Skip to content
Ransomware group EsxiLinuxWindows

Anubis

Anubis is a ransomware-as-a-service operation that emerged in late 2024 after rebranding from Sphinx.

Profile source: Mallory opens in a new tab

Anubis

Family profile

Anubis is a ransomware-as-a-service operation that emerged in late 2024 after rebranding from Sphinx. It operates through affiliates and has targeted organizations across multiple sectors, including healthcare, manufacturing, construction, legal services, financial services, business services, and technology, with a large share of claimed victims in the United States. The malware supports data-theft-and-encryption extortion and has been reported to include an optional destructive wipe capability that can reduce victim files to zero-byte content, increasing coercive pressure beyond conventional ransomware encryption.

Observed Anubis intrusions in 2026 show a practical, affiliate-driven tradecraft model rather than reliance on a single distinctive malware component. Initial access has been associated with spearphishing, use of valid VPN credentials, and exploitation of CitrixBleed 2 (CVE-2025-5777) against Citrix NetScaler infrastructure. Post-compromise activity has included session hijacking opportunities tied to exposed session material, credential access, lateral movement over RDP and SMB, PsExec-based remote execution, deployment of legitimate remote monitoring and management tools, tunneling utilities, cloud-transfer tools, and other living-off-the-land techniques intended to blend with normal administrative activity. Affiliates have also been observed weakening security visibility and tampering with endpoint protections before encryption.

The ransomware has been described as targeting Windows, Linux, NAS, and ESXi environments, with reported privilege escalation to SYSTEM on Windows and self-propagation of encryption across a domain. Final-stage activity includes file encryption and ransom-note deployment, while pre-encryption phases often involve staging and exfiltration of data. Anubis is therefore best understood as a multi-platform ransomware ecosystem combining initial access, credential abuse, lateral movement, defense evasion, exfiltration, encryption, and optional destructive wiping under an affiliate monetization model.

Capabilities

  • Credential Theft
  • Defense Evasion
  • Exfiltration
  • Lateral Movement
  • Post Exploitation
  • Privilege Escalation
  • Session Hijacking

Ransomware.live

Operational record

View group record ↗

Ransomware.live

Published indicators

Full source record ↗

Twitter

1 total
  • @Anubis__media

Md5

25 total
  • a1765503f1405b24b77a16071e6ea6f6
  • d2410703e93be61a652b92efcf42789d
  • 0a5f3fc92af7aa3e448ac7b84e495fc6
  • 271998018494403a9b5d0d4b01eb0c44
  • 8a12e997e672b80319c5b852b237e5a9
  • f71d8db7fda7659718330efcbd0776f0
  • 0f1b8aa83e5f9c40ad32561a95ed2c67
  • 71ce395e8bb531ec3623b94387de8392
  • 284d536dab5865150873e927a29cb0ae
  • a4b88bf440613390cd32e045a59fd7b0

Ip

4 total
  • 38.134.148.20
  • 5.252.177.249
  • 212.224.107.203
  • 195.133.67.35

Ransomware.live

Recent claims

All published claims ↗

Reported operators

Threat actors

1 named in public reporting
FIN7

In its most recent campaigns, FIN7 has been observed deploying the Python-based Anubis backdoor, which provides full system control via in-memory execution and communicates with its command-and-control infrastructure using Base64-encoded data.

Exploited software

Vulnerabilities linked to Anubis

1 CVEs

MITRE ATT&CK

Anubis in ATT&CK

43 distinct techniques

Reporting

Research mentioning Anubis

Jul 14
Cyberscoop

US sanctions First VPN and administrator for supporting ransomware | CyberScoop

TRM Labs said it has seen 1VPNS selling its services to ransomware operators for prices ranging from $723 for Anubis to $58 Sinobi.

Jul 8
Cyberveille

Anubis Ransomware : exploitation de CitrixBleed 2 et abus d'outils RMM légitimes | CyberVeille

cet article présente les résultats d’investigations menées tout au long de 2026 sur plusieurs intrusions attribuées au groupe Anubis ransomware, opérant selon un modèle Ransomware-as-a-Service (RaaS).

Jul 4
Cysecurity News

Anubis Ransomware Gang Attacks Again, Exploit Remote Access - CySecurity News - Latest Information Security and Hacking Incidents

Hackers linked with Anubis ransomware operation were found abusing the Citrix Bleed 2 (CVE-2025-5777) flaw to find initial access. About Anubis Anubis is a RaaS gang that first surfaced in late 2024 as a spinoff of Sphinx ransomware.

Jul 3
Trojan Killer News

Avalon Malware Framework Leads to CrownX Ransomware

The same pre-encryption lesson applies to other modern ransomware intrusions, including Anubis ransomware abuse of remote-management tools.

Jul 2
Trojan Killer News

Anubis Ransomware Abuses RMM Tools Before Encryption

Arctic Wolf Labs reported on June 30, 2026 that Anubis ransomware intrusions investigated since the start of 2026 used a mix of valid VPN credentials, exploitation of CitrixBleed 2, RDP movement, credential access, remote management software, tunnels, and cloud-transfer utilities before encryption.

Jul 1
Arctic Wolf

From CitrixBleed 2 to Cloudflared: The Tools and Techniques Behind Anubis Ransomware Attacks - Arctic Wolf

Since the start of 2026, Arctic Wolf has investigated Anubis ransomware intrusions involving both valid VPN credential use and exploitation of CitrixBleed 2 (CVE-2025-5777), expanding known initial access tradecraft associated with this ransomware brand.

May 11
Checkpoint Research

The State of Ransomware - Q1 2026 - Check Point Research

Anubis stands apart from all other top-20 actors in its willingness to target healthcare (13.0%, +8.3 percentage points above baseline) and critical infrastructure (8.7%, +7.7 percentage points above baseline).

May 4
Polyswarm

Critical Condition: The 2026 Healthcare Cyber Threat Landscape

ANUBIS is a ransomware operation targeting mid-sized organizations using encryption-based payloads and extortion tactics.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.