FIN7 Deploys Python-Based Anubis Backdoor for Stealthy Windows Attacks
The financially driven cybercrime group FIN7 has been linked to a Python-based backdoor named Anubis, which enables remote access to compromised Windows systems.

Despite sharing a name with an Android banking trojan, this variant operates differently, providing attackers with full control over infected machines through remote shell execution and system manipulation, according to cybersecurity firm PRODAFT.
FIN7’s Evolving Tactics
Also known as Carbon Spider, ELBRUS, Gold Niagara, Sangria Tempest, and Savage Ladybug, FIN7 is a Russian threat group notorious for its adaptive malware arsenal. The group has shifted toward ransomware operations, leveraging new attack methods to expand its criminal activities.
In July 2024, FIN7 was observed advertising AuKill (AvNeutralizer)—a tool designed to disable security software, likely as part of an effort to diversify monetization strategies.
Anubis Infection Chain and Capabilities
The Anubis backdoor is primarily distributed via malspam campaigns, tricking victims into executing the malicious payload hosted on compromised SharePoint sites. The infection typically unfolds as follows:
- Delivery: The malware arrives as a ZIP archive containing an encrypted Python script.
- Execution: The script decrypts and runs the main payload directly in memory, avoiding detection.
- Communication: The backdoor establishes a TCP socket connection with a remote command-and-control (C2) server, exchanging Base64-encoded data.
- Functionality: Once active, Anubis can:
  - Gather host IP addresses
  - Upload/download files
  - Modify the Windows Registry
  - Execute shell commands
  - Load DLLs in memory via PythonMemoryModule
  - Terminate itself to evade detection
Stealth and Flexibility
Anubis is designed to operate discreetly, allowing attackers to execute additional malicious actions—such as keylogging, capturing screenshots, and stealing passwords—without embedding these capabilities directly within the malware. This modular approach makes it harder to detect while ensuring operational flexibility for the attackers.
Conclusion
The lightweight design of Anubis underscores FIN7’s strategic shift toward stealthier, more adaptable malware. As the group continues to evolve, organizations must stay vigilant against email-based threats and implement strong security measures to mitigate risks.