Anubis
Intelligence Profile
As BleepingComputer reported, Anubis displays fake login forms when the user opens one of the apps it targets. The phishing overlay is drawn on top of the real app's login screen, so the victim believes they are typing into the legitimate form; whatever credentials they enter are sent to the attackers instead.
In the new version spotted by Lookout, Anubis now targets 394 apps and has the following capabilities:
Recording screen activity and sound from the microphone
Implementing a SOCKS5 proxy for covert communication and package delivery
Capturing screenshots
Sending mass SMS messages from the device to specified recipients
Retrieving contacts stored on the device
Sending, reading, deleting, and blocking notifications for SMS messages received by the device
Scanning the device for files of interest to exfiltrate
Locking the device screen and displaying a persistent ransom note
Submitting USSD code requests to query bank balances
Capturing GPS data and pedometer statistics
Implementing a keylogger to steal credentials
Monitoring active apps to mimic and perform overlay attacks
Halting its malicious functionality and removing itself from the device on command from the operator
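The overlay, keylogging, SMS, contact, audio and location capabilities listed above each require a specific Android permission or privileged component (overlay permission, an accessibility service, SMS permissions, a device-admin receiver for the screen lock), so a decoded manifest is a cheap first triage step. The script below is an added example, not code from BleepingComputer, Lookout or the malware itself. It assumes the APK's binary manifest has already been decoded to plain XML (for instance with apktool), and the capability-to-permission mapping and the high/medium/low thresholds are illustrative choices, not a vendor detection rule. Both sample manifests are constructed for the example.

```python
"""Triage a decoded AndroidManifest.xml for the permission and component mix
that the Anubis capability list implies. Assumes the manifest is already plain
XML (e.g. decoded with apktool). Mapping and thresholds are illustrative."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability (from the list above) -> <uses-permission> evidence for it.
CAPABILITY_EVIDENCE = {
    "overlay attacks": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "SMS send/intercept": {"android.permission.SEND_SMS",
                           "android.permission.RECEIVE_SMS",
                           "android.permission.READ_SMS"},
    "contact theft": {"android.permission.READ_CONTACTS"},
    "audio recording": {"android.permission.RECORD_AUDIO"},
    "location tracking": {"android.permission.ACCESS_FINE_LOCATION"},
    "file exfiltration": {"android.permission.READ_EXTERNAL_STORAGE"},
}
# These are declared on the component (<service>/<receiver>), not via <uses-permission>.
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
DEVICE_ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"


def parse_manifest(xml_text):
    """Return (requested permissions, permissions guarding declared components)."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    component_perms = set()
    for tag in ("service", "receiver"):
        for e in root.iter(tag):
            component_perms.add(e.get(ANDROID_NS + "permission"))
    return perms - {None}, component_perms - {None}


def triage(xml_text):
    """Map manifest evidence back onto the capability names from the profile."""
    perms, component_perms = parse_manifest(xml_text)
    findings = {}
    for capability, needed in CAPABILITY_EVIDENCE.items():
        hit = perms & needed
        if hit:
            findings[capability] = sorted(hit)
    if ACCESSIBILITY_PERM in component_perms:
        # An accessibility service is what lets a banker read keystrokes and
        # watch which app is in the foreground to time its overlays.
        findings["accessibility keylogger / app monitoring"] = [ACCESSIBILITY_PERM]
    if DEVICE_ADMIN_PERM in component_perms:
        # Device admin is the usual route to locking the screen and resisting uninstall.
        findings["screen lock / ransom note"] = [DEVICE_ADMIN_PERM]
    return findings


def verdict(findings):
    """Overlay + accessibility + SMS together is the banking-trojan signature;
    any one of them alone is common in legitimate apps (illustrative threshold)."""
    core = {"overlay attacks", "accessibility keylogger / app monitoring",
            "SMS send/intercept"}
    matched = len(core & findings.keys())
    return {3: "high", 2: "medium"}.get(matched, "low")


# Constructed sample: a fake "Flash Player" dropper-style manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashplayerupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="Flash Player">
    <service android:name=".KeyService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: an ordinary app that only needs network and location.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="Weather"/>
</manifest>"""

if __name__ == "__main__":
    for name, manifest in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        found = triage(manifest)
        print(f"{name}: verdict={verdict(found)}")
        for capability, evidence in found.items():
            print(f"  {capability}: {', '.join(evidence)}")
```

The point of keying the verdict on the three-way combination rather than on any single permission is that SYSTEM_ALERT_WINDOW, SMS access and accessibility services are each individually common in legitimate apps; it is the combination that matches the overlay-plus-keylogger-plus-OTP-theft pattern in the capability list. This is only a manifest-level heuristic: a dropper that requests the permissions at runtime or fetches the payload later will not show them here, so treat "low" as "nothing found in the manifest", not "clean".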
Threat Analysis
Anubis is an Android banking trojan tracked by threat intelligence researchers and catalogued in the Malpedia dataset. It is a distinct malware lineage with identifiable code characteristics, behaviours, and victimology.
The capabilities profiled above (login overlays for targeted banking and payment apps, accessibility-driven keylogging, SMS interception and mass sending, contact harvesting, and a screen-lock ransom note) are those of a financially motivated banking trojan: the goal is stealing account credentials, intercepting SMS-delivered one-time codes, and monetising infected devices. Targets are selected for the payment and banking apps installed on the device, not for strategic or intelligence value, and the kit has been operated by multiple criminal actors rather than by a single group.
Anubis is nonetheless a capable threat: it relies on social engineering and abuse of legitimate Android features (overlay permission, accessibility services, device administration) rather than on exploits, it is actively maintained and retargeted as shown by the expanding list of targeted apps, and it includes a self-removal command that lets operators clean up after themselves.
Known Campaigns
Telemetry records an Anubis ransomware campaign against organizations in 2 countries, with Manufacturing and Technology as the primary targets. 2 confirmed victims were recorded in the last 45 days, and no further victims have been recorded since, so the campaign appears to have stalled. Note that these figures describe a ransomware operation against organizations; the Android trojan's screen-lock ransom note described above targets individual devices.