Ransomware groups use Citrix flaw, stolen VPN logins and supply chain credentials

by

Arctic Wolf technical analysis and other research show how ransomware crews tied to Anubis, The Gentlemen, VECT and TeamPCP are combining the Citrix Bleed 2 flaw, valid VPN logins, BYOVD techniques and supply chain credential theft to breach victims and move across networks.

KEY FACTS

  • Citrix flaw: CVE-2025-5777 was used for initial access in observed attacks.
  • Access tools: Attackers used legitimate RMM tools, RDP, PsExec and Cloudflare Tunnel.
  • Data theft: Tools including rclone, WinSCP and PuTTY were used before ransomware deployment.
  • Other groups: Separate research linked The Gentlemen to a Go backdoor and a zero-day BYOVD exploit.
  • Supply chain angle: VECT and TeamPCP were tied to credential theft from Trivy and LiteLLM supply chain attacks.

The Anubis activity involved both exploitation of CVE-2025-5777 and use of valid Cisco AnyConnect VPN credentials, with the exact source of those credentials still unknown. Arctic Wolf said the access was followed by RDP and SMB activity, credential theft, PsExec service creation and deployment of remote management tools used to stay embedded in victim systems.

Observed intrusions also included attempts to weaken defenses and slow analysis, including disabling Windows Defender real-time protection, SophosUninstall activity, log clearing and, in one case, deletion of an Anubis encryptor after execution. The group has claimed 91 victims on its leak site, with more than half in the United States.
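The post-access behaviours described in the two paragraphs above (PsExec service creation, staging of rclone/WinSCP/PuTTY, disabling Defender real-time protection, log clearing) each leave a distinct Windows event, and a defender's value comes from correlating them per host rather than alerting on any one in isolation. The following is an added example, not code from Arctic Wolf or from the article: it runs simple rules over a handful of constructed event records in a simplified schema (the `host`/`log`/`event_id`/`fields` keys are this example's own, not a real EVTX parser; the event IDs 5001, 7045, 4688, 1102 and 104 are the genuine Windows ones for each log source) and escalates a host that shows several stages of the chain.

```python
"""Per-host correlation of the intrusion stages described in the article:
Defender real-time protection disabled, PsExec service install, exfil tool
execution and event-log clearing. Example code, not from the original report."""
from collections import defaultdict

# Constructed sample events. The schema (host/log/event_id/fields) is this
# example's own simplification; the event IDs match the real Windows sources.
SAMPLE_EVENTS = [
    {"host": "fs01", "log": "Microsoft-Windows-Windows Defender/Operational",
     "event_id": 5001, "fields": {}},                         # real-time protection disabled
    {"host": "fs01", "log": "System", "event_id": 7045,       # service installed
     "fields": {"ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"}},
    {"host": "fs01", "log": "Security", "event_id": 4688,     # process creation
     "fields": {"NewProcessName": "C:\\Users\\Public\\rclone.exe",
                "CommandLine": "rclone.exe copy D:\\Finance remote:bucket"}},
    {"host": "fs01", "log": "Security", "event_id": 1102, "fields": {}},  # audit log cleared
    {"host": "ws07", "log": "System", "event_id": 7045,       # benign service install
     "fields": {"ServiceName": "Spooler", "ImagePath": "C:\\Windows\\System32\\spoolsv.exe"}},
    {"host": "ws07", "log": "Security", "event_id": 4688,
     "fields": {"NewProcessName": "C:\\Windows\\explorer.exe", "CommandLine": "explorer.exe"}},
]

# Transfer tools named in the reporting (rclone, WinSCP, PuTTY family binaries).
EXFIL_TOOLS = {"rclone.exe", "winscp.exe", "putty.exe", "pscp.exe", "plink.exe"}


def classify(event):
    """Map one event to a stage label, or None when it matches no rule."""
    log, eid, f = event["log"], event["event_id"], event["fields"]
    if log.endswith("Windows Defender/Operational") and eid == 5001:
        return "defender_realtime_disabled"
    if (log == "Security" and eid == 1102) or (log == "System" and eid == 104):
        return "event_log_cleared"
    if log == "System" and eid == 7045:
        # PsExec installs its helper service as PSEXESVC; match on name or image path.
        if "PSEXESVC" in (f.get("ServiceName", "") + f.get("ImagePath", "")).upper():
            return "psexec_service_installed"
    if log == "Security" and eid == 4688:
        exe = f.get("NewProcessName", "").rsplit("\\", 1)[-1].lower()
        if exe in EXFIL_TOOLS:
            return "exfil_tool_executed"
    return None


def detect(events):
    """Group stage labels per host and rate severity by how much of the chain is present."""
    per_host = defaultdict(list)
    for ev in events:
        label = classify(ev)
        if label:
            per_host[ev["host"]].append(label)
    report = {}
    for host, labels in per_host.items():
        stages = set(labels)
        if len(stages) >= 3:
            severity = "critical"          # several distinct stages on one host
        elif stages & {"defender_realtime_disabled", "event_log_cleared"}:
            severity = "high"              # defense evasion alone is rarely benign
        else:
            severity = "medium"
        report[host] = {"findings": labels, "severity": severity}
    return report


if __name__ == "__main__":
    for host, result in detect(SAMPLE_EVENTS).items():
        print(host, result["severity"], result["findings"])
```

In the constructed data, `fs01` shows four distinct stages and is rated critical, while `ws07`'s ordinary Spooler service install and explorer launch produce no finding at all; in production the same per-host grouping would be keyed on a time window so that a Defender disable followed minutes later by a log clear is surfaced as one incident.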

Separate reporting on The Gentlemen said the group used stolen or weak credentials, lateral movement through Group Policy or PsExec and a Go-based backdoor that could collect system data, establish a SOCKS proxy and execute commands. Another disclosure said the group used a zero-day in a Kontron driver to gain kernel-level access and disable security products.

Sophos also said VECT and TeamPCP formed a partnership in March 2026 that linked ransomware deployment with supply chain credential theft, after TeamPCP had previously operated under the CipherForce brand. The report said the alliance was built to scale attacks across organizations compromised in the Trivy and LiteLLM incidents.

WHY IT MATTERS

The findings show ransomware groups are mixing valid credentials, public exploits, commercial remote tools and supply chain access to make intrusions harder to detect and interrupt. That combination can widen exposure across different sectors and make recovery more difficult once data theft or destructive behavior begins.