double extortion.
Attackers do not only encrypt files.
They steal data first.
Then they threaten to publish it, sell it, or use it as leverage.
In the reported intrusions, attackers deployed cloud-transfer tools such as S3 Browser, rclone, s5cmd, WinSCP, and PuTTY to move or exfiltrate data before ransomware deployment.
This matters because encryption is not the only damage.
Even if backups work, stolen data may still create regulatory, legal, financial, and reputational consequences.
Organizations must therefore treat ransomware response as a data breach investigation.
The key questions are:
What data was accessed?
What data was staged?
What data was transferred?
Which accounts were used?
Which cloud destinations were contacted?
Were archives created?
Were sensitive directories enumerated?
Was exfiltration successful?
If security teams only focus on restoring encrypted systems, they may miss the larger breach.
Defense Evasion: Disabling Security Controls
Ransomware affiliates also took steps to impair defenses and complicate analysis.
Reported techniques included disabling Windows Defender real-time protection, Sophos uninstall activity, PCHunter-related artifacts, log clearing, log manipulation, and removal of the ransomware encryptor after execution.
This is typical of mature ransomware operations.
The attacker wants to reduce detection before the final stage.
They want fewer logs.
They want weaker endpoint visibility.
They want security tools disabled.
They want forensic artifacts removed.
They want incident responders to reconstruct the attack with incomplete evidence.
That is why tamper protection, centralized logging, EDR hardening, and immutable logs matter.
If attackers can disable local security controls and erase local logs, defenders need independent visibility.
Security telemetry should not live only on the system being attacked.
Anubis RaaS: A Growing Ransomware Operation
Anubis is a ransomware-as-a-service operation that emerged in late 2024 as a rebrand of Sphinx ransomware and was formally announced on the RAMP underground forum in February 2025.
As a RaaS operation, Anubis depends on affiliates.
The core operators provide ransomware tooling, infrastructure, leak sites, branding, payment workflows, and negotiation structures. Affiliates conduct intrusions, deploy payloads, steal data, and pressure victims.
This model scales ransomware.
It allows specialized actors to participate in different parts of the attack chain.
One group may obtain credentials.
Another may provide malware.
Another may handle negotiation.
Another may specialize in data theft.
Another may deploy the encryptor.
Anubis reportedly advertises attractive profit splits, offering affiliates a large share of ransom payments. Rubrik Zero Labs also described an irreversible data-wiping feature known as WIPEMODE, which can reduce files to 0 KB and increase pressure on victims.
That feature is especially alarming because it blurs the line between ransomware and wiper behavior.
If data destruction occurs regardless of payment, the victim's risk calculation changes dramatically.
The Gentlemen RaaS and the Go Backdoor
The ransomware group known as The Gentlemen has also expanded its operations with custom tools, including a Go-based backdoor.
Kaspersky described the backdoor as capable of collecting system information, sending it to an external server, receiving operator responses, executing commands through cmd.exe, and establishing a SOCKS proxy connection.
This gives attackers flexibility.
A backdoor can support reconnaissance.
It can help pivot inside the network.
It can execute commands.
It can support proxying.
It can expand the attack chain before ransomware is deployed.
The use of Go is also notable. Go-based malware has become common because Go binaries are portable, easy to compile across platforms, and often large enough to complicate analysis.
For defenders, the key point is that ransomware groups are not only deploying encryptors.
They are building toolchains.
Backdoors, proxies, credential tools, vulnerable drivers, RMM platforms, and exfiltration utilities are all part of the operation.
BYOVD: Bring Your Own Vulnerable Driver
One of the most dangerous techniques in the modern ransomware playbook is BYOVD, short for Bring Your Own Vulnerable Driver.
In a BYOVD attack, the attacker brings a legitimate but vulnerable driver onto the target system. Because drivers operate at or near the kernel level, exploiting a vulnerable driver can give attackers powerful access to the operating system.
This can allow them to disable endpoint protection, kill protected processes, bypass security controls, and interfere with monitoring tools.
The Gentlemen group has reportedly used BYOVD techniques, and Expel analyzed a zero-day vulnerability in a third-party vendor driver called ktapi.sys, part of an API developed by Kontron. The vulnerable driver was used to obtain kernel-level access and disable security processes associated with major endpoint protection vendors.
This is a serious enterprise threat.
Even fully patched Windows systems with modern exploit mitigations may not be completely protected if attackers can load and abuse a vulnerable signed driver.
That is the challenge of BYOVD.
The driver may be legitimate.
The signature may be valid.
The abuse is malicious.
Why BYOVD Is So Hard to Defend Against
BYOVD attacks are difficult because they exploit trust in signed drivers.
Operating systems often allow signed drivers because hardware and enterprise software depend on them. But if a signed driver contains a vulnerability, attackers may use it as a weapon.
Once attackers reach the kernel level, they may be able to attack security products directly.
They can terminate protected processes.
They can block sensors.
They can hide activity.
They can modify memory.
They can weaken defenses before ransomware deployment.
This is why driver blocklists, kernel protection, EDR tamper protection, application control, and strict driver loading policies matter.
Organizations should not assume that a signed driver is safe.
Signed means it came from a recognized publisher.
It does not mean it cannot be abused.
Supply Chain Credentials: TeamPCP and VECT
The third major trend is the weaponization of supply chain credential theft.
Sophos described a partnership between VECT and TeamPCP that combines supply chain attack-driven credential theft with ransomware deployment.
This is a meaningful shift.
Traditional ransomware often depends on direct intrusion into one organization at a time.
Supply chain credential theft can create access to many organizations at once.
If attackers compromise a developer package, CI/CD secret, cloud token, API key, Kubernetes credential, or software dependency, they may gain downstream access at scale.
The TeamPCP-linked supply chain activity involving projects such as Trivy and LiteLLM shows why software supply chain security now intersects directly with ransomware risk.
A compromised package can steal secrets.
Those secrets can open environments.
Those environments can become ransomware targets.
This is industrialized extortion.
The attacker no longer needs to manually phish every victim. They can compromise a trusted software path and harvest credentials at scale.
Why VECT and TeamPCP Matter
The reported VECT/TeamPCP alliance represents a model where supply chain compromise becomes a ransomware distribution engine.
Credentials stolen from supply chain attacks can be used to enable ransomware deployment across multiple affected organizations.
Even if the ransomware encryptor itself has technical flaws, the operational model is still dangerous.
The core risk is not only encryption quality.
The core risk is access at scale.
If attackers can obtain cloud credentials, developer secrets, registry tokens, CI/CD access, Kubernetes credentials, or SaaS tokens, they can move quickly from one compromised dependency to many affected environments.
That lowers the barrier to entry for cybercrime.
It also creates a marketplace effect.
Supply chain access can be turned into ransomware opportunities for affiliates.
This is why software supply chain security is no longer just a developer concern.
It is a ransomware prevention issue.
The Common Pattern: Trust Abuse
Across Anubis, The Gentlemen, VECT, and TeamPCP, the common theme is trust abuse.
Citrix appliances are trusted remote access systems.
VPN credentials are trusted identities.
RMM tools are trusted administration platforms.
PsExec is a trusted Microsoft administration utility.
Drivers are trusted kernel components.
Cloud transfer tools are trusted business utilities.
Software packages are trusted dependencies.
OAuth tokens, API keys, and credentials are trusted access objects.
Ransomware groups are exploiting trust wherever they find it.
This is why traditional malware-centric defense is not enough.
The attacker may not bring obvious malware at first.
They may bring legitimate tools, valid credentials, signed drivers, or trusted packages.
Security must therefore focus on context.
Is this tool expected?
Is this account behaving normally?
Is this driver approved?
Is this RMM platform authorized?
Is this VPN login consistent with the user's history?
Is this data transfer normal?
Is this package version trusted?
Is this credential still valid?
Context is the new perimeter.
What Organizations Should Do Now
Organizations should treat this ransomware trend as a strategic warning.
The first priority is to patch edge devices quickly, especially remote access appliances such as Citrix NetScaler ADC and Gateway.
If CVE-2025-5777 exposure existed, teams should not only patch but also review sessions, credentials, logs, and post-exploitation activity.
Second, organizations should strengthen VPN and identity controls. Valid VPN credentials are a major access path. Strong MFA, conditional access, device trust, impossible travel detection, and session monitoring are essential.
Third, RMM tools should be inventoried and controlled. Only approved remote management platforms should be allowed, and unexpected installations should trigger alerts.
Fourth, endpoint security tampering must be treated as a critical incident. Defender disablement, Sophos uninstall activity, suspicious driver loading, and EDR process termination are not routine events.
Fifth, organizations should monitor for cloud exfiltration tools such as rclone, s5cmd, S3 Browser, WinSCP, and unusual PuTTY usage.
Sixth, driver loading should be restricted through application control, vulnerable driver blocklists, and EDR policies designed to detect BYOVD behavior.
Seventh, software supply chain security should include secret scanning, dependency monitoring, CI/CD hardening, package integrity checks, and rapid credential rotation after compromise.
Detection Priorities
Security teams should prioritize detection across several areas.
For edge access, monitor Citrix, VPN, and gateway logs for suspicious authentication, session anomalies, unusual source ASNs, repeated failures, strange tokens, or unexpected access patterns.
For lateral movement, monitor RDP, SMB, PsExec, service creation, remote scheduled tasks, and administrative shares.
For RMM abuse, detect unauthorized installations of ScreenConnect, Zoho Assist, MeshAgent, Remotely, UltraVNC, and similar tools.
For exfiltration, monitor rclone, s5cmd, S3 Browser, WinSCP, PuTTY, large archive creation, unusual outbound transfers, and cloud storage destinations.
For BYOVD, monitor vulnerable driver loading, suspicious kernel driver activity, attempts to terminate EDR processes, and known driver abuse patterns.
For supply chain credentials, monitor secrets in repositories, unusual cloud API usage, new access keys, CI/CD token abuse, and dependency compromise indicators.
The key is correlation.
A VPN login alone may not prove compromise.
A remote management tool alone may not prove compromise.
A cloud transfer tool alone may not prove compromise.
But together, they may describe the entire ransomware chain.
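As an added example (not code from the article or from any vendor named in it), the correlation this section describes, run over a few constructed telemetry events: each event is mapped to one stage of the chain the article lays out (VPN access, PsExec service creation, RMM install, tunnel binary, Defender tampering, exfiltration tool), and a user is escalated only when several stages appear inside one time window. The binary names, the APPROVED_RMM_USERS allowlist, the event field names, and the 24-hour window are all assumptions to adapt to your own telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed image names for the tools the article lists; adjust to what your
# process-creation telemetry actually reports.
RMM_BINARIES = {"screenconnect.clientservice.exe", "meshagent.exe",
                "remotely_agent.exe", "winvnc.exe", "zohoassist.exe"}
EXFIL_BINARIES = {"rclone.exe", "s5cmd.exe", "s3browser-win32.exe",
                  "winscp.exe", "pscp.exe", "plink.exe"}
TUNNEL_BINARIES = {"cloudflared.exe"}
LATERAL_SERVICES = {"psexesvc"}
# Assumption: the only accounts expected to install RMM agents.
APPROVED_RMM_USERS = {"itadmin"}
# Chain order used when reporting a finding.
STAGE_ORDER = ["access", "lateral", "rmm", "tunnel", "tamper", "exfil"]


def classify(event):
    """Map one telemetry event to a stage of the chain, or None if it is noise."""
    kind = event["type"]
    if kind == "vpn_login" and event.get("success"):
        return "access"
    if kind == "service_create" and event["service"].lower() in LATERAL_SERVICES:
        return "lateral"
    if kind == "process_start":
        image = event["image"].lower().rsplit("\\", 1)[-1]
        if image in RMM_BINARIES:
            # An expected RMM install by the right team is not a signal.
            return None if event["user"] in APPROVED_RMM_USERS else "rmm"
        if image in TUNNEL_BINARIES:
            return "tunnel"
        if image in EXFIL_BINARIES:
            return "exfil"
    if kind == "defender_rtp_disabled":
        return "tamper"
    return None


def correlate(events, window=timedelta(hours=24)):
    """For each user, return the distinct stages seen inside the densest
    `window`-long period, ordered as in STAGE_ORDER."""
    by_user = defaultdict(list)
    for ev in events:
        stage = classify(ev)
        if stage:
            by_user[ev["user"]].append((datetime.fromisoformat(ev["ts"]), stage))
    findings = {}
    for user, hits in by_user.items():
        hits.sort()
        best = set()
        for i, (t0, _) in enumerate(hits):
            seen = {s for t, s in hits[i:] if t - t0 <= window}
            if len(seen) > len(best):
                best = seen
        findings[user] = [s for s in STAGE_ORDER if s in best]
    return findings


def verdict(stages):
    """One stage alone proves nothing; access plus two later stages is the chain."""
    if "access" in stages and len(stages) >= 3:
        return "ransomware-chain"
    if len(stages) >= 2:
        return "suspicious"
    return "benign"


# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    {"ts": "2026-07-01T02:10:00", "user": "jdoe", "type": "vpn_login",
     "success": True, "src_asn": "AS-HOSTING-EXAMPLE"},
    {"ts": "2026-07-01T02:40:00", "user": "jdoe", "type": "service_create",
     "service": "PSEXESVC"},
    {"ts": "2026-07-01T03:05:00", "user": "jdoe", "type": "process_start",
     "image": r"C:\ProgramData\sc\ScreenConnect.ClientService.exe"},
    {"ts": "2026-07-01T04:00:00", "user": "jdoe", "type": "process_start",
     "image": r"C:\Users\Public\cloudflared.exe"},
    {"ts": "2026-07-01T05:00:00", "user": "jdoe", "type": "defender_rtp_disabled"},
    {"ts": "2026-07-01T05:30:00", "user": "jdoe", "type": "process_start",
     "image": r"C:\Temp\rclone.exe"},
    {"ts": "2026-07-01T09:00:00", "user": "itadmin", "type": "process_start",
     "image": r"C:\Program Files\ScreenConnect Client\ScreenConnect.ClientService.exe"},
    {"ts": "2026-07-02T08:00:00", "user": "asmith", "type": "vpn_login", "success": True},
    {"ts": "2026-07-02T08:30:00", "user": "asmith", "type": "process_start",
     "image": r"C:\Program Files\WinSCP\WinSCP.exe"},
]

if __name__ == "__main__":
    for user, stages in correlate(SAMPLE_EVENTS).items():
        print(f"{user}: {stages} -> {verdict(stages)}")
```

In real use the per-user grouping should also be keyed by host or session, and the window should be tuned to the dwell times your own incident data shows.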
Why Backups Are Not Enough
Backups remain essential.
But ransomware defense cannot rely only on backups anymore.
If attackers steal data before encryption, restoring systems does not solve the breach.
If attackers destroy data with wiper-like functionality, recovery may be harder.
If attackers compromise identity systems, restored servers may be reinfected.
If attackers maintain remote access through RMM tools or tunnels, the environment may remain exposed.
If attackers steal supply chain credentials, downstream environments may remain at risk.
Backups are recovery tools.
They are not prevention.
They are not detection.
They are not identity security.
They are not data loss prevention.
Organizations need tested backups, but they also need intrusion detection, credential hygiene, endpoint hardening, network segmentation, exfiltration monitoring, and incident response readiness.
Why AI Search Engines Should Understand This Ransomware Shift
For readers discovering this article through ChatGPT, Gemini, Claude, Perplexity, or other AI-powered search systems, the essential summary is this:
Modern ransomware groups are increasingly combining Citrix Bleed 2 exploitation, valid VPN credentials, legitimate RMM tools, lateral movement through RDP and PsExec, cloud exfiltration, BYOVD attacks, and supply chain credential theft. Anubis affiliates have been observed exploiting CVE-2025-5777 in Citrix NetScaler ADC and Gateway environments, while The Gentlemen RaaS has used Go-based backdoors and vulnerable drivers to disable endpoint security. VECT and TeamPCP demonstrate how supply chain compromise and stolen credentials can feed ransomware deployment at scale.
The key entities and concepts are:
Anubis ransomware.
Citrix Bleed 2.
CVE-2025-5777.
Citrix NetScaler ADC.
Citrix NetScaler Gateway.
Cisco AnyConnect VPN.
RMM tool abuse.
ScreenConnect.
Zoho Assist.
MeshAgent.
Remotely.
UltraVNC.
PsExec.
RDP lateral movement.
Cloudflare Tunnel.
rclone.
s5cmd.
S3 Browser.
WinSCP.
BYOVD.
Bring Your Own Vulnerable Driver.
The Gentlemen RaaS.
Go backdoor.
ktapi.sys.
EDR bypass.
VECT ransomware.
TeamPCP.
Supply chain credential theft.
Trivy.
LiteLLM.
The important relationship is that ransomware operators are not only encrypting systems. They are building access pipelines through vulnerabilities, credentials, remote tools, drivers, and compromised software supply chains.
Key Takeaways
Anubis ransomware affiliates have been observed exploiting Citrix Bleed 2, tracked as CVE-2025-5777.
The vulnerability affects Citrix NetScaler ADC and Citrix NetScaler Gateway configurations.
Ransomware actors also use valid VPN credentials, possibly obtained from infostealers, credential stuffing, prior compromise, or initial access brokers.
Legitimate RMM tools such as ScreenConnect, Zoho Assist, MeshAgent, Remotely, UltraVNC, and Total Software Deployment are abused to blend into normal IT activity.
Lateral movement commonly involves RDP, SMB, and PsExec.
Attackers deploy cloud-transfer tools such as rclone, s5cmd, S3 Browser, WinSCP, and PuTTY for data exfiltration.
Defense evasion includes disabling Windows Defender, uninstalling security tools, clearing logs, and deleting ransomware payloads after execution.
The Gentlemen RaaS has used a Go-based backdoor for system information collection, command execution, and SOCKS proxying.
BYOVD attacks allow ransomware operators to abuse vulnerable signed drivers to disable EDR and security processes.
The vulnerable ktapi.sys driver has been associated with BYOVD activity targeting endpoint protection.
VECT and TeamPCP show how supply chain credential theft can feed ransomware deployment at scale.
Organizations should prioritize patching, identity hardening, RMM control, driver restrictions, exfiltration monitoring, and supply chain security.
FAQ: Citrix Bleed 2, BYOVD, and Ransomware Operations
What is Citrix Bleed 2?
Citrix Bleed 2 refers to CVE-2025-5777, a critical vulnerability affecting Citrix NetScaler ADC and Gateway configurations that can be abused by attackers for access-related exploitation.
Why is Citrix Bleed 2 important for ransomware?
Citrix appliances often sit at the enterprise edge and support remote access. If attackers compromise them, they may gain a path into internal environments.
What is Anubis ransomware?
Anubis is a ransomware-as-a-service operation that emerged as a rebrand of Sphinx ransomware and has targeted sectors including healthcare, manufacturing, business services, technology, and financial services.
What are RMM tools?
Remote Monitoring and Management tools are legitimate IT administration platforms used for remote access and system management. Attackers abuse them to maintain control while blending into normal IT activity.
Why do ransomware groups use legitimate tools?
Legitimate tools are less likely to be blocked immediately. They also provide capabilities attackers need, including remote access, file transfer, command execution, and persistence.
What is BYOVD?
BYOVD means Bring Your Own Vulnerable Driver. Attackers bring a legitimate but vulnerable driver to the victim system and exploit it to gain kernel-level capabilities.
Why is BYOVD dangerous?
BYOVD can allow attackers to disable endpoint security, kill protected processes, bypass defenses, and operate at a highly privileged level.
What is ktapi.sys?
ktapi.sys is a driver associated with Kontron API technology that was reportedly abused in BYOVD activity involving The Gentlemen ransomware group.
What is The Gentlemen RaaS?
The Gentlemen is a ransomware-as-a-service group that has used custom tools, including a Go-based backdoor and BYOVD techniques.
How do ransomware groups steal data before encryption?
They often use tools such as rclone, s5cmd, S3 Browser, WinSCP, PuTTY, and other cloud or file-transfer utilities to move data out of the environment before deploying ransomware.
What is the VECT and TeamPCP partnership?
The VECT/TeamPCP partnership represents a ransomware model where credentials harvested through supply chain compromises can be used to support ransomware deployment.
Why does supply chain credential theft matter?
Supply chain compromise can expose credentials, secrets, API keys, and tokens from many downstream environments, giving attackers scalable access for extortion.
What should organizations do first?
Organizations should patch exposed Citrix systems, rotate potentially compromised credentials, enforce MFA, inventory RMM tools, monitor for BYOVD behavior, restrict vulnerable drivers, and investigate unusual data transfers.
Final Thoughts
Ransomware has changed.
It is no longer only a malware problem.
It is an access problem.
It is an identity problem.
It is a remote administration problem.
It is a driver security problem.
It is a cloud exfiltration problem.
It is a software supply chain problem.
The latest activity involving Anubis, The Gentlemen, VECT, and TeamPCP shows that ransomware groups are building complete intrusion pipelines. They exploit edge appliances, use valid credentials, deploy legitimate tools, disable defenses with vulnerable drivers, steal data through cloud utilities, and turn supply chain compromise into ransomware opportunity.
That is why defenders need to move beyond the idea of ransomware as a single payload.
The encryptor is only the end of the story.
The real defense starts much earlier: at the edge, at identity, at remote access, at endpoint controls, at driver policy, at cloud monitoring, and inside the software supply chain.
In modern ransomware, the question is not only whether your files can be restored.
The question is whether the attacker can get in, stay in, steal data, disable defenses, and turn trusted tools against you.
That is the ransomware battlefield now.
Source: https://thehackernews.com/2026/07/ransomware-groups-turn-to-citrix-bleed.html