At a glance: Anubis attackers leverage legitimate IT tools and predictable attack patterns to infiltrate networks and prepare ransomware execution, but thereby provide organizations with detection opportunities through behavioral monitoring before encryption occurs.
Arctic Wolf Labs has analyzed the attack patterns of the Anubis ransomware group and demonstrates that the attackers do not rely on exploit kits or novel malware, but instead abuse legitimate administrative tools such as ScreenConnect, Zoho Assist, and Remote Desktop to maintain persistent network presence and escalate their privileges before executing the actual encryption.
The analysis is based on incident response investigations spanning roughly six months. The findings show that Anubis affiliates preferentially gain access through two vectors: the CitrixBleed 2 vulnerability (CVE-2025-5777) or through valid VPN credentials obtained from prior compromises or data leaks.
Once established on the network, the attackers initially operate inconspicuously and gradually escalate privileges. In contrast to massive malware campaigns, they rely on established remote administration tools: ScreenConnect, Zoho Assist, MeshAgent, Remotely, UltraVNC, and Total Software Deployment. The use of this legitimate software significantly hampers detection, since such tools are everyday operational resources in many organizations. The critical factor is not any single program, but the unusual sequence and concentration of activities.
Reconnaissance targets typically include critical infrastructure elements such as Microsoft Remote Desktop servers, domain controllers, hypervisors, backup systems, and NAS storage. In parallel, the attackers attempt to establish alternative communication channels—through cloudflared, authenticated proxies, or SSH-based SOCKS tunneling. These measures aim to obscure their activities, complicate incident response, and impede recovery.
For CISOs, the predictability of the attack chain offers detection potential: Anubis affiliates follow proven but standardized procedures. Modern defensive strategies should not rely solely on malware signatures, but continuously monitor for suspicious login attempts, unusual remote administration activity, and anomalous lateral movement within the network.
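The behavioral signal described above, the concentration of several remote-administration tools and tunneling utilities on one host within a short window rather than any single binary, can be expressed as a simple correlation rule. The following Python script is an added example, not code from Arctic Wolf Labs or the article; the log format (`timestamp|host|user|command line`), the sample events, the 24-hour window and the "two or more tool families, or one tool plus a tunnel" threshold are all constructed assumptions. It only uses the tool names the analysis itself lists (ScreenConnect, Zoho Assist, MeshAgent, Remotely, UltraVNC, Total Software Deployment, cloudflared, SSH SOCKS tunneling).

```python
"""Flag hosts where multiple remote-administration or tunneling tools appear
within a short window: a behavioral detection, not a signature match.

Added example. Log layout, sample events, window and thresholds are
constructed assumptions, not any vendor's detection content.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Tool families named in the Anubis analysis, matched case-insensitively
# against the command-line text. Mapping concrete binaries to families is
# left to the EDR/SIEM normalization layer in a real deployment.
REMOTE_ADMIN = (
    "screenconnect", "zoho assist", "meshagent", "remotely",
    "ultravnc", "total software deployment",
)
TUNNELING = ("cloudflared", "ssh -d")   # "ssh -D <port>" opens a SOCKS tunnel

# Constructed sample events: ISO timestamp | host | user | command line.
# Only DC01 shows the stacking of tools the analysis describes.
SAMPLE_LOG = """\
2025-07-01T09:12:03Z|FS01|svc_backup|C:\\Backup\\agent.exe --schedule
2025-07-01T09:40:17Z|WS22|jdoe|ScreenConnect.Client.exe --session helpdesk
2025-07-01T10:05:44Z|DC01|admin_t|ScreenConnect.Client.exe --session 8841
2025-07-01T10:31:09Z|DC01|admin_t|MeshAgent.exe -install
2025-07-01T11:02:55Z|DC01|admin_t|cloudflared tunnel run
2025-07-02T08:14:20Z|DC01|admin_t|ssh -D 1080 -N ops@relay.example
"""


def parse_line(line):
    """Split one pipe-delimited event into a dict with a datetime timestamp."""
    ts, host, user, cmd = line.split("|", 3)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "host": host,
        "user": user,
        "cmd": cmd,
    }


def classify(cmd):
    """Return the remote-admin and tunneling families referenced by a command."""
    low = cmd.lower()
    admin = {t for t in REMOTE_ADMIN if t in low}
    tunnel = {t for t in TUNNELING if t in low}
    return admin, tunnel


def find_suspicious_hosts(log_text, window_hours=24, min_admin_tools=2):
    """Flag a host when, inside one sliding window, it shows either
    `min_admin_tools` distinct remote-admin families or any remote-admin
    family together with a tunneling tool. Single-tool use is ignored,
    because one help-desk session is normal operations."""
    window = timedelta(hours=window_hours)
    events = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e["ts"],
    )
    per_host = defaultdict(list)
    for e in events:
        admin, tunnel = classify(e["cmd"])
        if admin or tunnel:
            per_host[e["host"]].append((e["ts"], admin, tunnel))

    findings = {}
    for host, evs in per_host.items():
        for i, (start, _, _) in enumerate(evs):
            admin_seen, tunnel_seen = set(), set()
            for ts, admin, tunnel in evs[i:]:
                if ts - start > window:
                    break
                admin_seen |= admin
                tunnel_seen |= tunnel
            concentrated = len(admin_seen) >= min_admin_tools
            tool_plus_tunnel = bool(admin_seen) and bool(tunnel_seen)
            if concentrated or tool_plus_tunnel:
                findings[host] = {
                    "remote_admin": sorted(admin_seen),
                    "tunneling": sorted(tunnel_seen),
                    "window_start": start.isoformat(),
                }
                break   # first qualifying window is enough to raise the alert
    return findings


if __name__ == "__main__":
    for host, detail in find_suspicious_hosts(SAMPLE_LOG).items():
        print(host, detail)
```

Run as-is, the script flags only DC01, where ScreenConnect and MeshAgent are followed by cloudflared and an SSH SOCKS tunnel within a day, while the single ScreenConnect session on WS22 stays below the threshold. In production the matching would sit on normalized process or service-installation telemetry rather than raw command lines, and the window and threshold would be tuned to how the organization's own help desk actually uses these tools.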
Source: www.it-daily.net · Published 3 July 2026
Lumi AI News — AI-assisted curation in accordance with Article 50 of the EU AI Act. Paraphrasing and classification through Lumi News Pipeline v1.7.2.