Arctic Wolf detailed how affiliates of the Anubis ransomware group break in and stay hidden, drawing on intrusions across healthcare, finance, and manufacturing this year. Initial access came from stolen VPN credentials and from exploiting CitrixBleed 2, a NetScaler flaw that leaks session tokens from memory and lets attackers bypass multi-factor authentication. Once inside, the affiliates leaned on legitimate remote-management software such as ScreenConnect, Zoho Assist, and MeshAgent to blend in with normal IT activity, moving through networks with RDP and PsExec toward domain controllers, backups, and storage devices. They stole data using common cloud-transfer tools before encrypting anything, which is exactly where defenders have the best chance to catch them.