From CitrixBleed 2 to Cloudflared: The Tools and Techniques Behind Anubis Ransomware Attacks
Arctic Wolf Labs documents Anubis ransomware affiliate tradecraft observed across multiple 2026 intrusions, featuring CitrixBleed 2 (CVE-2025-5777) exploitation and valid VPN credential abuse for initial access. Affiliates consistently deploy legitimate RMM tools for persistence, use Mimikatz and ntds.dit extraction for credential access, establish alternate egress via cloudflared and SSH SOCKS tunnels, and employ exfiltration tools like S3 Browser and rclone before deploying encryptors on Windows and Linux systems. The attack chain relies on commodity tools and living-off-the-land techniques that resemble legitimate administration in isolation but form a distinctive kill chain when correlated.
- domainazuremicrosoft[.]usTyposquatted domain mimicking Microsoft Azure used to host malicious ScreenConnect installer download.
- domainrelay[.]promotds[.]usScreenConnect relay infrastructure used for persistent remote access to compromised victim systems.
- filenamemvtcs.exeMeshAgent RMM tool deployed under this filename for persistent remote access; accompanied by config files mvtcs.msh, mvtcs.db, mvtcs.log.
- filenameRESTOREFILES.htmlAnubis ransom note left on encrypted systems alongside files with .anubis extension.
- filenames3browser-13-1-1.exeS3 Browser installer used for cloud storage exfiltration; downloaded to user Downloads directory before installation.
- ip45[.]227[.]254[.]25Source IP observed in CitrixBleed 2 exploitation log on NetScaler appliance; originated from VPS hosting provider, differing from legitimate client IP.
- ip45[.]76[.]79[.]92C2 communication endpoint for Remotely Desktop RMM tool deployed on multiple Windows Server hosts during Anubis intrusions.
- urlhxxps://azuremicrosoft[.]us/Bin/ScreenConnect[.]ClientSetup[.]msiMalicious ScreenConnect MSI installer download URL hosted on typosquatted azuremicrosoft.us domain.
Detection / Hunteropenrouter
What Happened
A ransomware group called Anubis has been breaking into organizations since early 2026 using two main methods: stealing valid VPN login credentials and exploiting a serious security flaw in Citrix networking equipment called CitrixBleed 2. Once inside, the attackers install legitimate remote management tools (the same kind IT staff use every day) to maintain access while blending in with normal activity. They steal passwords using well-known hacking tools, copy sensitive login databases, and set up hidden tunnels to secretly send stolen data out of the network. Finally, they encrypt files across both Windows and Linux systems and demand a ransom. Organizations using Citrix NetScaler devices, remote desktop services, or network-attached storage are particularly at risk. The most urgent step is to patch the Citrix vulnerability immediately, audit for unauthorized remote management tools, and monitor for unusual administrative activity before encryption occurs.
Key Takeaways
- Anubis ransomware affiliates exploit CitrixBleed 2 (CVE-2025-5777) for pre-authentication session hijacking on Citrix NetScaler appliances, bypassing MFA via stolen session tokens.
- Multiple legitimate RMM tools (ScreenConnect, Zoho Assist, MeshAgent, Remotely, UltraVNC, Total Software Deployment) are abused for persistence and lateral movement to blend in with normal IT activity.
- Threat actors establish alternate egress paths using cloudflared (Cloudflare Tunnel), authenticated HTTP proxies, and SSH-based SOCKS tunneling, particularly targeting NAS devices.
- Credential access via Mimikatz, browser password exports, and ntds.dit extraction occurs shortly before encryption, with ntds.dit archiving observed less than an hour before ransomware deployment.
- Defense evasion includes Windows Defender disablement, SophosUninstall, PCHunter usage, log clearing across multiple Windows event sources, and encryptor self-deletion post-execution.
Affected Systems
- Citrix NetScaler ADC/Gateway appliances
- Microsoft Remote Desktop Services servers
- Windows domain controllers
- Hyper-V hypervisor servers
- Synology NAS devices (DiskStation Manager)
- Backup-adjacent systems
- Windows and Linux endpoints
Vulnerabilities (CVEs)
| CVE | Product | Severity | Description |
|---|---|---|---|
| CVE-2025-5777 | Citrix NetScaler ADC/Gateway | Critical (CVSS 9.3, CISA KEV) | Pre-authentication memory disclosure vulnerability that exposes session material from affected NetScaler appliances, enabling session hijacking and MFA bypass. |
Attack Chain
- Initial Access: Exploit CitrixBleed 2 (CVE-2025-5777) on NetScaler for session hijacking or use valid VPN credentials from hosting ASNs
- Lateral Movement: RDP from VPN client subnets to servers, DCs, hypervisors, and backup systems; PsExec for remote service creation
- Persistence: Deploy legitimate RMM tools (ScreenConnect, Zoho Assist, MeshAgent, Remotely) and create scheduled tasks for ongoing access
- Credential Access: Execute Mimikatz from staging directories, export browser passwords, copy and archive ntds.dit for offline extraction
- Command and Control: Establish alternate egress via cloudflared tunnels, authenticated HTTP proxies, and SSH-based SOCKS proxies on NAS and Windows servers
- Exfiltration and Impact: Deploy S3 Browser/rclone/s5cmd for data exfiltration, disable security tools, then execute Anubis encryptors on Windows and Linux systems
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
- Platforms: Arctic Wolf Aurora MDR, Arctic Wolf public GitHub repository (referenced for IOCs and MITRE mapping)
Arctic Wolf references detections in their Aurora MDR platform and a public GitHub repository containing IOCs, network indicators, file indicators, and MITRE ATT&CK mappings. No rule bodies are reproduced in the article itself.
Detection Engineering Assessment
| Dimension | Rating | Rationale |
|---|---|---|
| EDR Visibility | Medium | RMM tool deployments, Mimikatz execution, PsExec service creation, and Defender disablement should generate EDR telemetry, but the use of legitimate RMM tools and native Windows binaries creates significant blending with normal administrative activity. |
| Network Visibility | Medium | VPN logins from hosting ASNs, RDP/SMB between VPN subnets and servers, and C2 to known malicious IPs/domains are network-detectable. However, cloudflared and SSH tunneling traffic may appear as legitimate outbound HTTPS/SSH, reducing visibility. |
| Detection Difficulty | Hard | Individual behaviors resemble legitimate IT administration. Detection requires correlating a sequence of events (suspicious remote access, RMM deployment, credential access, exfiltration tooling) across multiple log sources and time windows rather than matching single indicators. |
Required Log Sources
- Citrix NetScaler SSLVPN logs (TCPCONNSTAT events)
- VPN authentication logs with source ASN correlation
- Windows Event Log: Security (4624, 4625, 4688, 7045)
- Windows Event Log: System, PowerShell, Task Scheduler, AppLocker, Defender
- EDR process creation and file write telemetry
- Network flow logs for RDP, SMB, and outbound tunnel traffic
- DNS resolution logs for typosquatted domains
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for VPN authentication events originating from VPS hosting provider ASNs, particularly when followed by RDP or SMB activity to domain controllers or hypervisors within a short time window. | VPN authentication logs, firewall flow logs, Windows Security event 4624 | Initial Access / Lateral Movement | Medium — legitimate remote workers may occasionally connect from cloud-hosted VPNs or travel-related IPs. |
| Consider hunting for installation of multiple RMM tools (ScreenConnect, Zoho Assist, MeshAgent, Remotely) on the same host or across multiple hosts within a short timeframe, especially outside of approved software deployment windows. | EDR process creation, MSI installer events, Windows Service creation events | Persistence | Medium — IT teams may legitimately deploy RMM tools, but rapid multi-tool deployment is atypical. |
| Consider hunting for ntds.dit file access or copy operations outside of normal Active Directory maintenance, especially when followed by archive creation (e.g., .zip) on the same system. | EDR file access events, Windows ESE database logs, file system audit logs | Credential Access | Low — ntds.dit access outside of scheduled backup or maintenance windows is highly suspicious. |
| Consider hunting for cloudflared.exe execution on Windows servers or NAS devices, particularly when placed in system directories or accompanied by tunnel configuration file creation. | EDR process creation, file write events on system directories, network connection logs | Command and Control | Low — cloudflared is uncommon in enterprise environments outside of intentional Cloudflare Tunnel deployments. |
| Consider hunting for rapid sequential security tool disablement or uninstallation events (Defender disablement, SophosUninstall, PCHunter execution) across multiple hosts, combined with Windows event log clearing activity. | EDR tamper protection alerts, Windows Defender event logs, Windows Security event 4688, System event log | Defense Evasion | Low — coordinated security tool disablement across multiple hosts is rarely legitimate. |
Control Gaps
- Network-level blocking may not catch legitimate RMM tool traffic that uses standard HTTPS ports and legitimate relay infrastructure.
- Signature-based AV may miss Anubis encryptors using randomized filenames and staged in non-standard directories.
- Single-event alerting will miss the kill chain sequence; behavioral correlation across multiple log sources is required.
- SSH-based SOCKS tunneling and cloudflared traffic may blend with legitimate outbound HTTPS/SSH if not specifically monitored.
- MFA bypass via CitrixBleed 2 session token theft is not caught by authentication controls that validate tokens without binding to source IP.
Key Behavioral Indicators
- PSEXESVC.exe service creation correlated with RMM deployment and ransomware staging in same activity window
- Mimikatz execution from non-standard paths (C:\Users\Public, C:\x64) rather than typical tool directories
- Browser password export files (Chrome Passwords.csv, Microsoft Edge Passwords.csv) appearing on server systems
- ntds.dit copy to non-standard path followed by .zip archive creation on desktop within minutes
- cloudflared.exe binary in C:\Windows or /usr/local/etc/cloudflared on NAS devices
- Scheduled task named MeshUserTask for MeshAgent persistence
- Encrypted files with .anubis extension and ransom notes named RESTORE FILES.html
- RDP sessions from VPN client subnets to hypervisors, domain controllers, and backup infrastructure
- Multiple RMM tool installations on the same host within a short timeframe
False Positive Assessment
- Medium — Many individual behaviors (RMM tool installation, RDP to servers, PsExec usage) are legitimate IT activities. False positive risk is reduced when correlating multiple behaviors in sequence, but isolated indicators may generate noise in environments with active system administration.
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting. If you operate Citrix NetScaler ADC/Gateway appliances, patch CVE-2025-5777 immediately and terminate all active sessions post-patch per vendor instructions.
- Consider blocking the documented malicious infrastructure (azuremicrosoft.us, promotds.us, and associated IPs) at network perimeter controls if supported by your tooling.
- If applicable to your environment, consider auditing all endpoints and servers for unauthorized RMM tool installations (ScreenConnect, Zoho Assist, MeshAgent, Remotely, UltraVNC, Total Software Deployment) and investigate any unexpected findings.
- Consider reviewing VPN authentication logs for logins originating from VPS hosting provider ASNs (AS20473, AS55286) and validate whether these correspond to legitimate user activity.
Infrastructure Hardening
- Evaluate whether network segmentation can isolate hypervisor management planes, NAS devices, and backup infrastructure from general-purpose endpoints and VPN client subnets.
- Consider implementing application control policies to alert on or block execution from non-standard staging directories (C:\Apps, C:\PerfLogs, C:\Users\Public, user AppData paths).
- If your environment uses Citrix NetScaler, consider implementing source IP validation or geo-fencing for VPN sessions to detect session token reuse from unexpected locations.
- Consider monitoring for and restricting outbound SSH and cloudflared tunnel traffic from NAS devices and internal servers where such connections are not part of normal operations.
User Protection
- Consider enabling tamper protection on endpoint security agents and configure alerts for any attempts to disable or uninstall security tooling.
- Evaluate whether browser password export functionality can be restricted or monitored via group policy in your environment.
- Consider deploying EDR rules to detect Mimikatz execution from non-standard file paths commonly used for staging.
- If supported by your backup solution, consider ensuring backups are stored offline or in isolated segments with tested restoration procedures.
Security Awareness
- Consider incorporating guidance on RMM tool abuse into existing security awareness programs, emphasizing that attackers use legitimate IT tools to blend in.
- If your organization has an IT staff awareness program, consider highlighting the risk of unauthorized RMM tool installation and the importance of maintaining an approved software inventory.
- Consider reminding IT and security staff that credential access behaviors (Mimikatz, ntds.dit extraction, browser password exports) occurring outside of approved maintenance windows should be treated as high-priority alerts.
MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application
- T1078 - Valid Accounts
- T1021.001 - Remote Desktop Protocol
- T1021.002 - SMB/Windows Admin Shares
- T1569.002 - System Services: Service Execution
- T1219 - Remote Access Software
- T1003.001 - OS Credential Dumping: LSASS Memory
- T1003.003 - OS Credential Dumping: NTDS
- T1555 - Credentials from Password Stores
- T1567 - Exfiltration Over Web Service
- T1090 - Proxy
- T1021.004 - SSH
- T1562.001 - Impair Defenses: Disable or Modify Tools
- T1070.002 - Indicator Removal: Clear Windows Event Logs
- T1486 - Data Encrypted for Impact
Additional IOCs
- File Paths:
C:\Users\Public\Videos\mimikatz.exe- Mimikatz credential dumping tool staged in non-standard user directory.C:\Users\Public\mimikatz.exe- Alternate Mimikatz staging location on compromised Windows servers.C:\x64\mimikatz.exe- Alternate Mimikatz staging location observed across multiple intrusions.C:\audit\Active Directory\ntds.dit- Copy of Active Directory ntds.dit database created for offline credential extraction; archived as Active Directory.zip within minutes.C:\Windows\cloudflared.exe- Cloudflare Tunnel client binary placed in Windows directory for establishing outbound tunnels from compromised servers.C:\Users\Default\AppData\- Anubis encryptor staging directory; also contained S3 Browser components under same user profile.C:\Program Files\S3 Browser- S3 Browser installation directory used for cloud storage exfiltration.%SystemRoot%\TNIWINAGENT\- Total Software Deployment agent execution directory; tniwinagent.exe deployed for remote agent push across hosts./usr/local/etc/cloudflared- Cloudflare Tunnel configuration directory on Synology NAS devices used for establishing outbound tunnels.
- Command Lines:
- Purpose: Establish Cloudflare Tunnel from compromised NAS device for alternate outbound access | Tools:
cloudflared| Stage: Command and Control / Exfiltration |cloudflared tunnel create <tunnel_name> && cloudflared tunnel run - Purpose: Create local SOCKS proxy for routing outbound traffic through VPS infrastructure | Tools:
ssh| Stage: Command and Control |ssh -D 127.0.0.1:1080 - Purpose: Escalate to root shell on Synology NAS device for tunnel configuration | Tools:
sudo,su| Stage: Privilege Escalation |sudo su - Purpose: Launch cloudflared in background with HTTP/2 on NAS device | Tools:
cloudflared,nohup| Stage: Command and Control |nohup cloudflared tunnel run
- Purpose: Establish Cloudflare Tunnel from compromised NAS device for alternate outbound access | Tools:
- Other:
MeshUserTask- Scheduled task created for MeshAgent persistence on compromised Windows systems.Total Software Deployment Audit Service- Service created by Total Software Deployment tool for administrative deployment and agent push across hosts.PSEXESVC.exe- PsExec service binary observed during lateral movement alongside RMM deployment and ransomware staging.Ransom:Win64/Anubis.A- Microsoft Defender detection name for Anubis ransomware encryptor on Windows systems.