Based on reporting by The Hacker News →
Introduction
Ransomware groups are no longer just breaking in through unpatched software; they are weaponizing legitimate management tools and stolen supply-chain credentials to move laterally once inside. A recent report reveals how the Anubis operation is blending old tricks with a newer exploit to maximize damage.
The problem
According to The Hacker News, threat actors linked to the Anubis ransomware operation have been observed exploiting a vulnerability tracked as CVE-2025-5777, dubbed “Citrix Bleed 2,” to gain initial access to victim networks. The same reporting highlights that while affiliate tactics vary, common patterns emerge in their tradecraft: abuse of legitimate Remote Monitoring and Management (RMM) tools, credential theft, and hands-on-keyboard activity for lateral movement. The source also notes the use of Bring Your Own Vulnerable Driver (BYOVD) techniques to disable security software, combined with supply-chain credential harvesting.
Consequences
The convergence of these tactics means that an organization hit by Anubis faces a multi-vector assault. Initial exploitation of an edge-device flaw (Citrix Bleed 2) can lead to complete domain compromise, exfiltration of sensitive data, and ransomware deployment. The use of trusted tools like RMM software makes detection harder for security teams, while BYOVD attacks can blind defenders by killing endpoint protection. Stolen supply-chain credentials, if leveraged, could extend the breach to partners and customers, turning a single incident into a cascading liability.