Ransomware Groups Turn to Citrix Bleed 2, BYOVD, and Supply Chain Credentials
Anubis ransomware affiliates exploit Citrix Bleed 2 (CVE-2025-5777) and valid VPN credentials for initial access, leveraging legitimate RMM tools for persistence and lateral movement. The Gentlemen RaaS group utilizes a custom Go-based backdoor and Bring Your Own Vulnerable Driver (BYOVD) techniques to bypass endpoint security and achieve kernel-level access. Both groups employ aggressive defense evasion strategies, including disabling antivirus software, clearing logs, and deleting encryptors p
Analysis
TL;DR
- Anubis ransomware affiliates exploit Citrix Bleed 2 (CVE-2025-5777) and valid VPN credentials for initial access, leveraging legitimate RMM tools for persistence and lateral movement.
- The Gentlemen RaaS group utilizes a custom Go-based backdoor and Bring Your Own Vulnerable Driver (BYOVD) techniques to bypass endpoint security and achieve kernel-level access.
- Both groups employ aggressive defense evasion strategies, including disabling antivirus software, clearing logs, and deleting encryptors post-execution to hinder forensic analysis.
- Anubis uses an irreversible data-wiping feature (/WIPEMODE) to increase pressure on victims, while The Gentlemen uses SOCKS proxies to pivot within networks.
Why It Matters
This highlights a significant shift in ransomware tradecraft where threat actors increasingly rely on legitimate administrative tools (RMM) and supply chain vulnerabilities (BYOVD) to blend in with normal IT operations, making detection difficult for traditional security monitoring. It underscores the critical risk posed by unpatched infrastructure components like Citrix NetScaler and the growing effectiveness of kernel-level exploits in neutralizing modern endpoint protection platforms.
Technical Details
- Anubis TTPs: Exploits CVE-2025-5777 (CVSS 9.3) in Citrix NetScaler ADC/Gateway; abuses tools like ScreenConnect, Zoho Assist, and MeshAgent for lateral movement; employs cloud-transfer tools (rclone, WinSCP) and Cloudflare Tunnels for exfiltration.
- The Gentlemen Backdoor: A Go-based implant that establishes bidirectional TCP connections, executes commands via
cmd.exe, and sets up SOCKS proxies for network pivoting; communicates with C2 server81.177.215[.]15:9443. - BYOVD Exploitation: The Gentlemen weaponizes a zero-day vulnerability in
ktapi.sys(Kontron API) to gain kernel access, allowing them to kill protected processes from Microsoft, ESET, Palo Alto Networks, and SentinelOne. - Defense Evasion: Anubis disables Windows Defender and Sophos, manipulates logs, and deletes the encryptor binary after execution; The Gentlemen uses kernel-level access to bypass security controls entirely.
Industry Insight
Organizations must prioritize patching critical infrastructure vulnerabilities like Citrix Bleed 2 and implement strict network segmentation to limit lateral movement via RDP and SMB. Security teams should enhance monitoring for anomalous usage of legitimate RMM and remote access tools, as well as detect kernel-level process termination activities indicative of BYOVD attacks. Additionally, adopting zero-trust architectures and verifying the integrity of third-party drivers can mitigate the risks associated with supply chain and kernel exploits.
Disclaimer: The above content is generated by AI and is for reference only.