Ransomware Groups Expand Tactics With Citrix Vulnerability, BYOVD, and Supply Chain Access
Cybersecurity researchers are tracking a widening set of techniques used by ransomware operators, including exploitation of a recent Citrix flaw, abuse of legitimate remote administration tools, and p...
Cybersecurity researchers are tracking a widening set of techniques used by ransomware operators, including exploitation of a recent Citrix flaw, abuse of legitimate remote administration tools, and partnerships built around supply chain compromise.
According to Arctic Wolf, affiliates tied to the Anubis ransomware operation have used Citrix Bleed 2, tracked as CVE-2025-5777, to gain initial access to victim networks. The group has also been seen using valid VPN credentials, the exact source of which is unclear. Analysts said those credentials may have been obtained through prior intrusions, credential stuffing, information-stealer logs, or access brokers.
Once inside, the attackers reportedly relied on common administrative software such as ScreenConnect, Zoho Assist, MeshAgent, Remotely, UltraVNC, and Total Software Deployment to maintain access and blend in with normal IT activity. Investigators also observed the use of RDP, SMB, PsExec, and cloud-transfer tools to move laterally and exfiltrate data before ransomware was deployed. In some cases, defenders noted attempts to disable security tools, clear logs, and interfere with incident response.
Other RaaS crews are using similar methods
Kaspersky separately described activity linked to The Gentlemen ransomware group, which has used stolen or weak credentials together with known vulnerabilities to breach targets. Researchers said the group deployed a Go-based backdoor that can collect system details, send them to an external server, and either execute commands or establish a SOCKS proxy for additional network movement.
Expel also reported that The Gentlemen abused a zero-day flaw in a third-party driver, ktapi.sys, as part of a bring-your-own-vulnerable-driver, or BYOVD, strategy. That approach can give attackers kernel-level access and allow them to disable protected security products from multiple vendors.
Supply chain access is becoming part of the ransomware model
Another development involves the partnership between VECT and TeamPCP, which Sophos says was designed to turn supply chain compromises into ransomware opportunities. The collaboration appears aimed at monetizing infections tied to Trivy and LiteLLM supply chain attacks. Earlier reporting also linked TeamPCP to the CipherForce brand before the group rebranded in 2026.
- Citrix Bleed 2 is being used for initial access
- Legitimate remote tools help attackers stay hidden
- BYOVD remains a fast way to weaken endpoint defenses
- Supply chain compromises are increasingly feeding ransomware operations
Researchers say the common theme across these campaigns is persistence: threat actors are combining valid access, trusted tools, and multiple intrusion paths to reduce detection and increase pressure on victims.
