Photo by Anastassia Anufrieva on Unsplash
- CVE-2025-5777 (Citrix Bleed 2, CVSS 9.3) was exploited by Anubis affiliates on June 23, 2025 — eleven days before a public proof-of-concept appeared — with more than 56,000 internet-reachable NetScaler services exposed at disclosure time.
- As of July 2026, Anubis ransomware has claimed 91 victims on its data leak site, with 36 confirmed in the United States and 17 American healthcare entities attacked in 2026 alone.
- 54 distinct EDR killer tools now exploit 35 vulnerable Windows drivers via BYOVD; Qilin ransomware's malicious DLL can terminate more than 300 EDR processes across virtually every major security vendor.
- The VECT–TeamPCP supply chain operation poisoned 48+ npm packages, reached 1,000+ enterprise SaaS environments, and exfiltrated approximately 300 GB of data including 500,000 credential sets.
The Threat: Three Vectors, One Industrialized Kill Chain
187 data points tracked — then over 2,600. That leap in Anubis ransomware group activity during early 2026 is the clearest signal yet that ransomware has crossed a threshold from opportunistic crime into full-scale industrial production. Reporting aggregated by Google News — drawing on analysis from The Hacker News, Sophos Counter Threat Unit, the FBI, and Veeam security research — reveals the Anubis group chaining three distinct attack vectors into a single, repeatable kill chain: a critical network appliance vulnerability, a kernel-level driver abuse technique, and a poisoned software supply chain delivering half a million harvested credentials directly into ransomware-as-a-service affiliate programs.
The initial access vector is CVE-2025-5777, informally called Citrix Bleed 2, a session-token hijacking flaw in Citrix NetScaler gateway appliances carrying a CVSS score of 9.3. Anubis affiliates first exploited it on June 23, 2025, eleven days before a public proof-of-concept emerged. CISA added the flaw to its Known Exploited Vulnerabilities catalog on July 10, 2025, logging it as one of 24 vulnerabilities confirmed in 2025 as actively exploited by ransomware operators. CISA's KEV catalog grew by 1,484 new entries in 2025 — a 20% surge in confirmed active exploitation — putting CVE-2025-5777 in distinguished and dangerous company. A separately disclosed flaw, CVE-2026-8451 (CVSS 8.8), surfaced on June 30, 2026 and was weaponized within 24 hours, confirming that Citrix appliances have become a reliable entry-point category for this threat actor class, not a one-off incident.
After gaining a foothold, affiliates deploy BYOVD (Bring Your Own Vulnerable Driver) payloads — a technique where attackers load a legitimate but exploitable Windows kernel driver to gain elevated system access and terminate endpoint detection software before it can trigger an alert. As of July 4, 2026, 54 distinct EDR killer tools leverage this technique exploiting 35 vulnerable drivers. The Qilin ransomware group's implementation deploys a malicious DLL capable of terminating more than 300 EDR processes from nearly every major vendor. A separate framework, GentleKiller, deployed by the Gentlemen gang in Q1 2026, targets more than 400 security processes across 48 products including Microsoft Defender, CrowdStrike, and SentinelOne. The Hacker News analysis observed that even running the latest Windows version with all exploit mitigations active provides no complete protection against BYOVD — a sobering constraint on pure patch-based defense strategies.
The third vector is the VECT–TeamPCP supply chain operation, announced as a formal partnership in March 2026. The campaign compromised four security and AI packages, propagated a worm across 48+ npm packages, reached more than 1,000 enterprise SaaS environments, and exfiltrated approximately 300 GB of data — including 500,000 credential sets. The FBI issued an alert after confirming that the open-source security tools Trivy and KICS, along with the BerriAI LiteLLM AI gateway, were among the poisoned packages. Those harvested credentials feed directly into RaaS affiliate marketplaces, lowering the technical barrier for any actor who can purchase access.
Blast Radius — Who Should Actually Be Worried
The Anubis group, which emerged as a rebrand of Sphinx ransomware in late 2024 and formally announced itself on the RAMP underground forum in February 2025, has claimed 91 victims on its data leak site as of July 2026 — with 11 new victims reported in June 2026 alone. Geographic distribution is heavily U.S.-weighted, with American healthcare the most targeted sector.
Chart: Confirmed Anubis ransomware victims by country as of July 2026, based on data leak site disclosures tracked by threat intelligence analysts. U.S. organizations account for more than 50% of total confirmed victims. Source: data cited by The Hacker News and Sophos Counter Threat Unit reporting.
The realistic worst-case scenario for a mid-size U.S. organization running Citrix NetScaler on the perimeter: an Anubis affiliate exploits CVE-2025-5777 to steal a valid authenticated session token — bypassing MFA (multi-factor authentication) entirely, since that token already cleared the second-factor check — then moves laterally under the cover of legitimate RMM (remote management and monitoring) tools like ScreenConnect, Zoho Assist, or MeshAgent to blend with normal IT traffic. A BYOVD payload kills the EDR in seconds. Encryption follows. Total dwell time before data loss can be measured in hours. Any organization running unpatched NetScaler, particularly in healthcare, legal, or financial services, sits squarely in the blast radius of this group's current campaign tempo.
The supply chain dimension extends that blast radius non-linearly. As Veeam's security team noted in their analysis: compromising a single vendor or package can cascade to hundreds or thousands of downstream organizations simultaneously — which is precisely what the VECT–TeamPCP npm worm demonstrated across 1,000+ enterprise environments in a single operation.
When Your AI Security Tools Become the Attack Surface
There is a bitter irony in the TeamPCP package list. Two confirmed compromised tools — Trivy and KICS — are security tools, the kind organizations deploy specifically to find vulnerabilities in their own infrastructure. The third, BerriAI's LiteLLM gateway, is AI infrastructure: the proxy layer many enterprises use to route requests across multiple large language model providers. As organizations accelerate AI tooling adoption — a dynamic that AI Trends documented in their examination of how agentic AI deployment is outpacing governance frameworks — the npm packages underpinning that AI infrastructure become high-value credential harvesting targets with disproportionate access to cloud environments, SaaS platforms, and premium API services.
Sophos Counter Threat Unit framed the structural problem precisely: the convergence of large-scale supply chain credential theft, a maturing RaaS operation, and underground forum mobilization constitutes an unprecedented model of industrialized ransomware deployment that significantly lowers the barrier to entry for cybercrime. The credentials stolen from AI development environments carry particular downstream value because they frequently include cloud provider IAM keys, API tokens for AI services, and service account credentials with broad internal SaaS permissions — the kind of access that makes lateral movement nearly invisible against normal operational traffic.
The Defense Stack That Actually Holds
Three controls, stacked in urgency order:
Patch CVE-2025-5777 and rotate all active NetScaler sessions. Citrix released fixes; over 56,000 internet-reachable NetScaler services were exposed at disclosure time, according to Shodan data. Patching closes the token theft vector going forward, but active exploitation since June 23, 2025 means some environments may already hold compromised tokens in circulation. Invalidate all active sessions after patching and rotate associated credentials. While conducting that audit, also verify status on CVE-2026-8451 (CVSS 8.8), the newer NetScaler flaw disclosed June 30, 2026 and exploited within 24 hours of public disclosure. Treating these as a class of appliance risk — not individual CVEs — is the right threat intelligence posture here.
Enforce the Microsoft vulnerable driver block list and enable EDR tamper protection. Windows Defender Application Control (WDAC) in block mode, with the current recommended driver block list enforced, closes the most common 35 BYOVD driver exploits. It won't stop every variant — the Qilin DLL uses drivers not yet on every published list — but it forces attackers to use less reliable, less tested exploits and buys detection time. Confirm that your EDR vendor has deployed BYOVD-specific kernel hardening; CrowdStrike, SentinelOne, and Microsoft Defender all released targeted hardening guidance following the GentleKiller and Qilin campaigns. Network-based detection of known malicious driver hashes functions as a compensating control (a secondary defense layer) when endpoint enforcement is uncertain or delayed by deployment complexity.
Audit your CI/CD dependency chain and rotate pipeline credentials. Run a software bill of materials (SBOM) audit against the confirmed compromised package indicators from the FBI's TeamPCP alert — specifically Trivy, KICS, and LiteLLM. Any pipeline that ran these tools while the supply chain compromise was active should be treated as credential-compromised until proven otherwise. Rotate cloud provider keys, API tokens, and service account credentials that were accessible to those tools. This is an incident response action, not a scheduled security hygiene task — treat it with corresponding urgency and scope it to your entire CI/CD and AI infrastructure toolchain, not just the three named packages.
Ship This Control Today
Before anything else: run your external attack surface inventory against current NetScaler version data and confirm patch status on CVE-2025-5777. If you are unpatched and internet-facing, that is your only priority until it is closed. Then, as a parallel track, enable the Microsoft vulnerable driver block list via Group Policy or Intune if it is not already enforced — this is a fifteen-minute configuration change that closes a class of BYOVD exposure across 35 known drivers. Every hour of dwell time you force on an attacker inside your perimeter is an hour your SIEM (security information and event management system) has to detect anomalous RMM tool behavior, unexpected driver loads, or lateral movement patterns.
In my analysis, the most underappreciated risk in this particular kill chain is not the Citrix vulnerability or even the BYOVD technique — it is the credential pipeline. When 500,000 credential sets flow from a poisoned npm package into ransomware affiliate marketplaces, the blast radius of one supply chain compromise becomes effectively unbounded. Organizations that implicitly trust open-source security and AI tooling — especially packages added quickly during an AI adoption push — are carrying an unquantified exposure that patch management cycles alone cannot close. The data protection posture needs to extend upstream into the development pipeline, not just the production perimeter. Ship the NetScaler patch. Enable the driver block list. Then spend the next week asking a harder question: which packages in your CI/CD pipeline have access to credentials you would not want in a threat actor's hands?
Frequently Asked Questions
How does the Citrix Bleed 2 vulnerability bypass multi-factor authentication on NetScaler devices?
CVE-2025-5777 allows an attacker to extract valid session tokens directly from NetScaler appliance memory. Because those tokens represent sessions that already completed MFA verification, the attacker inherits a fully authenticated session without ever needing to supply a password or second factor. The authentication bypass is structural — the session is genuinely valid from the application's perspective. Patching blocks new token theft, but tokens stolen before patching remain valid until explicitly invalidated, which is why session rotation after patching is a required remediation step, not an optional one.
How can I check whether my Citrix NetScaler is vulnerable to CVE-2025-5777?
Citrix published a security bulletin with specific affected firmware version ranges for NetScaler ADC and NetScaler Gateway products. Cross-reference your firmware version against the advisory, and use Shodan or your external attack surface management tool to confirm internet exposure. CISA's KEV catalog entry for CVE-2025-5777 — added July 10, 2025 — links to the vendor advisory and remediation guidance. If you are running any NetScaler firmware version released before the patch date on an internet-facing device, apply compensating controls immediately: block inbound access to the management interface, force session invalidation, and prioritize patching above other scheduled maintenance.
What is a BYOVD attack and how can organizations defend against it in real time?
BYOVD stands for Bring Your Own Vulnerable Driver. Attackers load a legitimate, cryptographically signed Windows driver that contains a known exploitable flaw, then use the kernel-level access that driver provides to terminate endpoint detection and response (EDR) agents before those agents can generate alerts or block encryption. Defenses include: enforcing Microsoft's recommended driver block list via WDAC (Windows Defender Application Control) in block mode, enabling tamper protection in your EDR at the kernel level, monitoring for known malicious driver hashes at both the endpoint and network perimeter, and ensuring your EDR vendor's BYOVD-specific hardening updates are deployed. As of July 4, 2026, 54 tools exploit 35 vulnerable drivers — the block list is a necessary but not complete defense.
Why are ransomware groups specifically targeting AI infrastructure packages in supply chain attacks?
AI infrastructure packages — LLM gateways, container security scanners, infrastructure-as-code tools — run during the build and deployment pipeline with credentials that span cloud environments, AI service APIs, and internal SaaS platforms. A single compromised package in CI/CD can harvest credentials with far broader access than any single production system. The FBI's alert following the TeamPCP campaign confirmed that BerriAI LiteLLM, Trivy, and KICS were targeted precisely because of this credential access pattern. As Veeam's security analysis noted, attacking a single trusted supplier is far more operationally efficient than targeting each downstream organization individually — and AI tooling adoption has accelerated the number of high-value packages entering enterprise pipelines without the security review scrutiny applied to production dependencies.
Disclaimer: This article is editorial commentary based on publicly reported information and does not constitute professional security consulting advice. Always consult with a qualified cybersecurity professional for your specific organizational needs. Research based on publicly available sources current as of July 4, 2026.