@Anubis__media
Anubis
Anubis is a ransomware-as-a-service operation that emerged in late 2024 after rebranding from Sphinx.
Profile source: Mallory opens in a new tabAnubis
Family profile
Anubis is a ransomware-as-a-service operation that emerged in late 2024 after rebranding from Sphinx. It operates through affiliates and has targeted organizations across multiple sectors, including healthcare, manufacturing, construction, legal services, financial services, business services, and technology, with a large share of claimed victims in the United States. The malware supports data-theft-and-encryption extortion and has been reported to include an optional destructive wipe capability that can reduce victim files to zero-byte content, increasing coercive pressure beyond conventional ransomware encryption.
Observed Anubis intrusions in 2026 show a practical, affiliate-driven tradecraft model rather than reliance on a single distinctive malware component. Initial access has been associated with spearphishing, use of valid VPN credentials, and exploitation of CitrixBleed 2 (CVE-2025-5777) against Citrix NetScaler infrastructure. Post-compromise activity has included session hijacking opportunities tied to exposed session material, credential access, lateral movement over RDP and SMB, PsExec-based remote execution, deployment of legitimate remote monitoring and management tools, tunneling utilities, cloud-transfer tools, and other living-off-the-land techniques intended to blend with normal administrative activity. Affiliates have also been observed weakening security visibility and tampering with endpoint protections before encryption.
The ransomware has been described as targeting Windows, Linux, NAS, and ESXi environments, with reported privilege escalation to SYSTEM on Windows and self-propagation of encryption across a domain. Final-stage activity includes file encryption and ransom-note deployment, while pre-encryption phases often involve staging and exfiltration of data. Anubis is therefore best understood as a multi-platform ransomware ecosystem combining initial access, credential abuse, lateral movement, defense evasion, exfiltration, encryption, and optional destructive wiping under an affiliate monetization model.
Capabilities
- Credential Theft
- Defense Evasion
- Exfiltration
- Lateral Movement
- Post Exploitation
- Privilege Escalation
- Session Hijacking
Ransomware.live
Operational record
Ransomware.live
Published indicators
Md5
25 totala1765503f1405b24b77a16071e6ea6f6d2410703e93be61a652b92efcf42789d0a5f3fc92af7aa3e448ac7b84e495fc6271998018494403a9b5d0d4b01eb0c448a12e997e672b80319c5b852b237e5a9f71d8db7fda7659718330efcbd0776f00f1b8aa83e5f9c40ad32561a95ed2c6771ce395e8bb531ec3623b94387de8392284d536dab5865150873e927a29cb0aea4b88bf440613390cd32e045a59fd7b0
Ip
4 total38.134.148.205.252.177.249212.224.107.203195.133.67.35
Ransomware.live
Recent claims
Reported operators
Threat actors
1 named in public reportingIn its most recent campaigns, FIN7 has been observed deploying the Python-based Anubis backdoor, which provides full system control via in-memory execution and communicates with its command-and-control infrastructure using Base64-encoded data.
Exploited software
Vulnerabilities linked to Anubis
1 CVEsMITRE ATT&CK
Anubis in ATT&CK
43 distinct techniquesTechniques
43 techniquesReporting
Research mentioning Anubis
US sanctions First VPN and administrator for supporting ransomware | CyberScoop
TRM Labs said it has seen 1VPNS selling its services to ransomware operators for prices ranging from $723 for Anubis to $58 Sinobi.
Anubis Ransomware : exploitation de CitrixBleed 2 et abus d'outils RMM légitimes | CyberVeille
cet article présente les résultats d’investigations menées tout au long de 2026 sur plusieurs intrusions attribuées au groupe Anubis ransomware, opérant selon un modèle Ransomware-as-a-Service (RaaS).
Anubis Ransomware Gang Attacks Again, Exploit Remote Access - CySecurity News - Latest Information Security and Hacking Incidents
Hackers linked with Anubis ransomware operation were found abusing the Citrix Bleed 2 (CVE-2025-5777) flaw to find initial access. About Anubis Anubis is a RaaS gang that first surfaced in late 2024 as a spinoff of Sphinx ransomware.
Avalon Malware Framework Leads to CrownX Ransomware
The same pre-encryption lesson applies to other modern ransomware intrusions, including Anubis ransomware abuse of remote-management tools.
Anubis Ransomware Abuses RMM Tools Before Encryption
Arctic Wolf Labs reported on June 30, 2026 that Anubis ransomware intrusions investigated since the start of 2026 used a mix of valid VPN credentials, exploitation of CitrixBleed 2, RDP movement, credential access, remote management software, tunnels, and cloud-transfer utilities before encryption.
From CitrixBleed 2 to Cloudflared: The Tools and Techniques Behind Anubis Ransomware Attacks - Arctic Wolf
Since the start of 2026, Arctic Wolf has investigated Anubis ransomware intrusions involving both valid VPN credential use and exploitation of CitrixBleed 2 (CVE-2025-5777), expanding known initial access tradecraft associated with this ransomware brand.
The State of Ransomware - Q1 2026 - Check Point Research
Anubis stands apart from all other top-20 actors in its willingness to target healthcare (13.0%, +8.3 percentage points above baseline) and critical infrastructure (8.7%, +7.7 percentage points above baseline).
Critical Condition: The 2026 Healthcare Cyber Threat Landscape
ANUBIS is a ransomware operation targeting mid-sized organizations using encryption-based payloads and extortion tactics.