Ransomware Groups Turn to Citrix Bleed 2, BYOVD, and Supply Chain Credentials
ID: c7b5b5c6-ec3d-5d08-aa96-e5c0bb47efb5
STIX ID: report--c7b5b5c6-ec3d-5d08-aa96-e5c0bb47efb5
Feed Name: The Hacker News
The report describes active ransomware operations (Anubis and others) exploiting Citrix Bleed 2 (CVE-2025-5777) and using valid VPN logins, credential theft, and legitimate RMM tools to move laterally, exfiltrate data with tools like rclone and s3 browser, and deploy destructive ransomware that includes an irreversible wiper mode; it also covers The Gentlemen backdoor which enables command execution and SOCKS proxying, a BYOVD zero-day exploiting ktapi.sys to disable endpoint protections, and the VECT/TeamPCP collaboration that amplifies supply-chain credential theft and ransomware distribution.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
