Anubis Ransomware 2026: CitrixBleed 2, RMM Tool Abuse, and the Affiliate Tradecraft That Keeps Ransomware Alive + Video


Introduction:

The Anubis ransomware-as-a-service (RaaS) operation—a rebrand of the Sphinx ransomware that emerged in late 2024 and formally launched its affiliate program on the RAMP underground forum in February 2025—has been observed in a series of 2026 intrusions that are less about novel malware and more about a repeatable, modular playbook. According to Arctic Wolf researchers, Anubis affiliates are combining VPN credential abuse and exploitation of the critical CitrixBleed 2 vulnerability (CVE-2025-5777, CVSS 9.3) with legitimate administrative tools, credential theft, tunneling, exfiltration utilities, and security-control tampering to move from initial access to extortion. Understanding this affiliate tradecraft is essential for threat hunters and defenders aiming to detect and disrupt these attacks before they escalate to ransomware deployment.

Learning Objectives:

  • Understand the complete Anubis ransomware attack chain—from initial access via CitrixBleed 2 or valid VPN credentials to lateral movement, credential theft, data exfiltration, and encryption.
  • Identify and hunt for indicators of compromise (IoCs) associated with legitimate RMM tool abuse, tunneling setups, and cloud exfiltration utilities.
  • Implement practical detection, mitigation, and response strategies—including specific Linux/Windows commands and configuration hardening steps—to defend against Anubis and similar affiliate-driven ransomware operations.

1. Initial Access: CitrixBleed 2 Exploitation and Valid VPN Credential Abuse

Anubis affiliates gain initial access through one of two primary paths. The first is exploitation of CVE-2025-5777, commonly referred to as CitrixBleed 2—a memory overread vulnerability in Citrix NetScaler ADC and Gateway that allows unauthenticated attackers to extract session tokens from memory, effectively bypassing multi-factor authentication and hijacking active web sessions. The second path involves the use of valid VPN credentials—often procured from initial access brokers (IABs), credential stuffing, or information stealer activity—with suspicious authentication observed originating from VPS or hosting-provider infrastructure such as AS20473 (The Constant Company) and AS55286 (ServerMania).

Step‑by‑step guide: Detecting CitrixBleed 2 exploitation and suspicious VPN logins

  1. Check for CitrixBleed 2 exploitation indicators, even if you have already patched. Review NetScaler HTTP access logs for anomalous POST requests to `/cgi-bin/` or `/vpn/` endpoints whose `login` parameter carries no value (no `=` sign). Use the following `grep` command on Linux to search for suspicious patterns:

    # POST requests to /cgi-bin/ or /vpn/ that mention "login" but never carry "login="
    grep -E "POST /(cgi-bin|vpn)/.*login" /var/log/netscaler/httperror.log | grep -v "login="

    According to security researchers, the vulnerability stems from improper handling of the `login=` parameter in POST requests: if the equals sign is missing, the device may inadvertently disclose 127 bytes of memory contents.

  2. Audit VPN authentication logs for anomalies, including logins from hosting ASNs, off-hours access, and concurrent sessions from disparate geographic locations. On Windows, use PowerShell to extract authentication events from the Security log:

    Get-WinEvent -LogName Security | Where-Object { $_.Id -eq 4624 -and $_.Message -match "VPN" } | Select-Object TimeCreated, Message
    

  3. Revoke active VPN sessions and rotate potentially exposed credentials immediately. On Cisco AnyConnect, administrators can use the following command to terminate active sessions:

    clear vpn-sessiondb anyconnect
    

  4. Enforce MFA for all remote access solutions and monitor for MFA bypass attempts—CitrixBleed 2 specifically enables attackers to hijack sessions without ever presenting an MFA challenge.
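The hunting steps above can be scripted. The following Python is an added example, not code from this page or from Arctic Wolf's report: it checks NetScaler-style access log lines for POSTs to `/cgi-bin/` or `/vpn/` whose `login` parameter has no value, and audits VPN authentication records for hosting-ASN sources (the two ASNs named above), off-hours logins, and one account appearing from two countries within an hour. The log lines, the VPN records and their ASN/country fields, the business-hours window and the 60-minute threshold are all constructed assumptions.

```python
import re
from datetime import datetime

# Constructed NetScaler-style access log lines (not a real capture). The
# second and third POSTs carry a bare "login" parameter with no "=" sign,
# the malformed request shape described for CitrixBleed 2.
NETSCALER_LOG = """\
203.0.113.10 - - [02/Jan/2026:10:15:01 +0000] "POST /cgi-bin/login?login=alice HTTP/1.1" 200 512
198.51.100.7 - - [02/Jan/2026:10:15:05 +0000] "POST /cgi-bin/login?login HTTP/1.1" 200 640
198.51.100.7 - - [02/Jan/2026:10:15:06 +0000] "POST /vpn/index.html?login&foo=bar HTTP/1.1" 200 640
203.0.113.11 - - [02/Jan/2026:10:16:00 +0000] "GET /vpn/index.html HTTP/1.1" 200 1024
"""

POST_RE = re.compile(r'^(?P<ip>\S+) .*?"POST (?P<path>/(?:cgi-bin|vpn)/\S*) HTTP')


def is_bare_login(request_path):
    """True when the query string carries a 'login' parameter with no value."""
    if "?" not in request_path:
        return False
    query = request_path.split("?", 1)[1]
    return any(param == "login" for param in query.split("&"))


def find_bare_login_posts(log_text):
    """Return (source_ip, path) for POSTs to /cgi-bin/ or /vpn/ whose
    'login' parameter lacks an '=' sign."""
    hits = []
    for line in log_text.splitlines():
        m = POST_RE.match(line)
        if m and is_bare_login(m.group("path")):
            hits.append((m.group("ip"), m.group("path")))
    return hits


# Hosting-provider ASNs named in the report as sources of suspicious VPN logins
HOSTING_ASNS = {20473: "The Constant Company", 55286: "ServerMania"}

# Constructed VPN authentication records: (user, source_ip, asn, country, timestamp)
VPN_LOGINS = [
    ("alice", "203.0.113.10", 7018, "US", "2026-01-02T09:05:00"),
    ("alice", "198.51.100.7", 20473, "NL", "2026-01-02T09:20:00"),
    ("bob", "192.0.2.44", 3320, "DE", "2026-01-02T03:10:00"),
    ("carol", "192.0.2.50", 3320, "DE", "2026-01-02T11:00:00"),
]


def audit_vpn_logins(logins, business_hours=(8, 18), window_minutes=60):
    """Flag logins from hosting ASNs, off-hours logins, and one user
    authenticating from two countries within window_minutes."""
    findings = []
    history = {}  # user -> [(country, time)] seen so far
    for user, ip, asn, country, ts in logins:
        t = datetime.fromisoformat(ts)
        if asn in HOSTING_ASNS:
            findings.append((user, ip, f"login from hosting ASN AS{asn} ({HOSTING_ASNS[asn]})"))
        if not business_hours[0] <= t.hour < business_hours[1]:
            findings.append((user, ip, f"off-hours login at {t:%H:%M}"))
        for prev_country, prev_t in history.get(user, []):
            minutes_apart = abs((t - prev_t).total_seconds()) / 60
            if prev_country != country and minutes_apart <= window_minutes:
                findings.append((user, ip, f"concurrent sessions from {prev_country} and {country}"))
        history.setdefault(user, []).append((country, t))
    return findings


if __name__ == "__main__":
    for hit in find_bare_login_posts(NETSCALER_LOG):
        print("CitrixBleed 2 request pattern:", hit)
    for finding in audit_vpn_logins(VPN_LOGINS):
        print("VPN anomaly:", finding)
```

Both checks are deliberately independent: the access-log check still fires after patching because it reads the request shape, not a version banner, while the VPN audit works on whatever export your concentrator produces once you map its columns onto the tuple used here.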

2. Remote Access, Lateral Movement, and RMM Tool Abuse

After authentication, attackers gain interactive access through SSL VPN or Cisco AnyConnect into the victim environment, then move across the network using RDP and SMB—targeting file servers, domain controllers, hypervisors, and backup infrastructure. What makes Anubis particularly difficult to detect is the deployment of legitimate Remote Monitoring and Management (RMM) tools, including ScreenConnect, Zoho Assist, MeshAgent, Remotely, UltraVNC, mRemoteNG, and Total Software Deployment. These tools allow attackers to blend in with normal IT activity while maintaining persistent control.

Step‑by‑step guide: Hunting for unauthorized RMM tool deployment

  1. Create an inventory of approved RMM tools within your organization and baseline their normal usage patterns. Any RMM installation outside of approved change management procedures should trigger an alert.

  2. Monitor for RMM installer downloads from suspicious domains. In one observed case, a ScreenConnect installer was downloaded from azuremicrosoft[.]us—a domain deliberately crafted to resemble Microsoft infrastructure. Use network proxy logs or EDR telemetry to detect such downloads:

    grep -E "(ScreenConnect|Zoho|MeshAgent|UltraVNC|mRemoteNG)" /var/log/proxy/access.log
    

  3. Detect RMM tool execution via process creation events. On Windows, use Sysmon or Windows Event Logs (Event ID 4688) to track process creation:

    # Properties[5] is NewProcessName in a 4688 event; use Properties[8] to match on the command line instead
    Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4688]]" | Where-Object { $_.Properties[5].Value -match "ScreenConnect|Zoho|MeshAgent|UltraVNC" }
    

  4. Look for RMM tools configured with external C2—many RMM solutions allow connection to cloud-based consoles. Review the configuration files of these tools for unauthorized external endpoints.
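As an added example (not the page's code and not any RMM vendor's), the Python below implements steps 1 to 3 as a hunt over constructed 4688-style process records and proxy log lines: it compares RMM binaries against a hypothetical approved inventory that records each tool's expected install directory, and flags RMM installer downloads from domains outside a hypothetical vendor allowlist, calling out lookalike names such as the azuremicrosoft[.]us domain from the report. The inventory, allowlist, brand tokens, log format and every record are assumptions.

```python
import re

# Remote-access tools the report associates with Anubis affiliates (lowercase, no spaces)
RMM_TOOLS = ("screenconnect", "zohoassist", "meshagent", "remotely",
             "ultravnc", "mremoteng", "totalsoftwaredeployment")

# Hypothetical approved inventory for one organization: tool -> expected install directory
APPROVED_RMM = {"screenconnect": r"c:\program files (x86)\screenconnect client"}

# Hypothetical allowlist of vendor download domains (registrable domain only)
APPROVED_DOWNLOAD_DOMAINS = {"screenconnect.com", "microsoft.com", "zoho.com"}
BRAND_TOKENS = ("microsoft", "azure", "screenconnect", "zoho")

# Constructed 4688-style process-creation records: (host, image path, command line)
PROCESS_EVENTS = [
    ("WS01", r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe", ""),
    ("FS02", r"C:\Users\Public\ScreenConnect.ClientSetup.exe", "/silent"),
    ("DC01", r"C:\Windows\Temp\MeshAgent.exe", "-connect"),
    ("WS01", r"C:\Windows\System32\notepad.exe", ""),
]

# Constructed proxy log lines; the second mirrors the lookalike domain named in the report
PROXY_LOG = """\
2026-01-02 10:20:11 WS01 GET https://cdn.screenconnect.com/ScreenConnect.ClientSetup.exe 200
2026-01-02 10:31:45 FS02 GET https://azuremicrosoft.us/ScreenConnect.ClientSetup.exe 200
2026-01-02 10:40:02 WS01 GET https://www.microsoft.com/download/OfficeSetup.exe 200
"""


def rmm_tool_in(text):
    """Return the RMM tool name embedded in a path or URL, or None."""
    flat = text.lower().replace(" ", "")
    for tool in RMM_TOOLS:
        if tool in flat:
            return tool
    return None


def hunt_rmm_processes(events):
    """Flag RMM binaries that are not in the approved inventory, or approved
    ones running outside their expected install directory."""
    findings = []
    for host, image, _cmdline in events:
        tool = rmm_tool_in(image)
        if tool is None:
            continue
        expected_dir = APPROVED_RMM.get(tool)
        if expected_dir is None:
            findings.append((host, image, f"unapproved RMM tool: {tool}"))
        elif not image.lower().startswith(expected_dir):
            findings.append((host, image, f"approved tool {tool} running outside {expected_dir}"))
    return findings


def registrable_domain(host):
    # Last two labels are good enough for the example; use a public-suffix list in production
    return ".".join(host.lower().split(".")[-2:])


PROXY_RE = re.compile(r"^\S+ \S+ (?P<host>\S+) GET https?://(?P<domain>[^/\s]+)(?P<path>\S*)")


def hunt_installer_downloads(log_text):
    """Flag RMM installer downloads from domains outside the vendor allowlist,
    noting when the domain borrows a vendor or cloud brand name."""
    findings = []
    for line in log_text.splitlines():
        m = PROXY_RE.match(line)
        if not m or rmm_tool_in(m.group("path")) is None:
            continue  # not an RMM installer
        domain = m.group("domain")
        if registrable_domain(domain) in APPROVED_DOWNLOAD_DOMAINS:
            continue
        reason = "RMM installer downloaded from unapproved domain"
        if any(tok in domain.lower() for tok in BRAND_TOKENS):
            reason += " that imitates a vendor name"
        findings.append((m.group("host"), domain, reason))
    return findings


if __name__ == "__main__":
    for finding in hunt_rmm_processes(PROCESS_EVENTS) + hunt_installer_downloads(PROXY_LOG):
        print(finding)
```

The inventory check matters as much as the tool list: in the constructed data the approved ScreenConnect client is silent on WS01, but the same product dropped into `C:\Users\Public` on a file server is flagged, which is the case the page describes.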

3. Credential Access and Privilege Escalation

Anubis affiliates use a variety of credential theft techniques, including Mimikatz, browser password exports, and Active Directory database (ntds.dit) access to expand credential compromise. This allows attackers to move laterally and gain access to domain controllers, hypervisors, and backup infrastructure.

Step‑by‑step guide: Detecting and preventing credential theft

  1. Monitor for Mimikatz execution using the following Sigma-like rule or EDR detection logic:

    detection:
      selection:
        - Image|endswith: '\mimikatz.exe'
        - CommandLine|contains: 'sekurlsa::logonpasswords'
        - CommandLine|contains: 'lsadump::dcsync'
      condition: selection

  2. Detect ntds.dit access: attackers often use `vssadmin` to create shadow copies and extract the Active Directory database. Monitor for the following command patterns:

    vssadmin create shadow /for=C:
    copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyX\Windows\NTDS\ntds.dit C:\temp\

  3. Harden LSASS to prevent credential dumping. On Windows, enable virtualization-based security and Windows Defender Credential Guard (the values take effect at the next reboot; Group Policy or Intune can push the same settings fleet-wide):

    reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v EnableVirtualizationBasedSecurity /t REG_DWORD /d 1 /f
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LsaCfgFlags /t REG_DWORD /d 1 /f

  4. Monitor for suspicious `ntds.dit` file access via Windows Event Logs (4663) or EDR telemetry.
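The Sigma-like rule above and the vssadmin/ntds.dit command pattern can be evaluated with a small matcher. The Python below is an added example, not the Sigma project's engine and not this page's code: it implements the `endswith`, `contains` and `contains|all` modifiers with Sigma's list semantics (maps in a list are OR-ed, keys within one map are AND-ed) and runs two rules over constructed process events, including a renamed Mimikatz binary that only the command-line clause catches. The event fields, hostnames and command lines are constructed.

```python
# Minimal Sigma-style selection matcher (example code). A selection is a list
# of maps: the maps are OR-ed, the field|modifier keys inside one map are AND-ed.
RULES = {
    "mimikatz_execution": [
        {"Image|endswith": r"\mimikatz.exe"},
        {"CommandLine|contains": "sekurlsa::logonpasswords"},
        {"CommandLine|contains": "lsadump::dcsync"},
    ],
    "ntds_shadow_copy_theft": [
        {"CommandLine|contains": "vssadmin create shadow"},
        {"CommandLine|contains|all": ["harddiskvolumeshadowcopy", "ntds.dit"]},
    ],
}

# Constructed process-creation events (not real telemetry); the first is a
# renamed Mimikatz binary that the Image clause misses but the command line catches
EVENTS = [
    {"Host": "DC01", "Image": r"C:\Windows\Temp\mk.exe",
     "CommandLine": "mk.exe privilege::debug sekurlsa::logonpasswords exit"},
    {"Host": "DC01", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin create shadow /for=C:"},
    {"Host": "DC01", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\temp"},
    {"Host": "WS01", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},
    {"Host": "WS01", "Image": r"C:\Tools\mimikatz.exe", "CommandLine": "mimikatz.exe"},
]


def match_map(event, clause):
    """Every field|modifier: value pair in one map must hold (case-insensitive)."""
    for key, value in clause.items():
        field, *mods = key.split("|")
        actual = str(event.get(field, "")).lower()
        wanted = [v.lower() for v in (value if isinstance(value, list) else [value])]
        if "endswith" in mods:
            ok = any(actual.endswith(v) for v in wanted)
        elif "contains" in mods and "all" in mods:
            ok = all(v in actual for v in wanted)
        elif "contains" in mods:
            ok = any(v in actual for v in wanted)
        else:
            ok = actual in wanted  # plain equality when no modifier is given
        if not ok:
            return False
    return True


def match_selection(event, selection):
    """Sigma list semantics: any map in the list matching is enough."""
    return any(match_map(event, clause) for clause in selection)


def scan(events, rules=RULES):
    """Return (host, rule name, evidence) for every event that fires a rule."""
    alerts = []
    for ev in events:
        for name, selection in rules.items():
            if match_selection(ev, selection):
                alerts.append((ev["Host"], name, ev["CommandLine"] or ev["Image"]))
    return alerts


if __name__ == "__main__":
    for alert in scan(EVENTS):
        print(alert)
```

Note that the benign `vssadmin list shadows` on WS01 produces nothing: the ntds rule keys on shadow creation and on the shadow-copy path combined with `ntds.dit`, so it does not fire on the same inventory command the response section later recommends.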

4. Tunneling, Proxying, and Data Exfiltration

Attackers configure tunnels and proxies to maintain covert access and exfiltrate sensitive data. Observed techniques include Cloudflare Tunnel (cloudflared), authenticated HTTP proxies, and SSH-based SOCKS forwarding. For data exfiltration, Anubis affiliates deploy a suite of legitimate cloud-transfer tools, including S3 Browser, rclone, s5cmd, WinSCP, and PuTTY. Rclone is particularly prevalent, appearing in 57% of ransomware incidents.

Step‑by‑step guide: Detecting unauthorized tunneling and exfiltration

  1. Monitor for Cloudflare Tunnel (cloudflared) execution:

    ps aux | grep cloudflared

    On Windows, use:

    Get-Process -Name cloudflared -ErrorAction SilentlyContinue

  2. Detect SSH tunneling by monitoring for SSH commands with the `-D` (dynamic port forwarding) or `-L` (local port forwarding) flags. Server-side logs such as `/var/log/auth.log` record the session, not the client's flags, so pair this search with process-creation telemetry on the originating host:

    grep -E "ssh.* -D [0-9]{4,5}" /var/log/auth.log

  3. Monitor for cloud exfiltration tools, specifically rclone, s5cmd, and S3 Browser. On Linux, use auditd to track execution:

    auditctl -w /usr/bin/rclone -p x -k exfiltration
    auditctl -w /usr/bin/s5cmd -p x -k exfiltration

  4. Analyze outbound network traffic for large data transfers to cloud storage providers. Use NetFlow or Zeek to detect unusual spikes in outbound traffic:

    # generate conn.log from the capture, then rank connections by bytes the internal host sent;
    # compare the top talkers' id.resp_h against your cloud-provider IP list
    zeek -r capture.pcap
    zeek-cut id.orig_h id.resp_h id.resp_p orig_bytes < conn.log | sort -k4,4nr | head -n 20
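To turn steps 1 to 4 into something repeatable, the following Python is an added example (not from this page, from Zeek, or from any tool vendor): it parses a constructed Zeek `conn.log` excerpt, sums `orig_bytes` per internal host towards a hypothetical cloud-storage range, flags hosts over a 100 MiB threshold, and tags audited command lines that start a `cloudflared` tunnel, an SSH `-D`/`-L`/`-R` forward, or one of the exfiltration tools named above. The conn.log rows, the 198.51.100.0/24 "cloud" range, the threshold and the command lines are all constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed Zeek conn.log excerpt (tab-separated header plus a subset of
# fields); not a real capture. Byte counts show a ~1.2 GB push into one /24.
CONN_LOG = """\
ts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\torig_bytes\tresp_bytes
1767348000.0\t10.0.0.15\t51000\t198.51.100.20\t443\ttcp\t734003200\t18000
1767348010.0\t10.0.0.15\t51002\t198.51.100.21\t443\ttcp\t524288000\t12000
1767348020.0\t10.0.0.22\t51100\t203.0.113.9\t443\ttcp\t2048\t90000
1767348030.0\t10.0.0.15\t51200\t192.0.2.77\t22\ttcp\t104857600\t2048
"""

# Hypothetical cloud-storage ranges; in production load the providers' published IP lists
CLOUD_RANGES = [ipaddress.ip_network("198.51.100.0/24")]


def parse_conn_log(text):
    """Yield one dict per data row, keyed by the header fields."""
    rows = [r for r in text.splitlines() if r and not r.startswith("#")]
    header = rows[0].split("\t")
    for row in rows[1:]:
        yield dict(zip(header, row.split("\t")))


def is_cloud(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUD_RANGES)


def outbound_to_cloud(text):
    """Bytes sent by each internal host to cloud-storage ranges."""
    per_src = defaultdict(int)
    for row in parse_conn_log(text):
        if is_cloud(row["id.resp_h"]):
            per_src[row["id.orig_h"]] += int(row["orig_bytes"])
    return dict(per_src)


def flag_bulk_uploads(text, threshold_bytes=100 * 1024 * 1024):
    """Hosts whose cloud-bound volume reaches the threshold (default 100 MiB)."""
    return {src: b for src, b in outbound_to_cloud(text).items() if b >= threshold_bytes}


# Constructed command lines as collected by process auditing (auditd / Sysmon)
COMMANDS = [
    "cloudflared tunnel run --token REDACTED",
    "ssh -f -N -D 1080 svc@203.0.113.9",
    "ssh admin@fs02",
    "rclone copy /srv/finance remote:bucket --transfers 16",
    "grep -i error /var/log/syslog",
]

# cloudflared starting a tunnel, or ssh with a -D/-L/-R forward and a port number
TUNNEL_RE = re.compile(r"\bcloudflared\b.*\btunnel\b|\bssh\b.*\s-[DLR]\s*\d{2,5}\b")
EXFIL_TOOLS = ("rclone", "s5cmd", "s3browser", "winscp", "pscp")


def classify_commands(commands):
    """Tag each command line as 'tunnel', 'exfil_tool' or None."""
    tagged = []
    for cmd in commands:
        if not cmd.strip():
            continue
        first = cmd.split()[0].lower()
        if TUNNEL_RE.search(cmd):
            tagged.append((cmd, "tunnel"))
        elif first in EXFIL_TOOLS:
            tagged.append((cmd, "exfil_tool"))
        else:
            tagged.append((cmd, None))
    return tagged


if __name__ == "__main__":
    print(flag_bulk_uploads(CONN_LOG))
    for cmd, tag in classify_commands(COMMANDS):
        if tag:
            print(tag, "->", cmd)
```

The 100 MiB push over SSH to 192.0.2.77 in the sample is deliberately not flagged by the volume check, since that address is outside the cloud range; the SSH forward itself is what the command classifier is for, which is why both views are needed together.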
      

5. Defense Evasion: Tampering with Security Controls

Before deploying the ransomware encryptor, attackers take deliberate steps to impair system defenses and complicate post-incident analysis. This includes disabling Windows Defender real-time protection, SophosUninstall activity, PCHunter-related artifacts, and log clearing or manipulation.

Step‑by‑step guide: Detecting and preventing defense evasion

  1. Monitor for Windows Defender disablement:

    Get-MpPreference | Select-Object DisableRealtimeMonitoring

    Detect registry changes that disable Defender:

    Get-ChildItem -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Recurse

  2. Detect log clearing events: Event ID 1102 (audit log cleared, written to the Security log) and 104 (system log cleared, written to the System log) are critical indicators:

    Get-WinEvent -LogName Security | Where-Object { $_.Id -eq 1102 }

  3. Monitor for PCHunter, a kernel-level rootkit detection tool that can also be abused for defense evasion. Look for `PCHunter.exe` or `PCHunter64.exe` execution.

  4. Deploy EDR/XDR solutions that can detect and block tampering attempts in real time.
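A single tampering alert is easy to dismiss; the same event matters far more when it follows an RMM drop and an exfiltration tool on the same asset. The Python below is an added example (not this page's logic and not any vendor's) that maps normalized events onto the stages of the playbook described in this article and raises an alert for an entity when at least three distinct stages fall inside a 72-hour window, reporting whether they appeared in playbook order. The event schema, the tool-name lists, the window, the stage threshold and the timeline itself are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Playbook stages in the order this article describes them
STAGES = ["vpn_login", "lateral_rdp_smb", "rmm_deploy", "credential_theft",
          "exfil_tool", "defense_tamper", "log_clear"]

RMM_NAMES = ("screenconnect", "meshagent", "zoho", "ultravnc", "mremoteng")
EXFIL_NAMES = ("rclone", "s5cmd", "s3browser", "winscp")
TAMPER_NAMES = ("disablerealtimemonitoring", "sophosuninstall", "pchunter")


def classify(event):
    """Map one normalized event to a playbook stage, or None if uninteresting.
    The event shape {"entity", "ts", "kind", "detail"} is hypothetical."""
    kind, detail = event["kind"], event["detail"].lower()
    if kind == "vpn_auth":
        return "vpn_login"
    if kind == "logon" and detail in ("type 10", "type 3"):  # RDP / SMB network logon
        return "lateral_rdp_smb"
    if kind == "process":
        if any(n in detail for n in RMM_NAMES):
            return "rmm_deploy"
        if "sekurlsa::" in detail or "ntds.dit" in detail:
            return "credential_theft"
        if any(n in detail for n in EXFIL_NAMES):
            return "exfil_tool"
        if any(n in detail for n in TAMPER_NAMES):
            return "defense_tamper"
    if kind == "eventlog" and detail in ("1102", "104"):
        return "log_clear"
    return None


def correlate(events, window_hours=72, min_stages=3):
    """Group classified events per entity (host or account) and alert when at
    least min_stages distinct stages fall inside the window that ends at the
    entity's latest event; also report whether they occurred in playbook order."""
    by_entity = defaultdict(list)
    for ev in events:
        stage = classify(ev)
        if stage:
            by_entity[ev["entity"]].append((datetime.fromisoformat(ev["ts"]), stage))
    alerts = {}
    for entity, items in by_entity.items():
        items.sort()
        latest = items[-1][0]
        recent = [s for t, s in items if latest - t <= timedelta(hours=window_hours)]
        ordered = []  # distinct stages in first-seen order
        for s in recent:
            if s not in ordered:
                ordered.append(s)
        if len(ordered) >= min_stages:
            idx = [STAGES.index(s) for s in ordered]
            alerts[entity] = {"stages": ordered, "playbook_order": idx == sorted(idx)}
    return alerts


# Constructed timeline (not real telemetry). FS02 walks most of the chain;
# WS01 shows only an RDP logon followed by benign activity.
EVENTS = [
    {"entity": "FS02", "ts": "2026-01-02T09:20:00", "kind": "vpn_auth", "detail": "alice via SSL VPN"},
    {"entity": "FS02", "ts": "2026-01-02T09:45:00", "kind": "logon", "detail": "type 10"},
    {"entity": "FS02", "ts": "2026-01-02T10:31:00", "kind": "process",
     "detail": r"C:\Users\Public\ScreenConnect.ClientSetup.exe /silent"},
    {"entity": "FS02", "ts": "2026-01-03T02:10:00", "kind": "process",
     "detail": "rclone copy D:\\Finance remote:bucket"},
    {"entity": "FS02", "ts": "2026-01-03T02:40:00", "kind": "process",
     "detail": "powershell Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"entity": "FS02", "ts": "2026-01-03T02:41:00", "kind": "eventlog", "detail": "1102"},
    {"entity": "WS01", "ts": "2026-01-02T08:00:00", "kind": "logon", "detail": "type 10"},
    {"entity": "WS01", "ts": "2026-01-02T08:05:00", "kind": "process",
     "detail": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for entity, info in correlate(EVENTS).items():
        print(entity, info)
```

Attribute events to whatever entity you can join on consistently (hostname for endpoint telemetry, account name for VPN and logon records); the correlation is only as good as that join, which is why the example keeps the key explicit instead of guessing it from the event.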

6. Ransomware Deployment: Windows and Linux Encryption

Anubis encryptors are deployed on both Windows and Linux systems. Encrypted files are renamed with the `.anubis` extension, and ransom notes are named `RESTORE FILES.html`. The ransomware uses ECIES (Elliptic Curve Integrated Encryption Scheme) to protect encryption keys and is written in Go. A particularly devastating feature is the `/WIPEMODE` module, which reduces files to 0 KB, making recovery impossible regardless of ransom payment.

Step‑by‑step guide: Responding to Anubis ransomware deployment

  1. Immediately isolate affected systems to prevent further spread.

  2. Look for the `.anubis` extension and `RESTORE FILES.html` ransom notes across file shares.

  3. Check for volume shadow copy deletion; Anubis attempts to delete shadow copies to prevent recovery:

    vssadmin list shadows

  4. Restore from immutable backups; Anubis’s wiper feature makes on-site recovery nearly impossible.

What Undercode Say:

  • Attackers don’t need novel malware—they need a repeatable playbook. Anubis affiliates are not relying on sophisticated zero-days beyond the initial CitrixBleed 2 exploit; instead, they combine legitimate tools, native Windows features, and hands-on-keyboard procedures that, in isolation, resemble normal IT administration.

  • Visibility is the missing piece. Organizations must shift from signature-based detection to behavioral threat hunting—monitoring for the chain of activities (VPN login → RDP/SMB → RMM deployment → credential theft → exfiltration → encryption) rather than individual alerts.

  • MFA is not a silver bullet. CitrixBleed 2 enables attackers to hijack active sessions and bypass MFA entirely. Organizations must combine MFA with session anomaly detection and immediate revocation of suspicious sessions.

  • RMM tools are the new backdoor. Legitimate RMM solutions are trusted by security tools and blend into normal operations. Hunt for unauthorized RMM installations and monitor their configuration for external C2 endpoints.

  • The wiper changes the economics. Anubis’s `/WIPEMODE` feature creates a scorched-earth scenario that pressures victims to pay before the wiper is activated. Defenders must prioritize immutable, offline backups and rapid incident response.

  • Affiliate models scale threats. Anubis offers affiliates 80% of ransom payments, 24/7 support, and legal negotiation assistance. This RaaS model lowers the barrier to entry for cybercriminals and increases the frequency and diversity of attacks.

Prediction:

  • +1 The commoditization of ransomware through RaaS models like Anubis will accelerate the adoption of zero-trust architectures and identity-centric security, forcing organizations to finally prioritize proactive threat hunting over reactive patching.

  • -1 The exploitation of CVE-2025-5777 will continue for months, if not years, as many organizations fail to patch or misconfigure their NetScaler appliances—mirroring the original CitrixBleed (CVE-2023-4966) which remained widely exploited long after patches were available.

  • -1 The abuse of legitimate RMM tools will become the new normal for ransomware affiliates, making detection significantly harder and increasing the average dwell time from initial access to encryption.

  • +1 Threat intelligence sharing and community-driven detection rules (e.g., Sigma, YARA) will improve, enabling defenders to hunt for Anubis tradecraft more effectively—but only if organizations invest in the necessary staffing and tooling.

  • -1 The wiper functionality in Anubis signals a dangerous trend: ransomware groups may increasingly prioritize data destruction over encryption, reducing the viability of ransom payment as a recovery strategy and potentially leading to permanent data loss for unprepared organizations.

Related Video:

https://www.youtube.com/watch?v=24dfe8q7Aq4

Reported By: Flavioqueiroz Anubis – Hackers Feeds
