Anubis ransomware exploits CitrixBleed 2 and RMM tools

Since early 2026, Arctic Wolf has investigated multiple breaches carried out using the Anubis ransomware. The attackers combined stolen VPN credentials and exploitation of CitrixBleed 2 (CVE-2025-5777) with the misuse of legitimate RMM tools. This allowed them to remain under the radar until they encrypted data.

Many characteristics of Anubis are common among Ransomware-as-a-Service (RaaS) groups. Researchers at Arctic Wolf Labs describe a typical affiliate model, (attempted) data theft, encryption of this data, and remote wiper functionality.

Until late 2024, Anubis was known as Sphinx. In February 2025, Anubis was registered on the RAMP (Ransomware and Advanced Malware Protection) forum on the dark web. Anubis has since become a “multi-platform, multi-affiliate ecosystem,” according to the researchers. There have reportedly been 83 victims so far.

What stands out about the research is that there is no new, exotic malware involved. Instead, the affiliates rely on a practical mix of commercial tools, built-in Windows functionality, and other familiar manifestations of “regular” behavior within compromised IT environments. Taken in isolation, much of this behavior resembles standard IT management. Only when viewed as a chain does the pattern become visible, but by then, it is often already too late.

Two paths of entry

According to Arctic Wolf, initial access fell into two categories: the use of valid VPN credentials and the exploitation of vulnerabilities such as CitrixBleed 2. The latter, registered as CVE-2025-5777, is a pre-authentication vulnerability in NetScaler devices. It allows attackers to leak session tokens from memory and thus bypass multi-factor authentication (MFA).

We reported as early as mid-2025 that the flaw was easy to exploit via seemingly simple login requests. It later emerged that the vulnerability had already been exploited as a zero-day before Citrix publicly disclosed the flaw. In addition to Citrix exploitation, Arctic Wolf also observed valid Cisco AnyConnect logins originating from hosting ASNs.

Hiding among management software

Once inside, the attackers moved laterally via RDP and PsExec, targeting domain controllers, hypervisors, backup systems, and NAS devices. The most notable pattern is the use of legitimate RMM tools to maintain persistent access. Examples include ScreenConnect, Zoho Assist, MeshAgent, Remotely, UltraVNC, and Total Software Deployment.

In one instance, a ScreenConnect installer was downloaded from the domain azuremicrosoft[.]us, which was deliberately made to resemble Microsoft infrastructure. Mimikatz was frequently used to obtain credentials, alongside exports of browser passwords and access to the Active Directory database ntds.dit. Encryption began less than an hour after that database was read.

Tunnels and exfiltration

In some breaches, the attackers attempted to set up alternative outbound routes using Cloudflare, authenticated proxies, and SSH-based SOCKS tunneling. On a Synology NAS, they created their own administrator account and configured a Cloudflare Tunnel, although the logs do not confirm that the tunnel was actually working. Tools such as S3 Browser, rclone, s5cmd, WinSCP, and PuTTY were used for exfiltration.

Arctic Wolf naturally recommends that organizations patch CVE-2025-5777 immediately and terminate all active sessions after patching. In addition, the company recommends auditing RMM installations and blocking known malicious infrastructure such as azuremicrosoft[.]us and promotds[.]us. According to the researchers, the best opportunities for detection lie before encryption, when authentication anomalies, RMM deployment, and exfiltration tools begin to cluster around the same hosts.
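The detection opportunity the researchers point to, in code: the example below is added here and is not Arctic Wolf's or Anubis's code. It takes a handful of constructed, already-normalised telemetry events (VPN logins carrying a source ASN, process starts carrying a product name, installer downloads carrying a domain), maps each to one of three stages the article names (authentication anomaly, RMM deployment, exfiltration tooling) and flags a host only when two or more distinct stages land on it inside a time window. The tool and domain names come from the article; the assumption that upstream telemetry exposes a `tool`, `src_asn` and `domain` field, the host names, timestamps and the ASN list (documentation ASNs from RFC 5398 standing in for a hosting-provider list) are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Product names as the write-up lists them. Matching on a normalised "tool"
# field is an assumption about what the upstream telemetry pipeline provides.
RMM_TOOLS = {"ScreenConnect", "Zoho Assist", "MeshAgent", "Remotely",
             "UltraVNC", "Total Software Deployment"}
EXFIL_TOOLS = {"S3 Browser", "rclone", "s5cmd", "WinSCP", "PuTTY"}
# Constructed placeholder: AS64496-AS64511 are reserved for documentation
# (RFC 5398). A real deployment would load its own hosting-provider ASN list.
HOSTING_ASNS = {"AS64500", "AS64501"}
# Domains the report names as attacker infrastructure (defanged in the text).
BLOCKLISTED_DOMAINS = {"azuremicrosoft.us", "promotds.us"}


def classify(event):
    """Map one normalised event to a detection stage, or None if it is benign."""
    kind = event["kind"]
    if kind == "vpn_login" and event.get("src_asn") in HOSTING_ASNS:
        return "auth_anomaly"          # valid creds, but from hosting space
    if kind == "process" and event.get("tool") in RMM_TOOLS:
        return "rmm_deploy"
    if kind == "download" and event.get("domain", "").lower() in BLOCKLISTED_DOMAINS:
        return "rmm_deploy"            # installer pulled from lookalike infra
    if kind == "process" and event.get("tool") in EXFIL_TOOLS:
        return "exfil_tool"
    return None


def cluster_by_host(events, window_hours=24, min_stages=2):
    """Return {host: sorted stage list} for every host on which at least
    `min_stages` distinct stages occur within `window_hours` of each other.

    A single RMM install or a single rclone run on a host is not reported;
    the signal is the combination, which is what the article describes."""
    window = timedelta(hours=window_hours)
    per_host = defaultdict(list)
    for ev in events:
        stage = classify(ev)
        if stage:
            per_host[ev["host"]].append((ev["ts"], stage))

    hits = {}
    for host, items in per_host.items():
        items.sort()                      # sliding window over time-ordered stages
        for i, (t0, _) in enumerate(items):
            stages = {s for t, s in items[i:] if t - t0 <= window}
            if len(stages) >= min_stages:
                hits[host] = sorted(stages)
                break
    return hits


# Constructed sample telemetry; none of these hosts, users or times are real.
T = datetime(2026, 1, 14, 2, 0)
SAMPLE_EVENTS = [
    # fs01: hosting-ASN VPN login, lookalike-domain download, RMM agent,
    # then an exfil tool five hours later: the full pre-encryption chain.
    {"ts": T, "host": "fs01", "kind": "vpn_login", "user": "svc_backup", "src_asn": "AS64500"},
    {"ts": T + timedelta(minutes=40), "host": "fs01", "kind": "download", "domain": "azuremicrosoft.us"},
    {"ts": T + timedelta(minutes=42), "host": "fs01", "kind": "process", "tool": "ScreenConnect"},
    {"ts": T + timedelta(hours=5), "host": "fs01", "kind": "process", "tool": "rclone"},
    # ws22: help desk uses the same RMM legitimately; nothing else clusters.
    {"ts": T + timedelta(hours=1), "host": "ws22", "kind": "process", "tool": "ScreenConnect"},
    # nas01: RMM agent and a transfer tool, but four days apart (outside the window).
    {"ts": T - timedelta(days=4), "host": "nas01", "kind": "process", "tool": "MeshAgent"},
    {"ts": T + timedelta(hours=2), "host": "nas01", "kind": "process", "tool": "WinSCP"},
    # dc01: VPN login from a non-hosting ASN (constructed), classified benign.
    {"ts": T, "host": "dc01", "kind": "vpn_login", "user": "jdoe", "src_asn": "AS64510"},
]

if __name__ == "__main__":
    for host, stages in cluster_by_host(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(stages)}")
```

With the default 24-hour window only fs01 is reported; widening the window to a week also surfaces nas01, and narrowing it to an hour drops the rclone stage from fs01 but still reports the login-plus-RMM pair. The window and the `min_stages` threshold are the tuning knobs: the article's point is that each stage alone looks like administration, so the rule deliberately stays silent on single-stage hosts like ws22.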