ThreatBrief AI

Ransomware crews converge on Citrix Bleed 2, BYOVD and supply-chain credentials

Fresh reporting ties Anubis, The Gentlemen, and TeamPCP activity to edge-device access, EDR-killing drivers, and supply-chain credential theft.

+ +

Published

Jul 04, 2026

Duration

4 min read

Risk Level

High Severity

Why it matters

Ransomware reporting this week points to a practical convergence defenders cannot handle as separate stories: exposed edge access, endpoint-defense bypass, and stolen software-supply-chain credentials are feeding the same extortion pipeline. Arctic Wolf says Anubis intrusions it investigated in 2026 used both valid VPN credentials and CitrixBleed 2 exploitation, then leaned on legitimate remote-management tools that can blend into normal IT operations. In parallel, Kaspersky and Expel describe The Gentlemen ransomware activity using vulnerable drivers to weaken endpoint protection, while the FBI warns that TeamPCP-linked supply-chain credential theft can remain useful to affiliates after the first compromise.

What happened

The Hacker News summarized multiple fresh ransomware reports under one trend: operators are pairing initial access from Citrix NetScaler and VPN paths with hands-on intrusion tradecraft, EDR-killing driver abuse, and credentials stolen from open-source ecosystem compromises. Arctic Wolf’s Anubis analysis is the clearest edge-access example, citing CVE-2025-5777 and malicious VPN authentication followed by RDP, SMB, PsExec, RMM deployment, and cloud-transfer tooling. Kaspersky reported The Gentlemen activity using a Go backdoor and BYOVD techniques, and Expel analyzed a ktapi.sys driver exploit used to terminate security products. The FBI alert adds a supply-chain angle by warning that credentials and data taken in TeamPCP-linked campaigns may remain a persistent risk.

Technical details

For Anubis, the useful defender pattern is less the ransomware brand and more the sequence: VPN or NetScaler access, interactive lateral movement, deployment of ScreenConnect-style or similar administration tooling, credential gathering, and exfiltration utilities before encryption. Arctic Wolf also noted Cloudflare Tunnel use in select intrusions, which makes outbound tunnel monitoring relevant alongside VPN and RDP review. For The Gentlemen, public research emphasizes BYOVD: attackers bring or exploit vulnerable kernel drivers so they can interfere with EDR controls before running ransomware. Expel’s analysis names ktapi.sys as the driver involved in one exploit chain; this brief does not reproduce exploit steps, but it does treat driver load events and sudden security-process termination as high-value telemetry. For TeamPCP and VECT-related activity, the main risk is downstream credential reuse after package or repository compromise.

Defender actions

Prioritize Citrix NetScaler exposure review and patch verification for CVE-2025-5777, especially Gateway or AAA virtual server deployments. Hunt for suspicious VPN logins from hosting providers, impossible travel, new RDP or SMB activity after VPN authentication, PsExec service creation, and newly installed RMM tools that were not part of an approved change. Add detections for unexpected cloudflared tunnels, rclone, s5cmd, S3 Browser, WinSCP, and PuTTY appearing on servers that do not normally use them. On Windows endpoints, alert on vulnerable-driver loads, ktapi.sys sightings, security-service termination, and tampering with Defender, Sophos, or other EDR components. For developer and CI/CD environments, rotate credentials exposed to recent supply-chain incidents, review package provenance, and assume stolen tokens can be reused well after the initial compromise.