
Anubis RaaS Affiliates Exploit CVE-2025-5777 Citrix Bleed 2 Alongside RMM Abuse and Defense Evasion
Anubis operators demonstrate rapid integration of CVE-2025-5777 with commodity RMM tooling and pre-obtained VPN credentials. Reporting highlights hands-on tradecraft but misses the broader diffusion risk across RaaS ecosystems and the role of IAB credential pipelines. Continued focus on NetScaler telemetry and anomalous remote admin binaries is required to disrupt the observed access-to-ransom pipeline.
Arctic Wolf observed multiple intrusions this year where attackers leveraged the Citrix flaw on Gateway-configured appliances to obtain unauthenticated sessions, then pivoted via RDP, PsExec, and tools including ScreenConnect, Zoho Assist, and cloudflared. Credential harvesting followed with subsequent exfiltration via rclone and S3 Browser before ransomware and wiper deployment. Defense evasion included Windows Defender disablement, Sophos uninstalls, and log manipulation. The exact provenance of Cisco AnyConnect credentials from AS20473 and AS55286 remains untraced in the reporting. Rubrik Zero Labs previously documented Anubis profit splits and irreversible wipe mode, but did not connect these to the specific initial-access vector now confirmed.

This pattern aligns with post-2023 Citrix NetScaler exploitation waves where IABs and RaaS affiliates rapidly weaponized auth bypasses before patches propagate. Arctic Wolf's focus on Anubis tradecraft understates the speed of diffusion: similar RMM-plus-BYO-credential chains have appeared in LockBit and BlackCat successors within weeks of prior CVEs. Supply-chain credential theft via stealers or prior breaches supplies the second factor that makes single-vulnerability exploits viable against segmented environments.

Enterprise monitoring of anomalous RMM binaries from unexpected ASNs and NetScaler AAA logs will surface these campaigns earlier than signature-based detection. Within 90 days, expect documented cases of the same Citrix vector chained with signed vulnerable drivers for kernel-level AV bypass as groups iterate on observed evasion gaps.
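As an added example (not code from Arctic Wolf, Rubrik or the reporting), the monitoring idea above turned into detection logic run over constructed process-creation telemetry: the tool-name fragments come from the report, while the key=value record format, the AS64496 corporate ASN and the ITJUMP01 sanctioned jump host are assumptions.

```python
import re
from typing import Dict, List

# Image-path fragments for the remote-admin and exfiltration tools the report names.
# Substring matching is a deliberate heuristic: vendors rename binaries between versions.
WATCHED_TOOLS = {
    "screenconnect": "RMM", "zoho": "RMM", "cloudflared": "tunnel",
    "rclone": "exfil", "s3browser": "exfil", "psexec": "lateral-movement",
}
# Constructed assumptions: the jump host where RMM use is sanctioned, and the
# corporate ISP ASN (AS64496 is taken from the RFC 5398 documentation range).
SANCTIONED_RMM_HOSTS = {"ITJUMP01"}
EXPECTED_ASNS = {"AS64496"}

KV = re.compile(r"(\w+)=(\S+)")

def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed 'key=value' process-creation record into a dict."""
    return dict(KV.findall(line))

def assess(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event is anomalous; an empty list means benign."""
    reasons = []
    image = event.get("image", "").lower()
    for fragment, category in WATCHED_TOOLS.items():
        if fragment in image:
            if category == "RMM" and event.get("host") in SANCTIONED_RMM_HOSTS:
                continue  # sanctioned RMM on the IT jump host is expected, not a finding
            reasons.append(f"{category} tool: {fragment}")
    asn = event.get("src_asn")
    if asn and asn not in EXPECTED_ASNS:
        reasons.append(f"session from unexpected {asn}")
    return reasons

def analyze(lines: List[str]) -> List[Dict[str, object]]:
    """Run assess() over every record and keep only the events with findings."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        reasons = assess(ev)
        if reasons:
            findings.append({"host": ev.get("host"), "image": ev.get("image"), "reasons": reasons})
    return findings

# Constructed sample telemetry (not taken from the reporting).
SAMPLE_LINES = [
    "ts=2026-01-14T03:10:02Z host=FS01 user=svc_backup image=C:\\Windows\\System32\\svchost.exe src_asn=AS64496",
    "ts=2026-01-14T03:12:07Z host=FS01 user=svc_backup image=C:\\Users\\Public\\cloudflared.exe src_asn=AS20473",
    "ts=2026-01-14T03:15:41Z host=FS01 user=svc_backup image=C:\\Temp\\rclone.exe src_asn=AS64496",
    "ts=2026-01-14T03:20:13Z host=DC01 user=admin image=C:\\Tools\\PsExec64.exe src_asn=AS55286",
    "ts=2026-01-14T09:00:00Z host=ITJUMP01 user=helpdesk image=C:\\ScreenConnect\\ScreenConnect.WindowsClient.exe src_asn=AS64496",
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LINES):
        print(finding)
```

The ASN allowlist and sanctioned-host set are where a real deployment needs tuning; the point is that a remote-admin binary is only anomalous relative to where it is expected to run and where its session originates.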
Arctic Wolf: 15+ additional confirmed Anubis intrusions via CVE-2025-5777 documented by 30 September 2026
Sources (2)
- [1] [Arctic Wolf Threat Report](https://arcticwolf.com/resources/threat-reports/anubis-citrix-bleed-2026)
- [2] [Rubrik Zero Labs RaaS Analysis](https://rubrik.com/zero-labs/anubis-raas-2025)