
Digital safety starts here for both commercial and personal Use...

Defend Your Business Against the Latest WNY Cyber Threats We offer Safe, Secure and Affordable Solutions for your Business and Personal Networks and Devices.



WNYCyber is there to help you to choose the best service providers in Western New York... We DO NOT provide the services ourselves, as we are Internet Programmers who have to deal daily with Cyber Threats... (Ugghhh)... So we know what it's like and what it takes to protect OUR and OUR CUSTOMERS' DATA... We built this Website to help steer you to those that can give you the best service at realistic and non-inflated prices. We do not charge or collect any fees.

FIN7 Deploys Anubis Backdoor to Hijack Windows Systems via Compromised SharePoint Sites

Summary:
The financially motivated cybercrime group FIN7, also known as Carbon Spider, Sangria Tempest, ELBRUS, Gold Niagara, and Savage Ladybug, has been linked to a sophisticated Python-based backdoor called Anubis. This malware is designed to provide remote access and control over compromised Windows systems. According to Swiss cybersecurity firm PRODAFT, Anubis allows threat actors to execute remote shell commands, manipulate system settings, upload and download files, modify environment variables, and even alter the Windows Registry. Communications with its command-and-control server are established through Base64-encoded data sent over a TCP socket, enabling encrypted command execution while minimizing detection. Anubis is typically distributed via malspam campaigns, often luring victims into downloading ZIP archives from compromised SharePoint sites. These archives contain a Python script that decrypts and loads the main payload directly into memory, bypassing traditional file-based detection mechanisms. Once active, the backdoor uses PythonMemoryModule to load DLL files directly into memory and supports self-termination to evade forensic analysis.

An independent analysis by German cybersecurity firm GDATA revealed that the malware also supports the execution of operator-supplied shell commands, which can be used to perform actions such as keylogging, capturing screenshots, and stealing credentials—all without storing tools locally on the system. This modular, memory-resident approach allows FIN7 to maintain a low footprint while retaining flexibility for post-compromise activity.
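The summary above notes that the backdoor's command channel is Base64-encoded data over a raw TCP socket. Base64 is an encoding, not encryption, so a network sensor that can see the stream can decode it and apply a content heuristic. The script below is an added example written for this page (it is not PRODAFT's, GDATA's, or the malware's code) showing such a heuristic: it checks whether a captured TCP payload is well-formed Base64, decodes it, and flags decoded text that looks like an operator shell command. The sample payloads and the marker words are constructed for illustration, and the heuristic is deliberately simple; in production it would feed a rule engine alongside other indicators rather than stand alone.

```python
import base64
import binascii
import re
import string

# Constructed sample payloads, not real Anubis traffic: the kind of data a
# passive sensor might extract from TCP streams to an external host.
SAMPLE_PAYLOADS = [
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",  # plain HTTP, not Base64
    base64.b64encode(b"whoami && ipconfig /all"),                # Base64 of a shell command
    base64.b64encode(b"set PROXY=http://10.0.0.1:8080"),         # Base64 of an env-var change
    b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03",             # TLS ClientHello prefix
    b"SGVsbG8=",                                                  # Base64 of "Hello", benign
]

# Strict Base64 alphabet with optional padding; whitespace is stripped first.
B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")
PRINTABLE = set(string.printable.encode())

# Hypothetical marker list: tokens that commonly appear in interactive
# Windows shell commands. Tune to the environment; this is a heuristic.
SHELL_MARKERS = (b"whoami", b"ipconfig", b"cmd", b"powershell", b"reg ", b"set ", b"&&")


def decode_if_base64(payload: bytes):
    """Return the decoded bytes if payload is well-formed Base64, else None."""
    stripped = payload.strip()
    # Very short strings match Base64 by accident far too often to be useful.
    if len(stripped) < 8 or not B64_RE.match(stripped):
        return None
    try:
        return base64.b64decode(stripped, validate=True)
    except (binascii.Error, ValueError):
        return None


def looks_like_command(decoded: bytes) -> bool:
    """True when decoded text is printable and contains a shell-command marker."""
    if not decoded or any(b not in PRINTABLE for b in decoded):
        return False
    lowered = decoded.lower()
    return any(marker in lowered for marker in SHELL_MARKERS)


def classify(payload: bytes) -> str:
    """Label one payload: not Base64, benign Base64, or Base64-wrapped command."""
    decoded = decode_if_base64(payload)
    if decoded is None:
        return "not-base64"
    if looks_like_command(decoded):
        return "suspicious-base64-command"
    return "base64-benign"


def scan(payloads):
    """Classify each payload; returns (truncated payload, label) pairs."""
    return [(p[:24], classify(p)) for p in payloads]


if __name__ == "__main__":
    for snippet, label in scan(SAMPLE_PAYLOADS):
        print(f"{label:28s} {snippet!r}")
```

The decode step uses `validate=True` so that data merely resembling Base64 (wrong padding, stray characters) is rejected rather than silently decoded into garbage; the printable check then filters out binary blobs such as Base64-wrapped files, which would need a different rule (for example, size and destination based). Alerts from this heuristic should be correlated with process telemetry, since the page's point is that the loader keeps the payload in memory and an endpoint agent sees a Python process, not a dropped tool.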

Security Officer Comments:
FIN7 has a history of developing and using a wide array of malware families for initial access, data theft, and financial gain. More recently, the group has been observed transitioning into ransomware operations. In July 2024, they were spotted promoting a tool called AuKill under various online aliases. This tool is designed to terminate endpoint security solutions, likely to facilitate ransomware deployment or other malicious operations. The adoption of such tools highlights FIN7’s evolving monetization strategies and its continued adaptation to evade defenses and maximize profits.

Suggested Corrections:
To mitigate the risk, organizations should deploy advanced endpoint detection, monitor network traffic, secure SharePoint instances, and enforce strict email security policies.


Link(s):
https://thehackernews.com/2025/04/fin7-deploys-anubis-backdoor-to-hijack.html