By: Senior Security Consultant Date: July 2026
Introduction
Threat actors affiliated with the Anubis ransomware operation have shifted tactics, actively exploiting Citrix Bleed 2 (CVE-2025-5777) to gain initial access to target networks. This is not a passive campaign; intelligence indicates a high degree of "hands-on-keyboard" activity following the initial exploit. The attackers are leveraging legitimate Remote Management and Monitoring (RMM) tools and credential theft mechanisms to move laterally, making traditional signature-based detection less effective.
For security practitioners, this represents a critical escalation. The combination of a high-severity perimeter vulnerability and the abuse of trusted administrative tooling creates a "living off the land" scenario that requires immediate validation of your Citrix infrastructure and enhanced monitoring for RMM abuse.
Technical Analysis
Affected Products and Vulnerability
- Vulnerability: CVE-2025-5777 (Citrix Bleed 2)
- Affected Platform: Citrix ADC (Application Delivery Controller), Citrix Gateway, and NetScaler Gateway.
- Nature of Flaw: While detailed technical specifics are emerging, "Citrix Bleed" class vulnerabilities typically involve session hijacking or information disclosure leading to Remote Code Execution (RCE) on the appliance.
Attack Chain
- Initial Access: Attackers scan for exposed Citrix ADC/Gateway interfaces (usually TCP 443). They exploit CVE-2025-5777 to bypass authentication or hijack valid sessions.
- Execution: Once on the appliance, the threat actor gains shell-level access (often
rootornsrootequivalent) and executes commands to pivot to the internal network. - Lateral Movement (BYOVD & RMM): The summary notes the use of BYOVD (Bring Your Own Vulnerable Driver) techniques and RMM tooling. Attackers install commercial RMM software (e.g., ScreenConnect, AnyDesk, Splashtop) on compromised servers to establish persistent, interactive C2 channels that blend in with administrative traffic.
- Credential Access: The "hands-on-keyboard" component suggests manual dumping of credentials (LSASS, SAM database) or harvesting session tokens to escalate privileges.
Detection & Response
The following detection rules focus on the post-exploitation indicators on the endpoint (Windows) and the initial exploitation vectors on the network/appliance.
Sigma Rules
---
title: Citrix ADC Shell Spawn via CVE-2025-5777
id: 8d4c2e1a-9b3f-4c1d-8e2a-1a2b3c4d5e6f
status: experimental
description: Detects potential exploitation of Citrix Bleed 2 by identifying the Citrix parent process spawning a shell or command line utility.
references:
- https://attack.mitre.org/techniques/T1190/
author: Security Arsenal
date: 2026/07/15
tags:
- attack.initial_access
- attack.t1190
logsource:
category: process_creation
product: linux
detection:
selection:
ParentImage|endswith:
- '/netscaler/nshttpd'
- '/netscaler/nsppe'
Image|endswith:
- '/bin/sh'
- '/bin/bash'
- '/usr/bin/python'
condition: selection
falsepositives:
- Administrative debugging (Rare in production)
level: critical
---
title: Unauthorized RMM Tool Execution
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects the execution of common RMM tools potentially installed by Anubis affiliates for lateral movement.
references:
- https://attack.mitre.org/techniques/T1219/
author: Security Arsenal
date: 2026/07/15
tags:
- attack.command_and_control
- attack.t1219
logsource:
category: process_creation
product: windows
detection:
selection:
Image|contains:
- 'AnyDesk'
- 'ScreenConnect'
- 'Splashtop'
- 'ConnectWise'
- 'Atera'
- 'RemotePC'
filter_legit_admin:
ParentImage|contains:
- 'Program Files'
- 'Program Files (x86)'
User|contains:
- 'ADMIN'
- 'SYSTEM'
condition: selection | not filter_legit_admin
falsepositives:
- Authorized IT support activities
level: high
---
title: LSASS Memory Access by Non-System Account
id: 2b3c4d5e-6f7a-8b9c-0d1e-2f3a4b5c6d7e
status: experimental
description: Detects potential credential dumping activity by non-system processes accessing LSASS memory, a common Anubis tradecraft.
references:
- https://attack.mitre.org/techniques/T1003/
author: Security Arsenal
date: 2026/07/15
tags:
- attack.credential_access
- attack.t1003.001
logsource:
category: process_access
product: windows
detection:
selection:
TargetImage|endswith: '\lsass.exe'
GrantedAccess:
- '0x1010'
- '0x1410'
- '0x143A'
- '0x101a'
- '0x410'
- '0x430'
SourceImage|notcontains:
- '\System32\'
- '\SysWOW64\'
- 'lsass.exe'
condition: selection
falsepositives:
- Legitimate antivirus scanning
- Backup software
level: high
KQL (Microsoft Sentinel)
// Hunt for Citrix Bleed 2 exploitation signs: Process execution on ADC or unexpected RMM traffic
// Note: Requires CEF or Syslog ingestion for Citrix logs, and DeviceProcessEvents for endpoints
let RMMTools = dynamic(['AnyDesk', 'ScreenConnect', 'Splashtop', 'ConnectWise', 'Atera', 'RemotePC', 'GoToMyPC']);
// Detect RMM processes spawning from suspicious parents (cmd, powershell, explorer)
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FolderPath has_any (RMMTools) or FileName has_any (RMMTools)
| where InitiatingProcessFileName in ('cmd.exe', 'powershell.exe', 'powershell_ise.exe', 'wscript.exe', 'cscript.exe')
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, InitiatingProcessFileName, SHA256
| order by Timestamp desc
Velociraptor VQL
-- Hunt for suspicious RMM tools and unusual process parentage on endpoints
SELECT
Pid,
Name,
CommandLine,
Exe,
Username,
Parent.Pid AS ParentPid,
Parent.Name AS ParentName,
Parent.Cmdline AS ParentCmdline
FROM pslist()
WHERE Name IN ('AnyDesk.exe', 'RemotePC.exe', 'ScreenConnect.WindowsClient.exe', 'SplashtopStreamer.exe')
AND Parent.Name NOT IN ('services.exe', 'explorer.exe', 'svchost.exe')
-- Also hunt for processes accessing LSASS suspiciously
Remediation Script (PowerShell)
# Script to identify and optionally stop common unauthorized RMM tools associated with Anubis activity
# Requires Administrator privileges
$UnauthorizedRMMs = @("AnyDesk", "ScreenConnect", "Splashtop", "Atera", "RemotePC")
$DetectedThreats = @()
Write-Host "Scanning for active RMM processes..." -ForegroundColor Cyan
foreach ($tool in $UnauthorizedRMMs) {
$processes = Get-Process -Name "*$tool*" -ErrorAction SilentlyContinue
if ($processes) {
foreach ($proc in $processes) {
Write-Host "[ALERT] Found process: $($proc.ProcessName) (PID: $($proc.Id))" -ForegroundColor Red
Write-Host " Path: $($proc.Path)"
Write-Host " User: $($proc.GetOwner().User)"
$DetectedThreats += $proc
# REMEDIATION ACTION: Uncomment the line below to kill the process automatically
# Stop-Process -Id $proc.Id -Force
}
}
}
if ($DetectedThreats.Count -eq 0) {
Write-Host "No unauthorized RMM processes detected." -ForegroundColor Green
} else {
Write-Host "Total suspicious processes found: $($DetectedThreats.Count)" -ForegroundColor Yellow
Write-Host "Please review and investigate the parent processes."
}
# Check for recent installation of RMM services
Write-Host "\nChecking for recently installed RMM services..." -ForegroundColor Cyan
Get-WmiObject Win32_Service | Where-Object {
$UnauthorizedRMMs -contains $_.Name -or
$UnauthorizedRMMs -contains $_.DisplayName -or
$_.PathName -match "AnyDesk|ScreenConnect|Splashtop|Atera|RemotePC"
} | Select-Object Name, DisplayName, State, StartMode, PathName, InstallDate | Format-Table -AutoSize
Remediation
1. Patch Immediately (Citrix)
- Action: Apply the latest security updates for Citrix ADC/Gateway that address CVE-2025-5777. Verify your build number against the vendor advisory released in late 2025.
- Vendor Advisory: Refer to the official Citrix Security Bulletins for the exact Fixed Build.
- Configuration: If patching is delayed, disable access to the management interfaces (GUI, SSH, Serial Console) from untrusted networks. Use split-tunneling or VPNs to restrict management access.
2. Secure RMM Tooling
- Inventory: Conduct an immediate audit of all installed RMM software. Remove any instances that are not part of the approved IT asset list.
- Application Control: Implement AppLocker or Windows Defender Application Control (WDAC) policies to whitelist only approved RMM executables and block execution from user-writeable directories (e.g.,
\Users\Public\Downloads).
3. Credential Hygiene
- Reset: Assume credentials stored in memory on machines accessed by RMM tools are compromised. Reset credentials for accounts used on those hosts, especially Domain Admins.
- Protection: Enable Credential Guard and configure LSASS protection mode to
1(Advanced) or2(Restricted) to prevent memory dumping tools from reading clear-text credentials.
Related Resources
Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.