logo

Ransomware Groups Turn to Citrix Bleed 2, BYOVD, and Supply Chain Credentials

ID: c7b5b5c6-ec3d-5d08-aa96-e5c0bb47efb5

STIX ID: report--c7b5b5c6-ec3d-5d08-aa96-e5c0bb47efb5

Feed Name: The Hacker News

Threat Score
88/100

Date Published: 2026-07-02

Date Updated: 2026-07-03

Author: [email protected] (The Hacker News)

...
...

The report describes active ransomware operations (Anubis and others) exploiting Citrix Bleed 2 (CVE-2025-5777) and using valid VPN logins, credential theft, and legitimate RMM tools to move laterally, exfiltrate data with tools like rclone and s3 browser, and deploy destructive ransomware that includes an irreversible wiper mode; it also covers The Gentlemen backdoor which enables command execution and SOCKS proxying, a BYOVD zero-day exploiting ktapi.sys to disable endpoint protections, and the VECT/TeamPCP collaboration that amplifies supply-chain credential theft and ransomware distribution.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.