Anubis ransomware affiliates are exploiting Citrix Bleed 2 (CVE-2025-5777) to break into corporate networks, according to a July 2026 report from Arctic Wolf. Once inside, the affiliates lean almost entirely on legitimate remote-management tools to blend in with normal IT activity, move laterally over RDP and PsExec, exfiltrate data with off-the-shelf cloud utilities, and in some cases trigger an irreversible wiper that zeroes files whether or not the ransom is paid. Anubis has claimed 91 victims on its leak site, 11 of them in June 2026 alone.
The campaign is a textbook example of the “live off the land” tradecraft defining ransomware in 2026: exploit an exposed edge appliance, then do everything else with tools that look like the victim’s own IT stack. That combination makes detection hard and forces defenders back to fundamentals. Here is how the intrusions run and what stops them.
Who is Anubis?
Anubis is a ransomware-as-a-service operation that first appeared in late 2024 as a rebrand of Sphinx ransomware and was formally announced on the RAMP underground forum in February 2025. Rubrik Zero Labs reported that Anubis advertises an aggressive 80% profit split to affiliates and pairs it with a data-wiping feature that raises the pressure to pay fast. According to Ransomware.live data cited by Arctic Wolf, the group has claimed 91 victims to date, with more than half in the United States, followed by the U.K., Australia, France, and Canada. Targeted sectors skew toward healthcare, business services, manufacturing, technology, and financial services. You can follow the group on the Ransomnews threat-group catalogue.
What is Citrix Bleed 2?
Citrix Bleed 2 is CVE-2025-5777, a critical flaw (CVSS 9.3) in Citrix NetScaler ADC and Gateway that lets an attacker bypass authentication when the appliance is configured as a Gateway or AAA virtual server. It echoes the original Citrix Bleed that fuelled a wave of 2023 ransomware intrusions. In the Anubis campaign, exploitation of CVE-2025-5777 sits alongside the use of valid VPN credentials, including Cisco AnyConnect logins seen coming from hosting providers. The source of those credentials is not confirmed, but Arctic Wolf notes they were likely bought from initial access brokers or harvested by infostealers. Exposed edge devices remain the single most reliable ransomware entry point, a pattern we documented in the FortiBleed investigation.
How does the attack chain work?
After gaining access through Citrix Bleed 2 or valid VPN logins, affiliates authenticate over RDP and SMB, then use PsExec service creation to move laterally. They deploy legitimate remote-management and monitoring tools for persistent access, ScreenConnect, Zoho Assist, MeshAgent, Remotely, UltraVNC, and Total Software Deployment, so their activity resembles routine administration. Some intrusions configure a Cloudflare Tunnel (cloudflared) to reach into the environment over HTTPS. Data is exfiltrated with S3 Browser, rclone, s5cmd, WinSCP, and PuTTY before the encryptor runs.
Why is the wiper the real threat?
Anubis carries a destructive option that changes the calculus for victims. When its /WIPEMODE module runs, files stay in their directories but are reduced to 0 KB regardless of any ransom payment. As Rubrik put it, knowing operators can revert an environment to that scorched-earth state with a single command significantly increases pressure to pay before the wiper fully activates. This is the same trend Ransomnews has tracked toward extortion where recovery is off the table: if paying cannot reliably restore the data, the threat is really about leverage and destruction, not decryption.
What should defenders do now?
Patch NetScaler against CVE-2025-5777 immediately and treat any Citrix Gateway as a priority asset, because it is the front door here. Beyond the patch, the defensive job is spotting legitimate tools used illegitimately: alert on unexpected RMM installs (ScreenConnect, Zoho Assist, MeshAgent), on cloudflared appearing in server environments, and on cloud-transfer utilities like rclone and s5cmd running where they have no business. Rotate VPN credentials and assume any that appear in stealer logs are compromised. Because Anubis can wipe as well as encrypt, offline, immutable backups are the control that matters most: they are the only thing that survives a /WIPEMODE command.
Frequently asked questions
What is Citrix Bleed 2?
Citrix Bleed 2 is CVE-2025-5777, a critical authentication-bypass flaw in Citrix NetScaler ADC and Gateway. Attackers use it to bypass login when the appliance runs as a Gateway or AAA virtual server.
Who is behind the Anubis ransomware?
Anubis is a ransomware-as-a-service group that emerged in late 2024 as a rebrand of Sphinx and was announced on the RAMP forum in February 2025. It offers affiliates an 80% profit split.
What makes Anubis different from other ransomware?
Anubis includes a /WIPEMODE feature that reduces files to 0 KB regardless of payment. That destructive capability is designed to pressure victims into paying before the wiper fully runs.
How do Anubis affiliates avoid detection?
They rely on legitimate remote-management tools such as ScreenConnect, Zoho Assist, and MeshAgent, plus RDP, PsExec, and Cloudflare tunnels, so their activity blends in with normal IT administration.
How do I protect against this campaign?
Patch NetScaler against CVE-2025-5777, rotate VPN credentials, alert on unexpected RMM and cloud-transfer tools, and keep offline immutable backups that survive the wiper.
Sources and further reading
- Arctic Wolf: CitrixBleed 2 to cloudflared, the tools behind Anubis attacks
- The Hacker News: Ransomware groups turn to Citrix Bleed 2, BYOVD, and supply chain credentials
- Rubrik Zero Labs: Anubis ransomware and the /WIPEMODE wiper
- Ransomnews: FortiBleed: 75,000 cracked Fortinet firewalls
- Ransomnews: Initial Access Brokers 2026
