Arctic Wolf reported multiple 2026 intrusions tied to the Anubis ransomware-as-a-service operation in which affiliates gained initial access through abused VPN credentials and exploitation of CitrixBleed 2 (CVE-2025-5777) on NetScaler ADC and Gateway systems. The intrusions then progressed through lateral movement over RDP and SMB, credential harvesting, use of PsExec, and efforts to reduce security visibility before ransomware was deployed and files were encrypted with the .anubis extension.
Investigators said the attackers relied heavily on legitimate remote management, tunneling, and data-transfer tools during the pre-encryption phase, including ScreenConnect, Zoho Assist, MeshAgent, Remotely, UltraVNC, Total Software Deployment, cloudflared, SSH tunnels, rclone, s5cmd, and S3 Browser. The activity shows Anubis affiliates blending living-off-the-land techniques with benign-looking administration software to stage data and maintain access, giving defenders an opportunity to detect attacks earlier by treating unusual clusters of remote-access, credential, tunneling, and cloud-transfer behavior as signs of compromise rather than routine IT activity.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
2 events from the most recent confirmed update back to the earliest known activity.
Across multiple intrusions observed in 2026, affiliates of the Anubis ransomware-as-a-service operation gained initial access using valid VPN credentials and by exploiting CitrixBleed 2 (CVE-2025-5777) against NetScaler ADC and Gateway systems. Post-compromise activity included lateral movement via RDP and SMB, credential harvesting, use of legitimate RMM and tunneling tools, data staging, and eventual ransomware deployment.
On July 1, 2026, Arctic Wolf published a research blog describing the Anubis intrusions and highlighting recurring abuse of VPN infrastructure, exploitation of CitrixBleed 2, and use of legitimate RMM tools during pre-encryption phases. The report presented these behaviors as detection and containment opportunities for defenders.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.