Arctic Wolf found that Anubis ransomware affiliates used valid VPN credentials and exploited CitrixBleed 2 (CVE-2025-5777) to gain initial access, then relied on legitimate RMM tools, RDP, PsExec, and tunneling utilities to move through victim networks and maintain persistence. The campaign targeted critical infrastructure such as domain controllers, hypervisors, backup systems, and NAS devices, with exfiltration and defense evasion often occurring before Anubis encryption began. #Anubis #CitrixBleed2 #CVE20255777 #ScreenConnect #ZohoAssist #MeshAgent #cloudflared
Key points
- Anubis intrusions began with valid VPN logins or exploitation of CitrixBleed 2.
- Threat actors used RDP and PsExec for hands-on-keyboard lateral movement.
- Legitimate RMM tools like ScreenConnect, Zoho Assist, and MeshAgent were abused for persistence.
- Attackers targeted domain controllers, hypervisors, backup systems, and NAS devices.
- Exfiltration and tunneling tools such as cloudflared, rclone, and s5cmd supported pre-encryption activity.
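As an added example that is not part of the Arctic Wolf write-up, the following Python scan runs over constructed JSON-lines process events and flags the RMM, tunneling/exfiltration and PsExec tooling named in the key points, raising severity when it appears on the tier-0 asset classes the campaign targeted. The event field names, the image-path substrings and the tier-0 host list are assumptions to be mapped onto your own telemetry and inventory.

```python
import json

# Lowercase substrings matched against the process image path. Assumptions
# derived from the product names in the write-up, not verified binary names.
WATCHLIST = {
    "rmm_persistence": ("screenconnect", "zohoassist", "zoho assist", "meshagent"),
    "tunnel_or_exfil": ("cloudflared", "rclone", "s5cmd"),
    "lateral_movement": ("psexec", "psexesvc"),
}
# Constructed tier-0 set: the write-up names DCs, hypervisors, backups and NAS as targets.
TIER0_HOSTS = {"dc01", "esxi01", "backup01", "nas01"}


def classify(event):
    """Return the watchlist category for one process event, or None."""
    image = event.get("image", "").lower()
    for category, needles in WATCHLIST.items():
        if any(n in image for n in needles):
            return category
    return None


def scan(lines):
    """Scan JSON-lines process events and return a list of findings."""
    findings = []
    for raw in lines:
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # blank or malformed line: skip it rather than abort the scan
        category = classify(event)
        if category is None:
            continue
        host = event.get("host", "").lower()
        # Tunneling/exfil tooling is high wherever it runs; RMM agents and PsExec
        # are high on tier-0 assets and medium elsewhere, for analyst triage.
        severity = "high" if category == "tunnel_or_exfil" or host in TIER0_HOSTS else "medium"
        findings.append({"host": host, "user": event.get("user"), "image": event.get("image"),
                         "category": category, "severity": severity})
    return findings


# Constructed sample telemetry, not data from the Arctic Wolf report.
SAMPLE_EVENTS = r"""
{"host": "WS-042", "user": "corp\\jdoe", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"}
{"host": "DC01", "user": "corp\\svc_backup", "image": "C:\\Windows\\PSEXESVC.exe"}
{"host": "FS-03", "user": "NT AUTHORITY\\SYSTEM", "image": "C:\\ProgramData\\MeshAgent\\MeshAgent.exe"}
{"host": "BACKUP01", "user": "corp\\svc_backup", "image": "C:\\Temp\\rclone.exe"}
{"host": "WS-017", "user": "corp\\jdoe", "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\cloudflared.exe"}
this line is not JSON
"""
```

Running `scan(SAMPLE_EVENTS.splitlines())` yields four findings: the PsExec service on the domain controller and the two tunneling tools at high severity, the MeshAgent install on a file server at medium.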