Anubis Shows Why Ransomware Detection Has To Follow Legitimate Access
The latest Citrix Bleed 2 reporting is less about one edge flaw than a familiar chain: valid sessions, RMM tools, credential access, cloud transfer, and pressure before encryption.
Anubis is a useful ransomware story because the scary part is not exotic malware.
The sharper signal is that the intrusion path looks like normal administration until enough pieces line up: an exposed edge appliance, a valid VPN login, remote desktop movement, PsExec service creation, remote management tools, credential access, cloud-transfer utilities, and then ransomware pressure.
The attack does not need to look strange at the tool level. It needs to look coherent at the chain level.
The Hacker News, citing Arctic Wolf research, reports that Anubis affiliates have exploited Citrix Bleed 2, tracked as CVE-2025-5777, while also using valid VPN credentials in observed intrusions. From there, the activity moved through RDP, SMB, PsExec, legitimate remote monitoring and management tooling, and cloud-transfer utilities before ransomware deployment.
That is the part defenders should sit with.
The Edge Flaw Is Only The Opening
Citrix Bleed 2 matters because it sits at the edge of the environment.
The flaw affects Citrix NetScaler ADC and Gateway when configured as a Gateway or AAA virtual server, and The Hacker News describes it as a critical issue that can be abused to bypass authentication in affected configurations. Arctic Wolf has separately published mitigation guidance for Citrix Bleed 2, including upgrade guidance and session-termination considerations.
But the Anubis reporting should not be read as a single-vulnerability story.
Arctic Wolf observed two broad access patterns in the intrusions summarized by The Hacker News: exploitation of Citrix Bleed 2 and valid Cisco AnyConnect VPN logins from hosting networks. The source of those VPN credentials was not confirmed in the reporting. The possibilities named include prior compromise, initial access brokers, credential stuffing, or information-stealer activity.
That uncertainty is important. Response cannot stop at "was the appliance patched?"
If a session token, credential, or VPN account was already useful to the attacker, patching the edge is necessary but incomplete. CVE-2025-5777 is a memory overread, and the memory it exposes can contain session tokens, which is why the vendor guidance pairs the upgrade with terminating existing sessions: a token captured before the patch keeps working until the session it belongs to is killed. The live question becomes which sessions, identities, and remote access paths are still trusted because nobody has forced them to prove themselves again.
RMM Abuse Is The Camouflage
Once inside, Anubis affiliates did not need every step to be custom.
The Hacker News reports that affiliates abused legitimate remote access and administration tools, including ScreenConnect, Zoho Assist, MeshAgent, Remotely, UltraVNC, and Total Software Deployment. Those tools can be normal in an enterprise. That is exactly why they are useful.
RDP and SMB activity led into credential access, PsExec service creation, RMM deployment, and cloud-transfer tooling. In selected intrusions, attackers also configured Cloudflare Tunnel, or cloudflared, to establish tunnels into victim environments.
The defensive problem is not "block all remote administration." Most organizations cannot do that.
The defensive problem is knowing which remote administration is expected, who introduced it, where it is allowed to run, and what else happened around the same time.
An RMM install on its own may be explainable. RMM appearing after unusual VPN authentication, followed by credential access, PsExec activity, data staging, and cloud-transfer utilities, is a different signal.
That is where ransomware detection has to move: away from single-tool suspicion and toward sequence-aware control.
Credentials Become The Blast Radius
The Anubis reporting keeps returning to credentials because credentials are what turn access into scope.
After initial access and lateral movement, attackers gathered credentials to deepen the compromise. The Hacker News lists tools such as S3 Browser, rclone, s5cmd, WinSCP, and PuTTY as data-transfer or exfiltration tooling observed before ransomware deployment.
Those names are not automatically malicious. In many environments, they are routine enough to hide in noise.
The practical question is whether they appeared on the wrong host, under the wrong identity, at the wrong time, moving toward the wrong destination, after an access pattern that already looked abnormal.
The report also notes steps taken to impair defenses and complicate analysis, including Windows Defender real-time protection disablement, SophosUninstall activity, PCHunter-related artifacts, and log clearing or manipulation across systems. In at least one intrusion, an Anubis encryptor was deleted after execution, reducing on-disk evidence for later analysis.
That makes log preservation part of containment, not paperwork after the incident.
If the attacker is clearing the trail while staging data and preparing encryption, delayed evidence handling narrows the investigation window.
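What sequence-aware control looks like in practice, for the RMM-after-unusual-VPN chain above and for the wrong-host, wrong-identity, wrong-time question about transfer tools: the script below is an added example, not code from Arctic Wolf or The Hacker News. It takes normalized endpoint and VPN events, maps each to a stage of the chain the reporting describes, groups stages by identity inside a time window, and alerts only when several stages line up behind an anomalous entry or end in transfer tooling. The event schema, the sanctioned-RMM allowlist, the process names, the window and the threshold are all assumptions chosen for illustration; the sample events are constructed.

```python
"""Sequence-aware scoring of the Anubis-style access chain (added example).

Event records, process names, allowlist and thresholds are constructed for
illustration; a real pipeline would feed this from VPN, 4624/7045/1102 and
EDR process telemetry after normalization.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Binaries associated with tooling named in the reporting. Whether one is
# hostile depends on context, so they feed stages, not verdicts.
RMM_TOOLS = {"screenconnect.clientservice.exe", "zohoassist.exe", "meshagent.exe",
             "remotely_agent.exe", "winvnc.exe", "tsd.exe", "cloudflared.exe"}
TRANSFER_TOOLS = {"rclone.exe", "s5cmd.exe", "winscp.exe", "s3browser-win32.exe", "putty.exe"}
# Assumed allowlist: (host, agent) pairs where an RMM agent is expected.
SANCTIONED_RMM = {("jump01", "screenconnect.clientservice.exe")}
# Stage order used for reporting; the score counts distinct stages.
STAGES = ["vpn_hosting", "lateral", "psexec", "rmm", "cred_access",
          "defense_impair", "transfer_tool", "log_clear"]

def classify(ev):
    """Map one normalized event to a chain stage, or None if it is not one."""
    kind = ev["kind"]
    if kind == "vpn_login" and ev.get("src_net") == "hosting":
        return "vpn_hosting"
    if kind == "logon" and ev.get("logon_type") == 10:      # RDP: 4624 logon type 10
        return "lateral"
    if kind == "service_install" and ev.get("service", "").upper() == "PSEXESVC":
        return "psexec"                                     # PsExec service creation (7045)
    if kind == "process":
        name = ev.get("image", "").lower()
        if name in RMM_TOOLS and (ev["host"], name) not in SANCTIONED_RMM:
            return "rmm"
        if name in TRANSFER_TOOLS:
            return "transfer_tool"
        cmd = ev.get("cmdline", "").lower()
        if "disablerealtimemonitoring" in cmd or "sophosuninstall" in name:
            return "defense_impair"
    if kind == "lsass_access":
        return "cred_access"
    if kind == "audit_log_cleared":                         # Security log cleared (1102)
        return "log_clear"
    return None

@dataclass
class Chain:
    identity: str
    stages: list = field(default_factory=list)   # (time, stage, host), time-ordered
    hosts: set = field(default_factory=set)

    def distinct_stages(self):
        return [s for s in STAGES if any(st == s for _, st, _ in self.stages)]

def build_chains(events, window=timedelta(hours=72)):
    """Group stage-bearing events by identity, keeping those within `window`
    of that identity's first stage. Returns {identity: Chain}."""
    chains = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        stage = classify(ev)
        if stage is None:
            continue
        chain = chains.setdefault(ev["user"], Chain(ev["user"]))
        if chain.stages and ev["time"] - chain.stages[0][0] > window:
            continue   # outside the window; a real pipeline would open a new chain
        chain.stages.append((ev["time"], stage, ev["host"]))
        chain.hosts.add(ev["host"])
    return chains

def alerts(events, threshold=3):
    """Identities with at least `threshold` distinct stages whose chain either
    opened with an anomalous VPN login or reached transfer tooling."""
    out = []
    for chain in build_chains(events).values():
        stages = chain.distinct_stages()
        anomalous_entry = chain.stages[0][1] == "vpn_hosting"
        if len(stages) >= threshold and (anomalous_entry or "transfer_tool" in stages):
            out.append((chain.identity, stages, sorted(chain.hosts)))
    return out

# Constructed sample: one sanctioned admin session and one attacker chain.
T0 = datetime(2025, 7, 1, 2, 0)
def at(minutes):
    return T0 + timedelta(minutes=minutes)

SAMPLE_EVENTS = [
    {"time": at(0),  "user": "jdoe", "host": "jump01", "kind": "vpn_login", "src_net": "corporate"},
    {"time": at(5),  "user": "jdoe", "host": "jump01", "kind": "process", "image": "ScreenConnect.ClientService.exe"},
    {"time": at(0),  "user": "svc-backup", "host": "vpn-gw", "kind": "vpn_login", "src_net": "hosting"},
    {"time": at(12), "user": "svc-backup", "host": "fs01", "kind": "logon", "logon_type": 10},
    {"time": at(30), "user": "svc-backup", "host": "fs01", "kind": "service_install", "service": "PSEXESVC"},
    {"time": at(41), "user": "svc-backup", "host": "fs01", "kind": "process", "image": "MeshAgent.exe"},
    {"time": at(55), "user": "svc-backup", "host": "fs01", "kind": "lsass_access"},
    {"time": at(70), "user": "svc-backup", "host": "fs01", "kind": "process", "image": "powershell.exe",
     "cmdline": "Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"time": at(90), "user": "svc-backup", "host": "fs01", "kind": "process", "image": "rclone.exe",
     "cmdline": "rclone copy D:\\Finance remote:bucket"},
    {"time": at(120), "user": "svc-backup", "host": "fs01", "kind": "audit_log_cleared"},
]

if __name__ == "__main__":
    for identity, stages, hosts in alerts(SAMPLE_EVENTS):
        print(f"ALERT {identity}: {' -> '.join(stages)} on {hosts}")
```

The sanctioned ScreenConnect agent on the jump host never becomes a stage, so the administrator produces no chain at all, while the same agent on a file server would. That is the design choice worth keeping: the tool name selects a stage, the allowlist and the surrounding sequence decide whether it matters, and the identity, not the host, is the grouping key, because the identity is what the attacker carries from the VPN gateway to the file server.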
The Wiper Changes The Negotiation Pressure
Anubis is not only another affiliate ransomware name.
The Hacker News describes Anubis as a ransomware-as-a-service operation that emerged in late 2024 as a rebrand of Sphinx and was formally announced on the RAMP underground forum in February 2025. It also cites Ransomware.Live data showing 91 claimed victims, with 11 reported in June 2026, and notes that more than half were in the United States.
The operational pressure is sharpened by the wiper feature previously described by Rubrik Zero Labs and summarized in The Hacker News. When the Anubis `/WIPEMODE` module is activated, files remain in directories but are reduced to zero-byte files, according to that reporting.
The point is not to dramatize the payload. The point is that recovery assumptions change when an operator can combine data theft, encryption, and destructive pressure.
Backups, identity resets, evidence preservation, and communications readiness all have to be ready before the ransom note. If the organization discovers the chain only at encryption time, it is already negotiating from a worse position.
The Control Move Is Boring And Hard
The useful response to this report is not a new panic project. It is disciplined control over the access paths ransomware affiliates are already using.
Patch and verify NetScaler exposure. Terminate and re-establish relevant sessions where guidance calls for it. Review VPN authentication from hosting networks and unfamiliar geography. Rotate credentials tied to suspicious remote access. Restrict RDP, SMB, and PsExec use to known administrative paths. Inventory RMM tools and remove anything unauthorized. Preserve logs early. Review cloud-transfer activity on servers that should not be staging data. Rebuild affected hosts from trusted baselines when compromise is confirmed.
None of that is glamorous. It is also where this class of ransomware becomes visible.
Citrix Bleed 2 is the headline because edge flaws create urgency. Anubis is the more durable lesson because the chain after entry is familiar, legitimate-looking, and repeatable.
That is the uncomfortable shape of modern ransomware: less cinematic malware, more borrowed administration.