"Anubis affiliates repeatedly abused legitimate remote access and administration tools," Arctic Wolf reported — a concise summary of a wider trend now linking Citrix Bleed 2, BYOVD, and supply-chain credential theft to multiple ransomware families.
Anubis RaaS, Citrix Bleed 2 (CVE-2025-5777), and a growing victim count
Anubis, a ransomware-as-a-service operation that rebranded from Sphinx in late 2024 and publicly announced itself on the RAMP forum in February 2025, has claimed 91 victims on its data leak site, 11 of them in June 2026, according to Ransomware.Live. Arctic Wolf’s recent report ties a series of intrusions this year to exploitation of Citrix Bleed 2 (CVE-2025-5777), a critical authentication-bypass flaw (CVSS 9.3) affecting Citrix NetScaler ADC and Gateway when configured as a Gateway or AAA virtual server.
Tradecraft: VPN logins, RDP/PsExec lateral moves, and legitimate RMM tools
Arctic Wolf documented a repeatable pattern across Anubis affiliate intrusions: attackers gained initial access either by exploiting CVE-2025-5777 or by using valid VPN credentials, then moved laterally via RDP and PsExec. The company observed valid Cisco AnyConnect logins originating from hosting ASNs including AS20473 (The Constant Company) and AS55286 (ServerMania). Malicious VPN authentication commonly preceded RDP/SMB activity, credential harvesting, creation of PsExec services, deployment of remote monitoring and management (RMM) tooling, and invocation of cloud-transfer utilities for exfiltration.
To maintain persistence while blending into normal operations, the actors repeatedly used legitimate RMM and remote-access tools: ScreenConnect, Zoho Assist, MeshAgent, Remotely, UltraVNC, and Total Software Deployment. Some intrusions also established Cloudflare Tunnel (cloudflared) connections to reach victim environments.
Data staging, defense tampering, and artifact deletion
Once inside, attackers collected credentials and staged data with tools such as S3 Browser, rclone, s5cmd, WinSCP, and PuTTY before triggering ransomware. Arctic Wolf described a set of deliberate steps to impair detection and complicate analysis: disabling Windows Defender real-time protection, running SophosUninstall, leaving PCHunter-related artifacts, and clearing or manipulating logs across systems. In at least one case, an Anubis encryptor was deleted after execution, shrinking on-disk artifacts available for defenders and investigators.
The Gentlemen RaaS, a Go backdoor, and BYOVD exploiting ktapi.sys
Kaspersky’s analysis links The Gentlemen RaaS group to breaches that began with known-vulnerability exploits and stolen or weak logins, followed by deployment of a Go-based backdoor. The implant gathers system information and communicates to 81.177.215[.]15:9443 over a bidirectional TCP channel, exfiltrating data and awaiting operator instructions. If the operator response byte is "c," the implant executes the payload via cmd.exe; if "s," the implant establishes a SOCKS proxy — functionality Kaspersky says supports internal pivoting and expanded scanning inside victim networks.
Expel detailed how The Gentlemen have also weaponized a zero-day in a third‑party vendor driver as part of bring-your-own-vulnerable-driver (BYOVD) tactics. The implicated file is ktapi.sys, an API driver associated with Kontron. According to Expel, the driver’s flaw was used to gain kernel-level access, bypass Windows protections, and kill protected security processes tied to Microsoft, ESET, Palo Alto Networks, and SentinelOne. Security researcher Marcus Hutchins told reporters, "It's still unclear how the threat actors came into possession of the file or gained knowledge of its vulnerability," while warning that BYOVD rapidly enables attackers to disable modern endpoint defenses.
VECT and TeamPCP: supply chain credential theft meets ransomware
Sophos’ Counter Threat Unit reported on a formal partnership announced in March 2026 between VECT and TeamPCP to combine supply-chain-driven credential theft with ransomware deployment. Prior to the pact, TeamPCP operated a ransomware brand called CipherForce; CipherForce listed six victims in February 2026 and the group later rebranded its leak site as TeamPCP in May. Check Point and JUMPSEC analyses found an implementation flaw in VECT that destroyed files larger than 128 KB instead of encrypting them; TeamPCP disputed using VECT’s encryptor, stating, "We own CipherForce, our own private locker." Sophos characterized the VECT/TeamPCP alliance as an "unprecedented model of industrialized ransomware deployment" that lowers barriers for large-scale attacks.
What this means for technologists, procurement leaders, and regulators
- Technologists and security teams should prioritize detection and mitigation for CVE-2025-5777 exploitation, monitor anomalous AnyConnect logins (including traffic from AS20473 and AS55286), and hunt for post‑compromise signals described by Arctic Wolf — unauthorized RMM tool installations, cloudflared tunnels, Windows Defender disablement, Sophos uninstall attempts, PCHunter artifacts, and signs of encryptor deletion.
- Procurement and IT asset managers must scrutinize third‑party drivers and firmware — the ktapi.sys BYOVD case demonstrates how a vendor component can be weaponized to bypass endpoint protections; supply-chain credential theft also demands tighter controls around build and distribution chains.
- Policymakers and regulators should note the operational convergence Sophos highlights: RaaS monetization (Anubis’ affiliate model and advertised profit splits), weaponized supply-chain compromises, and BYOVD techniques together create a scalable, industrialized threat model that complicates response and liability frameworks.
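The hunt the first bullet recommends can be expressed as a correlation over authentication and endpoint telemetry: a VPN login from one of the hosting ASNs named in the Arctic Wolf report, followed within a few hours by the post-compromise signals the report lists (PsExec service creation, RMM installation, Defender real-time protection disabled). The script below is an added illustration, not code from Arctic Wolf or any vendor; the log lines, the IP-to-ASN table, the event names and the six-hour window are constructed assumptions standing in for a real SIEM query and ASN lookup.

```python
"""Correlate hosting-ASN VPN logins with follow-on intrusion signals.
Added example; SAMPLE_LOG and IP_TO_ASN are constructed, not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IP -> ASN table; a real deployment would use an ASN lookup service.
IP_TO_ASN = {"203.0.113.10": "AS20473", "198.51.100.7": "AS55286", "192.0.2.44": "AS64496"}
HOSTING_ASNS = {"AS20473", "AS55286"}  # ASNs named in the Arctic Wolf report
# Event names are assumed normalised labels for the report's post-compromise signals.
SUSPECT_FOLLOW_ONS = {"psexec_service_created", "rmm_installed", "defender_rtp_disabled"}
WINDOW = timedelta(hours=6)  # assumed dwell window between login and follow-on

# Constructed sample events: "timestamp|event|user|src_ip|host"
SAMPLE_LOG = """\
2026-06-02T01:10:00|vpn_login|jdoe|203.0.113.10|-
2026-06-02T02:45:00|psexec_service_created|jdoe|-|FS01
2026-06-02T03:00:00|rmm_installed|jdoe|-|FS01
2026-06-02T09:00:00|vpn_login|asmith|192.0.2.44|-
2026-06-02T09:30:00|rmm_installed|asmith|-|WS22
2026-06-03T11:00:00|vpn_login|bkim|198.51.100.7|-
"""

def parse(log):
    """Turn pipe-delimited lines into (timestamp, event, user, src_ip, host) tuples."""
    events = []
    for line in log.splitlines():
        ts, event, user, src, host = line.split("|")
        events.append((datetime.fromisoformat(ts), event, user, src, host))
    return events

def hunt(log):
    """Return {user: [event@host, ...]} for users whose VPN login came from a
    hosting ASN and who produced a suspect follow-on event within WINDOW.
    Logins from unknown or non-hosting ASNs, and flagged logins with no
    follow-on, are not reported (tune these as your environment requires)."""
    events = parse(log)
    flagged_logins = [(ts, user) for ts, ev, user, src, _ in events
                      if ev == "vpn_login" and IP_TO_ASN.get(src) in HOSTING_ASNS]
    hits = defaultdict(list)
    for login_ts, user in flagged_logins:
        for ts, ev, u, _, host in events:
            if u == user and ev in SUSPECT_FOLLOW_ONS and login_ts <= ts <= login_ts + WINDOW:
                hits[user].append(f"{ev}@{host}")
    return dict(hits)

if __name__ == "__main__":
    for user, signals in hunt(SAMPLE_LOG).items():
        print(f"ALERT {user}: hosting-ASN VPN login followed by {', '.join(signals)}")
```

In the sample data only jdoe is reported: asmith's RMM install follows a login from an ASN outside the watchlist, and bkim's hosting-ASN login has no follow-on within the window.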
These cases show ransomware actors mixing a high-severity authentication bypass, stolen or brokered credentials, legitimate remote management tooling, zero-day weaponization of vendor drivers, and supply-chain credential theft — a composite playbook that complicates detection and response. Defenders can map the sequence Arctic Wolf, Kaspersky, Expel, and Sophos describe; the harder question is whether defensive practice and vendor governance can tighten fast enough to interrupt the next link in the chain.