Anubis Ransomware Hits 91 Victims: Citrix Bleed 2 Bypasses MFA Before Encryption


A ransomware operation that emerged barely 19 months ago has claimed 91 victims — 11 of them in June 2026 alone — by exploiting a critical pre-authentication vulnerability in Citrix NetScaler appliances to steal session tokens without ever touching a user’s password, then hiding its persistence inside the same commercial remote management tools that IT teams use every day. Defenders who patch CVE-2025-5777 and consider the job finished are still at risk: tokens extracted before the patch was applied remain valid until explicitly revoked, and no antivirus signature flags a legitimate ScreenConnect installer.

Arctic Wolf Labs published its full investigation of the Anubis ransomware-as-a-service operation on July 1, 2026, documenting intrusions across healthcare, financial services, manufacturing, and technology sectors throughout this year. The report named six commercial remote monitoring and management (RMM) tools — ScreenConnect, Zoho Assist, MeshAgent, Remotely, UltraVNC, and Total Software Deployment — as the consistent post-intrusion foothold across every observed case. More than half of the 91 confirmed victims are US-based, with the remainder concentrated in the United Kingdom, Australia, France, and Canada.

How Citrix Bleed 2 Bypasses Every Authentication Control You Have

CVE-2025-5777, which researchers dubbed Citrix Bleed 2 in reference to the 2023 CVE-2023-4966 campaign that preceded it, is a pre-authentication memory disclosure vulnerability in Citrix NetScaler ADC and Gateway appliances. The flaw is present only when the appliance is configured as a Gateway — VPN virtual server, ICA Proxy, CVPN, or RDP Proxy — or as an AAA virtual server. Default configurations are unaffected; the subset of exposed appliances is narrower than the full NetScaler population, but the attack surface remained large. Internet scanning firm Censys documented 69,237 exposed instances at the time of disclosure in June 2025, and threat intelligence firm Imperva recorded more than 11.5 million attack attempts targeting the flaw, with 39.1% aimed at the financial services industry.

The exploitation mechanism does not require guessing a password, bypassing a CAPTCHA, or fooling a user. An attacker sends a crafted HTTP POST request to the appliance’s authentication endpoint. Because of insufficient input validation in the authentication handler, the appliance returns an XML response containing approximately 127 bytes of uninitialized stack memory — memory that frequently holds active session tokens belonging to currently-logged-in users. The attacker replays the stolen token against the Gateway portal and assumes that user’s authenticated session, including any multi-factor authentication clearance the user already provided. The token appears valid to the appliance because it is valid. No MFA challenge fires.

GreyNoise documented active exploitation beginning June 23, 2025, nearly two weeks before any public proof-of-concept was released. Security researcher Kevin Beaumont noted that one of the scanning IP addresses had previously been linked to RansomHub ransomware activity, suggesting opportunistic criminal operators found and weaponized the flaw with unusual speed. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on July 10, 2025, mandating that federal civilian agencies patch within 24 hours.

Citrix released fixed builds for NetScaler ADC and Gateway versions 14.1, 13.1, 13.1-FIPS, and 13.1-NDcPP. Organizations running versions 12.1 and 13.0 — both End-of-Life as of 2025 — have no patch available and remain permanently vulnerable. Patching alone is not sufficient. Citrix’s official guidance requires administrators to kill all active sessions after applying the fix. An organization that patches the appliance but does not run the CLI commands kill icaconnection -all, kill pcoipConnection -all, and clear aaa session -all may still have active sessions in memory that were established by an attacker who exploited the flaw before the patch was applied. In the intrusions Arctic Wolf documented, attackers exploiting CVE-2025-5777 consistently operated from IP addresses associated with virtual private server hosting providers — a distinctive fingerprint, since legitimate employee VPN logins almost always originate from residential or business broadband addresses.

Anubis: What 91 Claimed Victims Reveal About the Operation

Anubis emerged in December 2024 as a rebrand of Sphinx ransomware — a rebranding signaled by the change in encrypted file extension from .sphinx to .anubis. The group formally announced its affiliate program on the RAMP (Ransomware and Advanced Malware Protection) criminal underground forum on February 23, 2025, and has since expanded into what Arctic Wolf described as a multi-platform, multi-affiliate ecosystem capable of encrypting both Windows and Linux systems.

The operation’s affiliate terms are unusually attractive by ransomware market standards. Rubrik Zero Labs documented in a July 2025 report that Anubis offers affiliates 80% of ransom payments — above the 70/30 split typical of most ransomware-as-a-service programs — and pairs that offer with an optional destructive wiper module. When the /WIPEMODE command is activated, files remain in their directories but their contents are reduced to zero bytes regardless of whether the victim has paid a ransom or is in active negotiation. Rubrik noted that “knowing threat actors can revert victims’ environments to this scorched-earth state with a single command significantly increases pressure on victims to pay before the wiper is fully activated.”

The 91 victims publicly listed on Anubis’s data leak site almost certainly undercount the true impact. Victims who pay a ransom without their name ever appearing on the leak site are not included in that figure, and the healthcare sector — where Anubis has concentrated roughly half its activity — faces the additional pressure that operational disruption directly affects patient care. Comparitech tracking identified 35 confirmed Anubis attacks in 2026 as of early June 2026, 17 of them against US healthcare entities. Among documented victims, Singing River Health System in Mississippi confirmed in February 2026 that a December 2025 breach affected approximately 53,888 patients, exposing Social Security numbers, dates of birth, treatment records, medication lists, and bank account information. The attack was the network’s second ransomware breach in two years. In April 2026, Anubis claimed to have stolen two terabytes of patient data from Massachusetts-based Signature Healthcare, then removed the victim from its leak site — a pattern that typically indicates ransom negotiation.

When Your IT Tools Become the Attacker’s Camouflage

The most operationally significant finding in Arctic Wolf’s report is not the Citrix vulnerability — that is a known exploitable CVE with a patch and a CISA mandate. The finding that demands structural attention is the systematic weaponization of legitimate commercial RMM software to create persistence that is nearly indistinguishable from routine IT activity.

In every intrusion Arctic Wolf reviewed, affiliates installed one or more of the following tools shortly after gaining initial access: ScreenConnect (ConnectWise), Zoho Assist, MeshAgent, Remotely, UltraVNC, and Total Software Deployment. Each of these products is sold to enterprise IT teams for legitimate purposes. Each provides the same functional capabilities an attacker needs for persistent access: remote desktop, file transfer, remote code execution, and service-based persistence. And each, by default, is trusted by enterprise security configurations that allowlist known commercial software vendors.

In the Anubis intrusions, ScreenConnect communicated with relay infrastructure at relay.promotds[.]us — a domain crafted to resemble Microsoft infrastructure. Its installer was downloaded from azuremicrosoft[.]us, a typosquatted domain designed to deceive both automated security tools and human analysts reviewing proxy logs. Zoho Assist artifacts appeared across multiple systems simultaneously in single environments. MeshAgent was deployed under disguised filenames — mvtcs.exe and sysagent.exe — with persistence reinforced by a scheduled task named MeshUserTask. Total Software Deployment was used to push agents across multiple hosts at once, producing service-installation telemetry that a defender could plausibly mistake for authorized software deployment.

The detection principle Arctic Wolf identified applies beyond Anubis: no legitimate IT team deploys multiple competing remote management platforms within the same short timeframe. ScreenConnect and Zoho Assist and MeshAgent appearing in the same environment within hours of each other is not a routine IT workflow. Organizations that monitor for this pattern specifically — the rapid installation of multiple RMM tools, especially when those installations cluster around unusual authentication events or VPN logins from hosting-provider IP ranges — can intervene before the encryptor stages.

Arctic Wolf’s conclusion deserves emphasis: “The most important defensive pattern is not any single indicator or tool, but the sequence of activity: suspicious remote access → unusual RDP or SMB movement → unauthorized RMM deployment → credential access → security control tampering → exfiltration tooling → staged ransomware execution.”

Kernel-Level Evasion: How Anubis Shuts Down Your Security Before Encryption

Before deploying the Anubis encryptor, affiliates worked to disable the endpoint defenses that would detect it. Arctic Wolf documented PCHunter artifacts across multiple intrusions. PCHunter is a kernel-level inspection tool commonly used in Bring Your Own Vulnerable Driver (BYOVD) attacks to interact with Ring-0 kernel structures, terminate protected endpoint detection and response (EDR) processes, and disable telemetry. Standard EDR tamper-protection operates at user-mode privilege level and cannot prevent an attacker who has already reached Ring-0.

The evasion activity Arctic Wolf documented was consistent across intrusions: Windows Defender real-time protection was disabled, Sophos endpoint agents faced uninstallation attempts using SophosUninstall, and event logs across System, PowerShell, Task Scheduler, AppLocker, and Windows Defender log channels were cleared or manipulated. In at least one documented intrusion, the Anubis encryptor binary itself was deleted after execution, removing the primary on-disk artifact an incident responder would look for.

Active Directory credential theft followed a predictable pattern. Mimikatz was staged in user-accessible directories — C:\Users\Public\Videos\mimikatz.exe and similar paths. Files explicitly named Chrome Passwords.csv and Microsoft Edge Passwords.csv appeared in multiple intrusion environments, consistent with manual export of saved browser credentials rather than in-memory extraction — a technique that captures VPN credentials, cloud portal access, and SaaS application passwords alongside domain credentials. Most critically, copies of the Active Directory ntds.dit database were created under C:\audit\Active Directory\ntds.dit and archived immediately. In at least one intrusion, encryption began across the environment within an hour of the ntds.dit copy being saved — a sub-one-hour window that leaves almost no time for detection and response once that specific event occurs.

Supply Chain Credentials Add a Second Attack Path

Anubis affiliates also incorporated credentials harvested through software supply chain attacks — an initial access vector that is structurally distinct from exploiting a CVE because the credentials appear entirely legitimate. They were legitimately issued. The compromise happened upstream.

Sophos Counter Threat Unit published a concurrent investigation on July 3, 2026, documenting a formal partnership between criminal groups VECT and TeamPCP announced in March 2026. TeamPCP had, between March 19 and March 27, 2026, conducted cascading supply chain attacks against four widely-deployed security and developer tools: Aqua Security’s Trivy vulnerability scanner, Checkmarx KICS, the BerriAI LiteLLM AI gateway library (which handles roughly 96 million downloads monthly), and the Telnyx Python SDK. Malicious payloads injected into these tools’ CI/CD pipelines harvested cloud provider credentials, API keys, SSH keys, GitHub Personal Access Tokens, and Kubernetes secrets from any organization that ran the poisoned versions. The stolen credentials were then handed to VECT, which deployed ransomware against organizations compromised in those campaigns.

Sophos characterized the combined operation as representing “an unprecedented model of industrialized ransomware deployment that significantly lowers the barrier to entry for cybercrime.” Rafe Pilling, Sophos’s director of threat intelligence, noted that “the software development environment has quietly become one of the most consequential and least governed attack surfaces in the enterprise.” The FBI issued its own Flash alert on TeamPCP and its supply chain operations, warning that TeamPCP-sourced credentials should be treated as a persistent risk even after initial remediation, as affiliated threat actors may retain copies for months before using them.

The Anubis connection to this broader supply chain ecosystem means that organizations that used Trivy, Checkmarx KICS, LiteLLM, or the Telnyx Python SDK in their CI/CD pipelines during March 2026 and have not rotated all pipeline-accessible credentials should treat those environments as potentially pre-compromised — independent of whether they have ever run Citrix infrastructure.

How to Detect Anubis Before the Encryptor Runs

Arctic Wolf’s recommendations focus on detection before encryption, which remains the point at which defenders still have meaningful options.

Patch CVE-2025-5777 and kill all sessions. Organizations running Citrix NetScaler ADC or Gateway should verify patch status against the specific vulnerable builds documented in Citrix advisory CTX693420. After applying the patch, run the three session-termination commands on the NetScaler CLI: kill icaconnection -all, kill pcoipConnection -all, and clear aaa session -all. Patching without session termination leaves any tokens that were already extracted by an attacker in a valid, exploitable state.

Treat multiple simultaneous RMM installs as a high-severity event. Maintain a documented allowlist of approved remote management tools. Alert on any installation outside that list. Configure automated response to trigger when multiple distinct RMM products are installed within a short window on the same device — no legitimate IT operation does this. Block the two typosquatted domains at the network perimeter: azuremicrosoft[.]us and promotds[.]us. The complete IOC list, including file hashes, additional network indicators, and MITRE ATT&CK mappings, is publicly available in Arctic Wolf’s GitHub repository.

Segment backup, hypervisor, and NAS infrastructure. Anubis affiliates consistently targeted NAS devices, Hyper-V servers, and backup systems as both credential sources and encryption targets. Domain controller virtual disks accessible through Hyper-V storage can expose credential material if an attacker reaches the hypervisor management plane. These systems should be isolated from general-purpose endpoints, require multi-factor authentication for all administrative access, and generate alerts for any unusual interactive login.

Watch for ntds.dit access as a pre-encryption tripwire. The creation of an ntds.dit copy in a non-standard location — particularly under user-profile paths or audit directories — is one of the most reliable pre-encryption indicators in the Anubis chain. Organizations whose file-creation monitoring fires on this specific event in user-writable directories have, in theory, a sub-one-hour window to contain the intrusion before encryption begins. In practice, that window requires automated response, not a human reviewing an alert queue.

Audit CI/CD pipeline credentials. Organizations that incorporated Trivy GitHub Actions, Checkmarx KICS, LiteLLM versions 1.82.7 or 1.82.8, or Telnyx Python SDK versions 4.87.1 or 4.87.2 into CI/CD pipelines during March 2026 should treat all cloud provider credentials, API keys, SSH keys, and GitHub tokens accessible in those pipelines as compromised and rotate them immediately, regardless of whether an Anubis-attributed intrusion has been confirmed. The Palo Alto Networks Unit42 analysis of TeamPCP supply chain attacks provides additional technical details on the credential-harvesting payloads and affected pipeline configurations.


Frequently Asked Questions

What is CVE-2025-5777 (Citrix Bleed 2) and why is it especially dangerous?

CVE-2025-5777 is a pre-authentication memory disclosure vulnerability in Citrix NetScaler ADC and Gateway appliances. It is “pre-authentication” in the most literal sense: an attacker does not need a username, a password, or any other credential to exploit it. By sending a crafted request to the authentication endpoint, the attacker receives uninitialized memory that frequently contains active session tokens from logged-in users. Those tokens can be replayed to impersonate legitimate users, including bypassing multi-factor authentication, because the appliance cannot distinguish a replayed valid token from the original session. CISA added it to its Known Exploited Vulnerabilities catalog in July 2025. The original Citrix Bleed (CVE-2023-4966) in 2023 was exploited at scale by dozens of ransomware groups before most organizations patched — the 2025 version follows an identical exploitation pattern.

Why does patching not fully solve the Citrix Bleed 2 problem?

Patching closes the hole in the appliance, so no new tokens can be extracted. But session tokens that were already stolen before the patch was applied remain valid indefinitely unless they are explicitly invalidated. An attacker who extracted a session token on Monday still controls a valid authenticated session on Friday even if the organization patched on Tuesday. Citrix’s remediation guidance requires administrators to run specific CLI commands that kill all active ICA connections, PCoIP connections, and AAA sessions after applying the firmware update. Organizations that skipped this step remain exposed to any tokens already in the hands of threat actors.

Why would ransomware attackers use legitimate IT software instead of custom malware?

Because enterprise security is largely built on the assumption that signed, commercial software from known vendors is safe. Antivirus and endpoint detection tools are tuned to flag unfamiliar executables, obfuscated scripts, and known malware signatures — not ScreenConnect or Zoho Assist, which are used daily by IT teams for legitimate remote support. By routing their persistence and remote access through commercial RMM tools, Anubis affiliates benefit from the same implicit trust enterprise configurations extend to those vendors. The detection shift this demands is behavioral, not signature-based: the signal is not the tool itself but the pattern — multiple competing RMM products installed within hours, on systems that were previously receiving unusual VPN login activity.

How do I check if my CI/CD pipelines were exposed in the TeamPCP supply chain attacks?

Organizations that used Aqua Security’s Trivy GitHub Actions, Checkmarx KICS, BerriAI LiteLLM (versions 1.82.7 or 1.82.8), or the Telnyx Python SDK (versions 4.87.1 or 4.87.2) between March 19 and March 27, 2026, should assume their pipeline-accessible credentials were harvested. Check your pipeline logs for use of those tool versions, audit your GitHub organization for unexpected repositories containing names like tpcp-docs or docs-tpcp (a secondary persistence mechanism TeamPCP used), and rotate all secrets accessible from the affected runner environments — including cloud provider tokens, API keys, and Kubernetes service account credentials. The FBI’s Flash alert on TeamPCP provides additional indicators of compromise and recommended detection steps.
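An added example of the pipeline audit that this answer and the "Audit CI/CD pipeline credentials" recommendation above call for; it is not the FBI's, Unit42's or any vendor's tooling. Given a dependency pin file, a GitHub Actions workflow and a list of repository names (all constructed here), it reports pins of the affected LiteLLM and Telnyx releases, workflow steps that use the Trivy or KICS actions (flagged for manual version review, since the article gives no action version), repositories matching the tpcp-docs / docs-tpcp pattern, and the full list of workflow secrets to rotate. Assumptions: the PyPI project names are litellm and telnyx, and the actions in question are aquasecurity/trivy-action and checkmarx/kics-github-action.

```python
"""CI/CD exposure audit for the TeamPCP supply chain campaign described above.

Added example, not the FBI's, Unit42's or any vendor's tooling. Affected
package versions and the repo-name pattern are from the article; the PyPI
names and GitHub Action names are assumptions; all inputs are constructed.
"""
import re

AFFECTED_VERSIONS = {"litellm": {"1.82.7", "1.82.8"}, "telnyx": {"4.87.1", "4.87.2"}}  # from the article
REVIEW_ACTIONS = ("aquasecurity/trivy-action", "checkmarx/kics-github-action")       # assumption
SUSPICIOUS_REPO_RE = re.compile(r"(^|[-_])(tpcp-docs|docs-tpcp)($|[-_])", re.IGNORECASE)

# pkg[extras]==version ; comments and markers after the version are ignored
PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([0-9][^\s;#]*)")
# "- uses: owner/action@ref" lines in a workflow file (no YAML parser needed for this check)
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"@]+)(?:@([^\s'\"]+))?", re.MULTILINE)
SECRET_RE = re.compile(r"secrets\.([A-Za-z0-9_]+)")

REQUIREMENTS = """# constructed sample pin file
requests==2.32.3
litellm[proxy]==1.82.7
telnyx==4.86.0   # not an affected release
"""
WORKFLOW = """# constructed sample .github/workflows/ci.yml
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@PINNED_TAG
        with:
          scan-type: fs
      - name: deploy
        run: ./deploy.sh
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          KUBECONFIG_DATA: ${{ secrets.KUBE_CONFIG }}
          GH_PAT: ${{ secrets.DEPLOY_PAT }}
"""
ORG_REPOS = ["payments-api", "infra", "tpcp-docs"]  # constructed


def _norm(name: str) -> str:
    """PyPI-style normalisation so Telnyx / telnyx / LiteLLM compare equal."""
    return name.lower().replace("_", "-")


def affected_pins(requirements: str) -> list[tuple[str, str]]:
    """Pins of exactly the affected releases; other versions of the same packages are not flagged."""
    hits = []
    for line in requirements.splitlines():
        m = PIN_RE.match(line)
        if m and m.group(2) in AFFECTED_VERSIONS.get(_norm(m.group(1)), set()):
            hits.append((_norm(m.group(1)), m.group(2)))
    return hits


def flagged_actions(workflow: str) -> list[str]:
    """Steps using the Trivy or KICS actions, returned with their ref for manual review."""
    return [f"{a}@{ref}" if ref else a
            for a, ref in USES_RE.findall(workflow) if a.lower() in REVIEW_ACTIONS]


def secrets_referenced(workflow: str) -> list[str]:
    """Every secret the workflow can read; all of these are reachable from a poisoned step."""
    return sorted(set(SECRET_RE.findall(workflow)))


def suspicious_repos(names: list[str]) -> list[str]:
    return [n for n in names if SUSPICIOUS_REPO_RE.search(n)]


def audit(requirements: str, workflow: str, repos: list[str]) -> dict:
    pins = affected_pins(requirements)
    actions = flagged_actions(workflow)
    repos_hit = suspicious_repos(repos)
    exposed = bool(pins or actions or repos_hit)
    return {
        "affected_pins": pins,
        "actions_to_review": actions,
        "suspicious_repos": repos_hit,
        "rotate": secrets_referenced(workflow) if exposed else [],
        "exposed": exposed,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit(REQUIREMENTS, WORKFLOW, ORG_REPOS), indent=2))
```

Running the audit on the constructed inputs reports the litellm 1.82.7 pin, the Trivy step and the tpcp-docs repository, and lists the four secrets the workflow exposes as the rotation set. The rotation list is intentionally derived from the workflow rather than from the flagged step alone: a poisoned step runs with the same environment as the rest of the job, so every secret the job can read is in scope.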


