Anubis ransomware is exploiting CitrixBleed 2 to steal session tokens that bypass MFA and stay valid even after you patch. Here is why "we patched and we have MFA" is not remediation, and what Texas SMBs should do instead.
If your remediation plan for CitrixBleed 2 was "apply the patch and confirm MFA is on," you are not done. Fresh incident breakdowns published this week show the Anubis ransomware crew turning that exact assumption into a way in. They are exploiting the flaw to steal live session tokens, walking straight past multi-factor authentication with those tokens, and hiding inside the same legitimate remote-access tools your own IT team uses. The patch closes the hole. It does not evict the intruder who already grabbed a token, and it does not flag the ScreenConnect installer they dropped last week.
For Texas healthcare, manufacturing, and business-services firms running Citrix NetScaler at the edge, this is the difference between a checkbox and actual security. Here is what is happening and what to do about it.
CitrixBleed 2 is tracked as CVE-2025-5777. It is a pre-authentication memory disclosure flaw in Citrix NetScaler ADC and NetScaler Gateway appliances, caused by insufficient input validation that lets an attacker read chunks of the device's memory. The bug is only present when the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, or RDP Proxy) or as an AAA virtual server, which describes the vast majority of internet-facing NetScaler deployments.
The dangerous part is what leaks out of that memory. Attackers spray malformed login requests at the doAuthentication.do endpoint and read back session material, including the NSC_AAAC session token. A valid session token is a golden ticket. It represents a user who has already completed authentication, so replaying it grants access to that session without a password and without a second factor. That is the whole game: CitrixBleed 2 does not crack MFA, it steps around it by stealing the proof that MFA was already satisfied.
CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on July 10, 2025, after confirmed in-the-wild abuse, and public write-ups from multiple research teams documented the exact request structure being used. This is not theoretical.
Anubis is a ransomware-as-a-service operation that emerged in late 2024 as a rebrand of Sphinx ransomware, was formally announced on an underground forum in February 2025, and has spent 2026 expanding fast. Two things make it worth a hard look.
First, the affiliate economics. Anubis reportedly offers affiliates an 80 percent cut of ransom payments, above the usual 70/30 split. That premium attracts capable operators, which is why the intrusions look disciplined rather than smash-and-grab.
Second, the wiper. Anubis ships an optional "wipe mode" that permanently erases file contents while leaving the file names listed at 0 KB. That is designed to destroy your ability to recover even if you refuse to pay. For a Texas hospital or a manufacturer running production lines off shared drives, an attacker who can both encrypt and irreversibly wipe removes the "restore from the encrypted copy later" fallback entirely. According to public leak-site tracking, the group has claimed 91 victims, with researchers documenting intrusions across healthcare, business services, financial services, manufacturing, and technology, and 11 new victims listed in June 2026 alone.
The incident analyses describe a consistent playbook. Initial access came from two directions: exploitation of CitrixBleed 2, and valid VPN credentials (including Cisco AnyConnect logins originating from hosting-provider networks). Once inside, the pattern looked like this:
| Stage | What Anubis did |
|---|---|
| Initial access | Stole NetScaler session tokens via CVE-2025-5777 or logged in with valid VPN credentials |
| Foothold and persistence | Deployed legitimate RMM tools (ScreenConnect, Zoho Assist, MeshAgent, Remotely, UltraVNC, Total Software Deployment) to blend in with normal IT activity |
| Credential access | Ran Mimikatz on Windows servers and pulled the Active Directory ntds.dit database |
| Lateral movement | Spread via RDP, SMB, and PsExec to reach domain controllers and core systems |
| Exfiltration | Opened Cloudflare Tunnels (cloudflared), then moved data with rclone, s5cmd, S3 Browser, WinSCP, and PuTTY |
| Impact | Began encrypting less than an hour after extracting the AD database in one documented intrusion, with an optional wiper for good measure |
Notice how little of that would trip a traditional alarm. One ScreenConnect installer came from a spoofed Microsoft-lookalike domain, but no antivirus signature flags a legitimate remote-access tool your admins might genuinely use. The Cloudflare tunnel looks like ordinary outbound traffic. The RDP and SMB movement uses valid credentials pulled from the environment. This is "living off the land," and it is exactly why detection has to look at behavior, not just known-bad files.
Here is the trap that catches competent teams. You read the advisory, you upgrade your NetScaler to a fixed build, you confirm MFA is enforced, and you close the ticket. The problem: any session tokens the attacker extracted before you patched remain valid until you explicitly revoke them. Patching stops new memory leaks. It does nothing to the tokens already sitting in an attacker's pocket, and those tokens still walk past MFA.
Citrix's own guidance is explicit about this. After every appliance in your HA pair or cluster is on a fixed build, you must terminate active sessions with:
kill icaconnection -all
kill pcoipConnection -all
If you skipped those commands, you patched the door but left the intruder's key working. Real remediation for CitrixBleed 2 is three moves, in order:
Most small and mid-sized Texas organizations do not run a full internal security operation, and that is fine. The point is to have the controls and the eyes in place before an Anubis affiliate finds your edge. Practical priorities:
CitrixBleed 2 and Anubis are a clean illustration of where ransomware has gone. Attackers are not brute-forcing MFA or dropping obvious malware. They are stealing the artifacts of legitimate access, then operating with the same tools your administrators trust. "We patched" and "we have MFA" are necessary, but they describe your posture at a single moment, not whether someone is already inside using a token they lifted last Tuesday.
The organizations that weather this are the ones that revoke aggressively, allow-list their own tooling, keep recovery-grade backups, and have someone actually watching for legitimate tools behaving illegitimately. If you run NetScaler at your edge and you are not certain those sessions were killed after your last patch, that uncertainty is the finding.
Want a fast read on where your defenses stand? Take our free 60-second IT assessment, or book a meeting with our Texas team to walk through your NetScaler exposure, RMM allow-listing, and detection coverage.
LayerLogix provides expert cybersecurity solutions for businesses across Houston and nationwide.
Let our team help your Houston business with enterprise-grade IT services and cybersecurity solutions.