Mallory
Malware · Ransomware · Used by 1 actor

Anubis

Anubis is a name applied in the source reporting to multiple distinct malware families and operations. Most consistently, it refers to an Android banking trojan. In that role, Anubis is described as targeting financial applications, with 377 app variants across 93 countries, and stealing credentials through keylogging, screenshot capture, SMS interception for one-time passwords, and abuse of the Android Accessibility Service. Reported Android capabilities include sending, receiving, and deleting SMS messages; stealing the device contact list; collecting the device ID; accessing contacts and location; recording audio; making calls; modifying external storage; and exfiltrating files encrypted by an onboard ransomware module. Infection vectors mentioned include malicious Android apps, including Google Play droppers named Currency Converter and BatterySaverMobi, fake system-update prompts that trick users into installing a payload APK, and broader malicious APK distribution. The dropper activity cited used motion-sensor-based anti-analysis, recovered command-and-control information from encoded Telegram and Twitter page requests, and was linked to the domain aserogeege.space and related infrastructure including IP 47.254.26.2. The reporting also notes infrastructure previously associated with the Anubis banking trojan at IP 185.141.62.123.

The same name is also used for a Python-based backdoor associated with FIN7/GrayAlpha. That Anubis backdoor is described as providing full system control via in-memory execution and using Base64-encoded communications with its command-and-control infrastructure.

Separately, Anubis is also the name of a ransomware operation and ransomware-as-a-service program. This Anubis ransomware is described as using encryption and extortion tactics, targeting mid-sized organizations, and, in one report, supporting Windows, Linux, NAS, and ESXi x64/x32 environments, using ChaCha+ECIES, elevating privileges to NT AUTHORITY\SYSTEM, self-propagating encryption across a domain, and being managed through a web panel. Reported victimology includes healthcare and critical infrastructure, with specific incidents involving Brockton Hospital/Signature Healthcare and a claimed theft of 170 GB of data from AkzoNobel. Because the source material conflates these separate families under the same name, attributing any single capability to all "Anubis" references would be inaccurate.


THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

FIN7

In its most recent campaigns, FIN7 has been observed deploying the Python-based Anubis backdoor, which provides full system control via in-memory execution and communicates with its command-and-control infrastructure using Base64-encoded data.

via Recorded Future blog (recordedfuture.com)
MITRE ATT&CK

Techniques & procedures

22 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

3 techniques
T1189 Drive-by Compromise (evidence: 1)

“This mechanism and similar techniques are the main implementation for the drive-by downloads typically associated with malvertising campaigns.”

T1566.001 Spearphishing Attachment (evidence: 1)

Email attachments continue to be the most common delivery mechanism. These typically contain macros or embedded scripts that execute malware under the guise of legitimate business communication.

T1566.002 Spearphishing Link (evidence: 1)

It will try and trick users into installing it with the fake system update seen in Figure 3.

Execution

2 techniques
T1129 Shared Modules (evidence: 1)

It highlights something particularly relevant to packing/unpacking: the use of DexClassLoader, an Android class used to load DEX executables, and, in the case of unpacking, to load the unpacked DEX.

T1204 User Execution (evidence: 1)

“an instruction manual on how to override the device’s security settings in order to enable the installation of the malicious application.”

Persistence

1 technique
T1546.008 Accessibility Features (evidence: 1)

The Anubis malware masquerades as a benign app, prompts the user to grant it accessibility rights, and also tries to steal account information.

Privilege Escalation

1 technique
T1546.008 Accessibility Features (evidence: 1)

The Anubis malware masquerades as a benign app, prompts the user to grant it accessibility rights, and also tries to steal account information.

Stealth

6 techniques
T1027 Obfuscated Files or Information (evidence: 1)

In the Android manifest, we quickly notice: 1. Names are obfuscated. That’s frequent with malware... notice the first line creates a variable which is not used: this is junk code, to make reversing complicated.

T1027.002 Software Packing (evidence: 1)

That path is not in the DEX. This typically indicates the sample is packed, and the manifest references names of an unpacked DEX that we need to recover.

T1036 Masquerading (evidence: 1)

On May 1, 2020, a new version of Android BankBot (aka Anubis, Nautilus Bot) was spotted. The malware poses as a COVID-19 alert application.

T1140 Deobfuscate/Decode Files or Information (evidence: 1)

We search in the APK and quickly spot a Pa.json among the assets. Unfortunately, it is not a DEX, nor a ZIP, but encrypted content. So, at some point the asset Pa.json is read, then decrypted, then loaded with DexClassLoader.
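The unpacking flow quoted under T1027.002 and T1140 above (an asset in the APK that is neither DEX nor ZIP, read and decrypted at runtime, then loaded with DexClassLoader) can be triaged statically before any dynamic unpacking. The script below is an added example, not code from this page or from any cited report; it builds a constructed in-memory APK containing a benign JSON asset, a DEX, and a high-entropy stand-in for the encrypted Pa.json, and flags assets whose content is opaque and near-random.

```python
import hashlib
import io
import math
import zipfile
from collections import Counter

DEX_MAGIC, ZIP_MAGIC = b"dex\n", b"PK\x03\x04"  # DEX header prefix; ZIP local file header

def shannon_entropy(data: bytes) -> float:
    # Bits per byte: text sits well below 6, encrypted or compressed data near 8.
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def classify_asset(data: bytes) -> str:
    # Content sniffing: the quoted Pa.json is neither DEX, nor ZIP, nor readable text.
    if data.startswith(DEX_MAGIC):
        return "dex"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    try:
        data.decode("utf-8")
        return "text"
    except UnicodeDecodeError:
        return "opaque"

def triage_apk_assets(apk_bytes: bytes, threshold: float = 7.0) -> list:
    # Flag assets/ entries that look like ciphertext awaiting decryption and DexClassLoader.
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir() or not info.filename.startswith("assets/"):
                continue
            data = apk.read(info.filename)
            kind, ent = classify_asset(data), shannon_entropy(data)
            findings.append({"name": info.filename, "kind": kind, "entropy": round(ent, 2),
                             "suspicious": kind == "opaque" and ent >= threshold})
    return findings

def build_sample_apk() -> bytes:
    # Constructed in-memory APK for this example only; not a real Anubis sample.
    blob = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # stand-in ciphertext
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("assets/config.json", b'{"lang": "en", "theme": "light"}')
        apk.writestr("assets/classes2.dex", DEX_MAGIC + b"035\x00" + bytes(64))
        apk.writestr("assets/Pa.json", blob)
    return buf.getvalue()
```

Run `triage_apk_assets(build_sample_apk())` to see the three verdicts; on a real APK, an opaque high-entropy asset is the file to watch for in a read-decrypt-DexClassLoader sequence during dynamic analysis.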

T1218.011 Rundll32 (evidence: 1)

Based on the signature identifier ‘Trojan:Win64/IcedID.EI!MTB’ and the loader’s execution using rundll32.exe with function scab /k accompanied by arguments such as besogon728 or pechene634 or haval462, it can be inferred that the Anubis botnet is in fact IcedID malware.

T1497 Virtualization/Sandbox Evasion (evidence: 1)

The malicious app monitors the user's steps through the device motion sensor. If it senses that the user and the device are not moving (if it lacks sensor data and thus might be running in a sandbox environment), then the malicious code will not run.

Credential Access

3 techniques
T1056 Input Capture (evidence: 1)

a copy of the Anubis banker Trojan ... intercepts and forwards the credentials for online financial transactions to criminals.

T1056.001 Keylogging (evidence: 1)

It has a built-in keylogger that can simply steal a user’s account credentials by logging the keystrokes.

T1555 Credentials from Password Stores (evidence: 1)

These malware families are specifically designed to steal credentials related to banking platforms, financial services, and cryptocurrency exchanges.

Discovery

1 technique
T1497 Virtualization/Sandbox Evasion (evidence: 1)

The malicious app monitors the user's steps through the device motion sensor. If it senses that the user and the device are not moving (if it lacks sensor data and thus might be running in a sandbox environment), then the malicious code will not run.

Collection

4 techniques
T1005 Data from Local System (evidence: 3)

Our data shows that the latest version of Anubis has been distributed to 93 different countries and targets the users of 377 variations of financial apps to farm account details. We can also see that, if Anubis successfully runs, an attacker would gain access to contact lists as well as location.

T1056 Input Capture (evidence: 1)

a copy of the Anubis banker Trojan ... intercepts and forwards the credentials for online financial transactions to criminals.

T1056.001 Keylogging (evidence: 1)

It has a built-in keylogger that can simply steal a user’s account credentials by logging the keystrokes.

T1113 Screen Capture (evidence: 1)

The malware can also take a screenshot of the infected user’s screen, which is another way to get the victim’s credentials.

Command and Control

3 techniques
T1071 Application Layer Protocol (evidence: 3)

In its most recent campaigns, FIN7 has been observed deploying the Python-based Anubis backdoor, which provides full system control via in-memory execution and communicates with its command-and-control infrastructure using Base64-encoded data.

T1071.001 Web Protocols (evidence: 1)

"...command-and-control communication..."

T1105 Ingress Tool Transfer (evidence: 3)

If the malicious code runs, then the app will try to trick the users into downloading and installing its payload APK with a fake system update.

Exfiltration

1 technique
T1041 Exfiltration Over C2 Channel (evidence: 1)

SpyNote RAT can copy files from the device to the C2 server. ViceLeaker can copy arbitrary files from the device to the C2 server, can exfiltrate browsing history, can exfiltrate the SD card structure, and can exfiltrate pictures as the user takes them. TriangleDB has collected and exfiltrated files.

Impact

1 technique
T1486 Data Encrypted for Impact (evidence: 3)

Lynx is a ransomware group operating under a double extortion model, combining encryption with data exfiltration.

INDICATORS OF COMPROMISE

IOCs tracked for this family

31 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network: 1 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes: 16 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other: 14 tracked

Other indicator types observed in public reporting.
