← All articles

Anubis ransomware hides in legitimate remote-management tools after breaching via Citrix

Arctic Wolf detailed how affiliates of the Anubis ransomware group break in and stay hidden, drawing on intrusions across healthcare, finance, and manufacturing this year. Initial access came from stolen VPN credentials and from exploiting CitrixBleed 2, a NetScaler flaw that leaks session tokens from memory and lets attackers bypass multi-factor authentication. Once inside, the affiliates leaned on legitimate remote-management software such as ScreenConnect, Zoho Assist, and MeshAgent to blend in with normal IT activity, moving through networks with RDP and PsExec toward domain controllers, backups, and storage devices. They stole data using common cloud-transfer tools before encrypting anything, which is exactly where defenders have the best chance to catch them.

Check
Patch NetScaler against CitrixBleed 2 and terminate all active sessions afterward, then audit your environment for remote-management tools like ScreenConnect, Zoho Assist, or MeshAgent that IT did not deploy.
Affected
Organizations running unpatched Citrix NetScaler Gateways or reusable VPN credentials; Anubis affiliates use these to get in, then hide inside legitimate remote-management tools while stealing data ahead of encryption.
Fix
Patch CitrixBleed 2 and kill existing sessions, enforce phishing-resistant MFA on VPNs, allowlist approved remote-management tools and alert on any others, and watch for RMM installs and exfiltration tools clustering together.