Anubis ransomware has successfully attacked 91 organizations by exploiting CVE-2025-5777, a critical vulnerability in Citrix NetScaler ADC and Gateway appliances that allows attackers to steal session tokens and bypass multi-factor authentication entirely without needing passwords. This represents one of the most aggressive campaigns targeting the Citrix infrastructure vulnerability since its discovery, with threat actors weaponizing a pre-authentication memory disclosure flaw to gain administrative access to corporate networks. The affected organizations span healthcare, financial services, manufacturing, technology, and business services sectors across North America, Europe, and Australia.
The attack chain demonstrates a sophisticated approach that combines multiple attack vectors: after exploiting Citrix Bleed 2 to extract VPN credentials and bypass MFA protections, the attackers deploy commercial remote management tools to establish persistent access before deploying ransomware encryption. The majority of victims are located in the United States, with additional compromises affecting organizations in the United Kingdom, Australia, France, and Canada. This campaign underscores how a single unpatched vulnerability in a critical network appliance can cascade into complete infrastructure compromise, even when multi-factor authentication is deployed.
Table of Contents
- How Does CVE-2025-5777 Bypass MFA Security in Citrix Systems?
- The Evolution from Sphinx to Anubis: Rebranding a Ransomware-as-a-Service Operation
- Attack Chain: From Credential Theft to Ransomware Deployment
- Geographic and Sectoral Patterns in the 91-Organization Campaign
- The Limitations of MFA Against Memory Disclosure Attacks
- Timeline of Emergence and Formal Announcement
- Remote Management Tools as the Bridge Between Initial Access and Encryption
- Frequently Asked Questions
How Does CVE-2025-5777 Bypass MFA Security in Citrix Systems?
The Citrix Bleed 2 vulnerability (CVE-2025-5777) is a pre-authentication memory disclosure flaw that requires no user credentials to exploit. Attackers can extract sensitive data from the memory of Citrix NetScaler ADC and Gateway appliances, including valid session tokens that grant access as if an authorized user had already authenticated. This means that even organizations with strong MFA policies in place experience no protection from this attack vector, since the attacker never needs to bypass MFA through the normal authentication flow—instead, they simply steal the already-authenticated session token directly from the application’s memory. The vulnerability fundamentally breaks the security model that MFA is designed to protect.
Traditional MFA requires attackers to either know the password or intercept the second authentication factor. By contrast, CVE-2025-5777 allows attackers to obtain post-authentication credentials without ever triggering an authentication prompt. This creates a situation where a Citrix administrator could have MFA fully enabled and functional, yet the gateway appliance can still be compromised by someone who never enters a password or touches an authenticator app. The flaw affects both Citrix NetScaler ADC and Gateway appliances, which are commonly deployed as the network edge for remote work access—making them a high-value target for any attacker seeking to establish an initial foothold.
The Evolution from Sphinx to Anubis: Rebranding a Ransomware-as-a-Service Operation
Anubis did not emerge as an entirely new ransomware variant, but rather as a rebranding of the Sphinx ransomware operation. Sphinx operated in late 2024 and established itself as a ransomware-as-a-service (RaaS) platform before rebranding and relaunching under the Anubis name in February 2025 on the RAMP underground forum. This rebranding strategy is common in the ransomware ecosystem when operations wish to distance themselves from previous activities, attract new affiliates, or reinvigorate marketing efforts within criminal communities.
The transition to the Anubis name coincided with the group’s shift toward exploiting Citrix vulnerabilities at scale. By formally announcing the rebrand on a major underground forum, the threat actors signaled their operational maturity and ability to deliver attacks using a fresh identity. However, law enforcement and cybersecurity researchers have connected the Anubis operation to its Sphinx predecessor through code analysis and infrastructure patterns, demonstrating that branding changes alone do not alter the underlying technical capabilities or threat level. Organizations that previously dismissed Sphinx activity should recognize that the same operators are now actively targeting their Citrix infrastructure under a new name.
Attack Chain: From Credential Theft to Ransomware Deployment
Once Anubis operators extract session tokens through CVE-2025-5777, they combine this initial access with stolen VPN credentials to establish multiple pathways into the target network. The attackers then deploy a range of commercial remote monitoring and management (RMM) tools to maintain persistent access, including ScreenConnect, Zoho Assist, MeshAgent, Remotely, UltraVNC, and Total Software Deployment. The use of legitimate, commercially available tools obscures malicious activity in network logs and can delay detection if administrators are not specifically looking for suspicious installation of these applications.
The progression from initial access to ransomware deployment typically spans days or weeks, allowing attackers time to map network resources, identify high-value data repositories, and establish backup-layer access before triggering encryption. In many cases, the attackers conduct reconnaissance of the environment to understand backup systems, air-gapped networks, and critical business processes before deploying ransomware, enabling them to maximize the ransom demand. This deliberate, measured approach means that early detection is critical—an organization that spots unauthorized RMM tool installation or unusual administrative activity within hours of compromise may still prevent the final encryption stage, whereas detection days later often arrives too late.
Geographic and Sectoral Patterns in the 91-Organization Campaign
The 91 victims targeted by Anubis are not randomly distributed. More than half of the compromised organizations are based in the United States, making U.S. entities the primary focus of this campaign.
The remaining victims are concentrated in the United Kingdom, Australia, France, and Canada—regions that collectively represent significant economic activity and have developed digital infrastructure suitable for targeting by sophisticated threat actors. Organizations in these English-speaking countries and major Western economies appear to be prioritized, possibly because the attackers have native language capabilities or because these regions offer higher ransom demands. Industry selection reveals a clear pattern of targeting high-value sectors: healthcare organizations face particular pressure due to operational urgency when systems are unavailable and the ethical pressure surrounding patient data, business services firms often hold significant proprietary and client information, manufacturing operations depend on network uptime for production schedules, technology companies offer both direct revenue value and potential supply-chain leverage, and financial services organizations hold access to customer funds and sensitive economic data. Healthcare is particularly vulnerable in this campaign because patient care cannot always be deferred; a hospital that loses access to medical records and imaging systems faces immediate operational crisis, making ransom payment a faster decision than in other sectors.
The Limitations of MFA Against Memory Disclosure Attacks
A critical limitation of standard MFA deployment is that it provides no defense against vulnerabilities like CVE-2025-5777 that target the application layer rather than the authentication layer. Organizations that have invested significantly in MFA hardware tokens, FIDO2 keys, or time-based one-time passwords (TOTP) authenticators discover that these controls are irrelevant when attackers steal session tokens directly from server memory. This creates a false sense of security where defenders believe they have eliminated remote access risks, when in fact a single unpatched appliance vulnerability can render these investments ineffective.
A related limitation is that many organizations deploy MFA only at the perimeter (for VPN or remote access gateways) but fail to extend the same protections to internal network segments, lateral movement, or administrative access. An attacker who bypasses the Citrix gateway through CVE-2025-5777 may then gain unrestricted access to internal systems that assume all traffic arriving from the gateway has already been properly authenticated. Without segmentation, additional MFA enforcement on internal systems, or anomaly detection that flags abnormal administrative patterns, the attacker proceeds undetected through the trusted internal network.
Timeline of Emergence and Formal Announcement
The Anubis operation began taking shape in late 2024 as threat actors prepared the rebrand of their Sphinx ransomware operations. The formal announcement and launch of Anubis occurred in February 2025, when the group posted recruitment and service offerings on the RAMP underground forum, signaling the start of an operational shift toward the Citrix vulnerability.
By July 2026 when these attacks were publicly reported, the campaign had achieved 91 confirmed compromises, demonstrating sustained operational capacity over an approximately 18-month window from initial rebranding to sustained exploitation. This timeline suggests that Anubis operators began planning the Citrix-focused campaign well before public disclosure of CVE-2025-5777, likely possessing advance knowledge of the vulnerability or having identified it through their own research. The patience to develop and test exploit code, recruit affiliates, and coordinate attacks across 91 organizations before public reporting indicates that the threat actors maintained operational discipline and avoided activities that would trigger premature disclosure or enforcement action.
Remote Management Tools as the Bridge Between Initial Access and Encryption
The specific choice of commercial RMM tools—ScreenConnect, Zoho Assist, MeshAgent, Remotely, UltraVNC, and Total Software Deployment—reveals how Anubis operators leverage legitimate software to reduce detection friction. Each of these tools is installed daily by thousands of organizations for legitimate support, patching, and remote administration purposes. An organization seeing these applications installed on servers may initially assume an IT team member deployed them for standard maintenance, creating a window where the attacker maintains access while defenders remain unaware.
The deployment of multiple redundant RMM tools serves a specific purpose: if defenders detect and uninstall one tool, the attacker retains access through the others. This redundancy ensures that initial access persists even after partial incident response, allowing attackers to re-establish presence and trigger encryption at a later time. Organizations that have experienced Anubis compromise reports confirm that malicious RMM installation often remains undetected for extended periods because these applications generate legitimate-appearing network traffic and administrative activities that blend into normal IT operations.
Frequently Asked Questions
Can an organization with MFA enabled still be compromised by the Citrix Bleed 2 vulnerability?
Yes. CVE-2025-5777 operates at the application layer and extracts already-authenticated session tokens directly from memory, bypassing MFA entirely. MFA protects the authentication process but offers no defense against memory disclosure attacks that steal tokens after authentication has already occurred.
Which organizations should prioritize patching for CVE-2025-5777?
Any organization running Citrix NetScaler ADC or Gateway appliances should treat patching as critical. Firms in healthcare, financial services, manufacturing, technology, and business services sectors are particularly targeted, and organizations in the U.S., U.K., Australia, France, and Canada represent the current geographic focus.
How can defenders detect if commercial RMM tools have been deployed maliciously?
Monitor for unexpected installations of ScreenConnect, Zoho Assist, MeshAgent, Remotely, UltraVNC, and Total Software Deployment. Check deployment history and verify with the IT team. Review network logs for unusual command-and-control communications from these tools, and audit administrative actions initiated by these applications.
Does the use of commercial RMM tools help Anubis evade detection?
Yes. Because these tools are commonly installed for legitimate purposes, their presence does not immediately trigger alerts. This creates a critical window where attackers maintain persistent access while defenders may assume the software was installed through authorized IT processes.
How long does Anubis typically wait between gaining access and deploying ransomware?
The group conducts reconnaissance and staging activities over days or weeks, mapping network resources and backup systems before encryption. This delay allows detection opportunity but also means organizations with early visibility into unauthorized RMM installation may still prevent encryption if they respond within hours of discovery.
Why did Sphinx rebrand as Anubis?
Rebranding is a common ransomware-as-a-service strategy to distance operations from past activities, attract new affiliates, and refresh marketing within criminal communities. The rebrand coincided with Anubis’s shift toward large-scale Citrix vulnerability exploitation, formally announced in February 2025.
