Back to Blog

Anubis Ransomware: Why Legitimate File-Transfer Tools Become Exfiltration Paths

Share
X
Abstract illustration of governed data pathways and controlled flow

When ransomware affiliates install S3 Browser, rclone, and ScreenConnect on a production host, legitimate administration and cloud-transfer tools become the channel that pulls regulated files out before the encryptor runs.

In early July 2026, reporting from The Hacker News summarized Arctic Wolf Labs research on Anubis ransomware affiliate tradecraft. Across multiple 2026 intrusions, investigators observed a consistent pattern: VPN or CitrixBleed 2 access, lateral movement with RDP and PsExec, deployment of legitimate remote monitoring and management (RMM) products, then installation of mainstream cloud-transfer utilities for exfiltration ahead of encryption. The tooling looks ordinary in isolation. As a chain, it is a governed file-movement problem.

What happened

Arctic Wolf’s investigation, From CitrixBleed 2 to Cloudflared: The Tools and Techniques Behind Anubis Ransomware Attacks, documents affiliate-level behavior rather than a single uniform operator. Anubis operates as ransomware-as-a-service (RaaS). The brand emerged from the earlier Sphinx operation and was announced on the RAMP forum in February 2025. Since early 2026, Arctic Wolf has investigated Anubis intrusions involving both valid VPN credential use and exploitation of CitrixBleed 2 (CVE-2025-5777).

After malicious VPN authentication, operators proceeded through RDP and SMB logins, credential access, PsExec service creation, and RMM deployment. RMM products observed across intrusions included ScreenConnect, Zoho Assist, MeshAgent, Remotely, UltraVNC, Total Software Deployment, and mRemoteNG. Those tools provide interactive access, file transfer, remote execution, and persistence while resembling software many IT teams already run.

The exfiltration phase is the piece most relevant to regulated data movement. Arctic Wolf reports deployment of tooling commonly used for bulk cloud transfer: S3 Browser, rclone, s5cmd, WinSCP, and PuTTY. In one intrusion, S3 Browser components appeared alongside ScreenConnect activity and Anubis encryptor staging under the same user profile. rclone and s5cmd artifacts appeared in other cases next to RMM deployment and defensive-tool tampering. Those utilities are efficient, scriptable, and compatible with multiple storage backends — attributes that make them attractive both to administrators and to affiliates preparing double-extortion campaigns.

Affiliates also tested alternate egress paths. cloudflared (Cloudflare Tunnel) appeared on Windows servers and Synology NAS devices. In one NAS intrusion, a compromised domain account was used to create a privileged local administrator, grant broad file-service rights (SMB, SFTP, FTP, File Station, rsync), stage files over SFTP, and attempt tunnel configuration under /usr/local/etc/cloudflared. When tunnel establishment failed TLS validation, the actor shifted to SSH-based dynamic forwarding through VPS infrastructure. Within a day of those egress attempts, Linux and Windows Anubis encryptors ran against storage volumes.

Why this matters

Security programs still classify “file transfer” as a product category — an MFT appliance, a portal, a share. Anubis tradecraft treats file movement as any binary that can push bytes to cloud storage or a remote host under a trusted process name. S3 Browser in Program Files, rclone next to a ScreenConnect agent, or s5cmd invoked after PsExec will not always trip the same controls as an unapproved malware implant.

For organizations in healthcare, manufacturing, defense supply chains, and financial services, the pre-encryption transfer is the chain-of-custody failure. Once regulated documents, design packages, clinical archives, or partner deliverables leave through an ungoverned path, the later encryptor is secondary damage. Extortion value already rests on the copy that left.

The RMM layer multiplies blast radius. A single technician-style session with file transfer authority can touch many endpoints while logging as routine support. Arctic Wolf notes that activity launched through trusted management products blends with normal administration. That is the same architectural lesson as earlier SimpleHelp and MSP-focused RMM campaigns: remote support is privileged data-movement infrastructure, even when the product was purchased for patching and helpdesk work.

IBM’s 2025 Cost of a Data Breach reporting has already flagged managed file transfer as a concentrated zero-day target and supply-chain risk. Anubis shows the inverse surface: when the dedicated MFT is hardened, affiliates route around it with commodity cloud clients that staff already trust.

The architectural issue underneath

Most environments have strong opinions about who may open a share, and weak opinions about which processes may stream terabytes to object storage. Identity is checked at the VPN. Endpoint tools are inventory-listed. The missing control is policy on the movement path itself: which principals, which destinations, which classifications of content, with which retention of evidence.

Legitimate tools become exfiltration infrastructure when three conditions hold at once:

  • The tool is widely allowed or silently tolerated (rclone, S3 Browser, WinSCP, commercial RMM).
  • Destination trust is coarse (any approved cloud, any SaaS storage, any outbound HTTPS tunnel).
  • Audit evidence is incomplete for the transfer event (who moved what, to where, under which policy, with what approval).

Anubis affiliates exploit exactly that gap. They do not need a custom C2 for bulk exfil if the environment already permits high-volume cloud clients and remote administration suites. The encryptor is the noisy finale. The quiet copy is the business risk.

What regulated organizations should do differently

Treat remote administration and bulk cloud-transfer clients as data-movement surfaces in the same tier as MFT and collaboration platforms.

  • Inventory RMM and remote access products — ScreenConnect, Zoho Assist, MeshAgent, UltraVNC, and similar tools should have known owners, known install bases, and known egress paths. Unapproved installs after VPN or RDP spikes deserve the same priority as malware alerts.
  • Constrain bulk cloud-transfer utilities — rclone, s5cmd, S3 Browser, and analogous clients should not be ambient software on every workstation and server. Where needed, bind them to approved identities, approved buckets, and monitored execution.
  • Watch for pre-encryption staging patterns — RMM install + cloud client + security product disablement in the same window is a data-exfiltration sequence, even before ransomware file extensions appear.
  • Govern NAS and file-service privilege — Arctic Wolf’s NAS case shows how broad SMB/SFTP/FTP/rsync rights plus tunnel clients create a self-contained exfil and encryption platform. Privileged local accounts on storage appliances need the same scrutiny as domain admins.
  • Require movement evidence — for regulated content, “the file left” should produce a durable record: principal, classification, destination, policy decision, and time. Generic process logging is rarely enough for partner, customer, or regulator review.

How Stellarbridge thinks about this class of risk

Stellarbridge is built for organizations that move sensitive files under policy — between people, partners, systems, and increasingly agents — with blast-radius control and audit evidence as first-class requirements. The Anubis pattern reinforces why movement authority cannot live only inside whichever tool an administrator happens to install.

A governed path means identity is bound to the transfer, destinations are constrained by policy, and the event produces evidence suitable for HIPAA, CMMC, SOC 2, and partner diligence — whether the content is a clinical package, an engineering release, or a regulatory submission. Secure file transfer built for regulated industries starts from that evidence requirement. When bulk cloud clients and RMM suites can move the same content without those controls, attackers will prefer the uncontrolled path. Defenders should prefer to remove that option. Agentic campaigns such as JADEPUFFER show the same structural gap at machine tempo.

Questions worth asking this week

  • Which RMM and remote-access products are authorized in our environment, and which installs would look “normal” to an on-call engineer at 2 a.m.?
  • Can any domain or local admin quietly install S3 Browser, rclone, or s5cmd on a file server without a ticket and without a security alert?
  • If regulated content left via object storage this month, could we produce a chain-of-custody record that survives legal and customer review?
  • Do our playbooks treat pre-encryption cloud-transfer activity as a data-breach sequence, or only as ransomware staging?
  • Are NAS appliances and their file-service privileges in the same threat model as domain controllers for exfiltration?

Closing thought

Anubis affiliates assemble access, RMM persistence, and commodity cloud-transfer clients into a pipeline that moves data first and encrypts second. The tools on that pipeline already have product marketing pages and IT use cases. Regulated organizations that only govern the systems labeled “secure file transfer” will keep missing the transfers that matter most.

If your partner, customer, or agent workflows still rely on ambient admin tools for sensitive packages, the control gap Anubis exploits is already open. Close it with policy-bound movement paths and evidence that holds up after the incident — encryption alerts alone leave the quiet copy unaddressed.

Sources