Anubis ransomware and the art of looking like your IT team
Ransomware groups get caught when defenders spot unusual tooling. Anubis, a RaaS operation that emerged in late 2024 as a rebrand of Sphinx ransomware, has built its operational model around one premise: never use a tool your IT team would not also use. Arctic Wolf has investigated multiple Anubis intrusions and found the same pattern in each one.
From Sphinx to Anubis: the rebrand context
Anubis was formally announced on the RAMP underground forum in February 2025 as a successor to Sphinx ransomware. It operates on a ransomware-as-a-service model: affiliates conduct the intrusions, while the core team provides the encryptor, the infrastructure, and the leak site. By early 2026, Arctic Wolf had investigated multiple confirmed Anubis breaches, all sharing a consistent initial access and persistence pattern.
The CitrixBleed 2 entry point
CVE-2025-5777, known as CitrixBleed 2, is a pre-authentication memory over-read in Citrix NetScaler ADC and Gateway that affects appliances configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. Insufficient input validation lets an unauthenticated attacker read fragments of appliance memory, and those fragments can contain valid session tokens. Replaying a leaked token recovers an already-authenticated session, so MFA is bypassed entirely: the legitimate user completed the MFA step, and the attacker simply inherits the result. Anubis affiliates combine leaked session tokens with stolen VPN credentials to establish initial access without triggering authentication anomalies, because from the appliance's point of view there are no failed logins and no new MFA prompts. Organizations that have not patched NetScaler ADC and Gateway remain exposed, as do organizations that patched but left the sessions that were live at the time running, since a token leaked before the upgrade stays valid until its session is terminated.
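A fleet-wide check a practitioner would want at this point is simply "which of my appliances is still below the fixed build?" The script below is an added example for this article, not Citrix tooling: it parses the banner line of `show ns version` output and compares the build against the fixed builds for CVE-2025-5777. The fixed builds it encodes (14.1-43.56, 13.1-58.32, 13.1-FIPS/NDcPP 37.235, 12.1-FIPS/NDcPP 55.328) are my reading of the Citrix advisory at the time of writing and should be confirmed against the current advisory; the hostnames and banners are constructed sample data. Note that it answers only the version question, not whether the appliance is configured as a Gateway or AAA server, and a "patched" result says nothing about sessions leaked before the upgrade.

```python
"""Assess NetScaler `show ns version` banners against the CVE-2025-5777 fixed builds.

Added example, not Citrix tooling. Fixed builds are ASSUMED from the Citrix
advisory as read at the time of writing: verify against the current advisory.
"""
import re
from typing import Dict, List, Optional, Tuple

# Matches the start of `show ns version` output, e.g. "NetScaler NS14.1: Build 43.56.nc, Date: ..."
BANNER_RE = re.compile(r"NetScaler NS(?P<release>\d+\.\d+): Build (?P<major>\d+)\.(?P<minor>\d+)")


def parse_banner(banner: str) -> Optional[Tuple[str, int, int]]:
    """Return (release, build major, build minor), or None if the banner is unrecognised."""
    m = BANNER_RE.search(banner)
    if m is None:
        return None
    return m.group("release"), int(m.group("major")), int(m.group("minor"))


def assess(banner: str) -> Dict[str, Optional[str]]:
    """Classify one appliance as patched / vulnerable / unsupported / unparsed.

    The FIPS and NDcPP lines are separate build trains with their own fixed
    builds, told apart here by build major (13.1-37.x and 12.1-55.x). A
    pre-FIPS mainline 13.1-37.x build lands in the FIPS branch and is still
    reported vulnerable, which is correct. Mainline 12.1 and 13.0 are
    end-of-life with no fix, hence "unsupported".
    """
    parsed = parse_banner(banner)
    if parsed is None:
        return {"status": "unparsed", "build": None, "fixed_in": None}
    release, major, minor = parsed
    build = f"{release}-{major}.{minor}"
    if release == "14.1":
        fixed_in, ok = "14.1-43.56", (major, minor) >= (43, 56)
    elif release == "13.1" and major == 37:          # 13.1-FIPS / 13.1-NDcPP train
        fixed_in, ok = "13.1-37.235 (FIPS/NDcPP)", minor >= 235
    elif release == "13.1":
        fixed_in, ok = "13.1-58.32", (major, minor) >= (58, 32)
    elif release == "12.1" and major == 55:          # 12.1-FIPS / 12.1-NDcPP train
        fixed_in, ok = "12.1-55.328 (FIPS/NDcPP)", minor >= 328
    else:
        return {"status": "unsupported", "build": build, "fixed_in": None}
    return {"status": "patched" if ok else "vulnerable", "build": build, "fixed_in": fixed_in}


def needs_action(banners: Dict[str, str]) -> List[str]:
    """Hosts whose banner is anything other than a patched, supported build."""
    return sorted(host for host, banner in banners.items() if assess(banner)["status"] != "patched")


# Constructed sample data (host -> banner), modelled on `show ns version` output.
SAMPLE_BANNERS = {
    "ns-edge-01": "NetScaler NS14.1: Build 43.56.nc",
    "ns-edge-02": "NetScaler NS14.1: Build 43.50.nc",
    "ns-fips-01": "NetScaler NS13.1: Build 37.235.nc",
    "ns-legacy-01": "NetScaler NS13.0: Build 92.21.nc",
}

if __name__ == "__main__":
    for host, banner in SAMPLE_BANNERS.items():
        print(host, assess(banner))
    print("needs action:", needs_action(SAMPLE_BANNERS))
```

Feed it the banner line from each appliance (collected over SSH or from your configuration management export) and treat every host in the `needs_action` list, including the "unsupported" ones, as a live Anubis entry point until it is upgraded and its sessions are terminated.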
The legitimate tools that make Anubis hard to detect
After establishing access, Anubis affiliates rely on legitimate remote management tools rather than custom malware for persistence and hands-on-keyboard access; the encryptor is the only bespoke component. The tools they use are all signed, trusted, and frequently present in enterprise environments:
- ScreenConnect and Zoho Assist: widely used by MSPs for remote support sessions
- MeshAgent and Remotely: open-source RMM tools common in smaller IT environments
- UltraVNC and Total Software Deployment: legacy remote access tools still present in many enterprise environments
- Cloudflared for C2 tunneling: the legitimate Cloudflare Tunnel client, which opens an outbound connection to Cloudflare's edge and exposes internal services through it, so command and control traffic rides to a trusted CDN over the same egress path that ordinary web browsing uses
Why blending in is more dangerous than novel techniques
Detection rules that fire on unusual process creation, unsigned binaries, or known-malicious hashes do not catch this tradecraft, because every binary involved is signed and legitimately distributed. By the time a ransom note appears, the affiliate has already harvested credentials, established multiple redundant persistence paths (several of the agents above, each a separate foothold), and weakened local recovery options. With the 2026 average eCrime breakout time at 29 minutes, containment must happen before the attacker has finished establishing persistence, not after.
Detection and mitigation
Practical steps to reduce exposure and improve detection:
- Patch NetScaler ADC and Gateway immediately. CVE-2025-5777 (CitrixBleed 2) has a public working exploit, is listed in CISA's Known Exploited Vulnerabilities catalog, and Anubis affiliates are actively using it. Any unpatched NetScaler is a viable Anubis entry point. After upgrading, terminate the sessions that were live while the appliance was exposed (`kill icaconnection -all` and `kill pcoipConnection -all`, the post-upgrade step in Citrix's advisory), because a token leaked before the patch stays usable until its session is killed, and reset the credentials of accounts that authenticated through the appliance during the exposure window.
- Baseline approved RMM tooling and alert on new deployments. Create an inventory of approved remote access tools and alert on any RMM binary appearing outside that set. Match on the binary's signer and original filename (PE version metadata) as well as the on-disk process name, since renaming a legitimate agent costs an attacker nothing, and check where an approved tool connects: a ScreenConnect client pointed at a relay server your MSP does not operate is as suspicious as an unknown tool.
- Monitor Cloudflared process creation and its network footprint. Unless your organization has deployed Cloudflare Tunnel itself, cloudflared has no business on an endpoint, so a new cloudflared process (or any process whose original filename is cloudflared.exe) is a high-confidence indicator of C2 tunneling. The tunnel connects outbound to Cloudflare's edge (argotunnel.com hostnames) on port 7844 by default, which remains a usable network indicator when the binary has been renamed.
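The two detection steps above, RMM baselining and cloudflared monitoring, share the same logic: identify the tool behind a process-create event, then ask whether it is approved and whether it is running under its real name. The script below is an added example for this article, not Arctic Wolf's or any vendor's detection content, and runs that logic over a handful of constructed events modelled on Sysmon Event ID 1 fields (Image, OriginalFileName, CommandLine). The OriginalFileName values in its signature table are the names I expect in each tool's PE version resource and should be verified against the binaries in your environment; the hostnames, paths and the `APPROVED_RMM` set are hypothetical. It deliberately keeps alerting on a renamed copy of an approved tool, which is the case that a plain process-name rule misses.

```python
"""Flag RMM and tunnelling binaries that are not on the approved list.

Added example; not Arctic Wolf's or any vendor's detection logic. Events are
constructed to resemble Sysmon Event ID 1 fields. OriginalFileName values are
ASSUMED and must be verified against the binaries in your own environment.
"""
import ntpath
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Tool -> OriginalFileName values (lower-case) that identify it even after the
# file on disk has been renamed.
TOOL_SIGNATURES: Dict[str, Set[str]] = {
    "ScreenConnect": {"screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"},
    "Zoho Assist": {"za_connect.exe"},
    "MeshAgent": {"meshagent.exe"},
    "Remotely": {"remotely_agent.exe"},
    "UltraVNC": {"winvnc.exe"},
    "cloudflared": {"cloudflared.exe"},
    # Total Software Deployment: add the agent binary's name from your own copy.
}

# Command-line markers that still identify a tool when version metadata has been
# stripped. These are cloudflared's public CLI modes.
CMDLINE_MARKERS: Dict[str, Tuple[str, ...]] = {
    "cloudflared": ("tunnel run", "tunnel --config", "access tcp", "access rdp"),
}


@dataclass
class Alert:
    host: str
    tool: str
    image: str
    severity: str
    reason: str


def identify_tool(event: Dict[str, str]) -> Tuple[Optional[str], str]:
    """Name the tool behind a process-create event and how it was recognised."""
    ofn = event.get("OriginalFileName", "").lower()
    base = ntpath.basename(event.get("Image", "")).lower()
    for tool, names in TOOL_SIGNATURES.items():
        if ofn in names or base in names:
            return tool, "metadata"
    cmd = event.get("CommandLine", "").lower()
    for tool, markers in CMDLINE_MARKERS.items():
        if any(marker in cmd for marker in markers):
            return tool, "cmdline"
    return None, ""


def check_event(event: Dict[str, str], approved: Set[str]) -> Optional[Alert]:
    """Return an Alert for an unapproved or disguised tool, None otherwise."""
    tool, how = identify_tool(event)
    if tool is None:
        return None
    base = ntpath.basename(event.get("Image", "")).lower()
    ofn = event.get("OriginalFileName", "").lower()
    # On-disk name differs from the compiled-in name: the binary was renamed,
    # which is suspicious even for a tool the organisation has approved.
    renamed = bool(ofn) and base != ofn
    if tool in approved and not renamed:
        return None
    if renamed:
        severity, reason = "high", f"{tool} running under a renamed image ({how} match)"
    elif tool == "cloudflared":
        severity, reason = "high", f"cloudflared tunnel client outside the approved set ({how} match)"
    else:
        severity, reason = "medium", f"unapproved RMM tool ({how} match)"
    return Alert(event.get("Host", "?"), tool, event.get("Image", ""), severity, reason)


def scan(events: Iterable[Dict[str, str]], approved: Set[str]) -> List[Alert]:
    return [a for a in (check_event(e, approved) for e in events) if a is not None]


APPROVED_RMM: Set[str] = {"ScreenConnect"}   # what this hypothetical organisation sanctions

# Constructed events modelled on Sysmon Event ID 1 fields.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Host": "WS01", "Image": r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3)\ScreenConnect.ClientService.exe",
     "OriginalFileName": "ScreenConnect.ClientService.exe",
     "CommandLine": '"ScreenConnect.ClientService.exe" "?e=Access&h=relay.msp.example&p=443"'},
    {"Host": "WS01", "Image": r"C:\Users\Public\svchost32.exe", "OriginalFileName": "cloudflared.exe",
     "CommandLine": "svchost32.exe tunnel run --token <redacted>"},
    {"Host": "SRV02", "Image": r"C:\Program Files\Mesh Agent\MeshAgent.exe", "OriginalFileName": "MeshAgent.exe",
     "CommandLine": r'"C:\Program Files\Mesh Agent\MeshAgent.exe"'},
    {"Host": "SRV02", "Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe"},
    {"Host": "WS07", "Image": r"C:\Windows\Temp\update.exe", "OriginalFileName": "",
     "CommandLine": "update.exe access tcp --hostname rdp.tunnel.example --url localhost:3389"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS, APPROVED_RMM):
        print(f"[{alert.severity}] {alert.host}: {alert.tool} {alert.image} :: {alert.reason}")
```

On the sample data this raises three alerts: the renamed cloudflared on WS01 (caught by OriginalFileName), the unapproved MeshAgent on SRV02, and the metadata-stripped `update.exe` on WS07 (caught by its `access tcp` command line). Adding cloudflared to the approved set, as an organisation that really uses Cloudflare Tunnel would, silences the WS07 event but not the renamed copy on WS01, which is the behaviour you want from an RMM baseline.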
Gigia Tsiklauri is a Security Architect and founder of Infosec.ge. Get in touch if you are reviewing your RMM governance policy or NetScaler patch status.