The new Anubis ransomware group has emerged as a significant threat to Microsoft environments, specifically targeting Windows-based infrastructure, backup servers, and enterprise cloud storage.
Breakdown
Cybercriminals increasingly focus on Microsoft’s infrastructure and Windows environments, leveraging trusted services, built-in tools, and sophisticated social engineering techniques to infiltrate corporate networks. The rise of cloud-based attacks, fileless malware, and credential theft demonstrates a shift in tactics to bypass traditional security measures while exploiting Microsoft's widespread enterprise adoption. Threat actors are no longer just deploying standalone malware; they are integrating multiple attack vectors, including abusing Microsoft’s Graph API, Dev Tunnels, and trusted Windows utilities, to blend malicious activity with legitimate operations. This shift in tactics allows cybercriminals to exploit Microsoft’s built-in trust mechanisms, using legitimate authentication tokens, system update services, and cloud APIs to evade security tools and maintain long-term persistence within enterprise networks. These evolving strategies make detection challenging, as security tools often struggle to distinguish between genuine Microsoft traffic and cleverly disguised threats.
Microsoft Cloud Ecosystem
One recent threat identified is the abuse of Microsoft’s cloud ecosystem for command-and-control (C2) communications in a ClickFix phishing campaign. The ClickFix phishing campaign is an example of how attackers manipulate Microsoft services to deploy malware. Attackers exploit Microsoft’s own infrastructure to control infected devices remotely while avoiding detection. It begins with a phishing email that tricks users into executing a malicious PowerShell script embedded in a fake OneDrive error message. This script retrieves a payload from a SharePoint-hosted file, using Microsoft’s cloud services as a launchpad for malware execution. What makes this campaign particularly dangerous is its ability to blend malicious activity into normal enterprise traffic, as security tools generally trust traffic moving through Microsoft’s APIs. Once inside a compromised network, the Havoc framework is deployed, a post-exploitation toolkit similar to Cobalt Strike. This allows attackers to execute commands, steal data, and escalate privileges, all while using Microsoft’s Graph API to communicate back to their servers. Another campaign using this technique involves Njrat, where attackers leverage Microsoft Dev Tunnels, a legitimate tool for exposing local development services over the internet, to deploy malware. Cybercriminals are hijacking this service to create hidden backdoors that allow continuous remote access, even after an initial infection is contained. The abuse of Microsoft’s built-in tools for malware communication significantly reduces visibility for security teams, making these attacks far more persistent than traditional malware campaigns.
Fileless Techniques
Another growing concern is the use of fileless techniques to bypass endpoint security. Traditionally, malware relies on executable files that antivirus programs scan for malicious signatures. However, attackers are now weaponizing built-in Windows services like Background Intelligent Transfer Service (BITS) to silently download and execute payloads without leaving traces on disk. BITS, a legitimate Microsoft service used for background updates and system patches, allows attackers to download malicious scripts while disguising them as legitimate system activity. Once malware is retrieved via BITS, it is executed in memory rather than being written to disk, allowing it to bypass antivirus tools that rely on file-based detection. In some cases, attackers configure BITS to automatically re-download malware, ensuring that even if an organization removes the infection, it reinstalls itself upon reboot. Security researchers have observed attackers using LOLBAS (Living Off The Land Binaries And Scripts), including tools like bitsadmin[.]exe and ForFiles[.]exe, to execute commands and maintain persistence. These tactics are particularly effective for long-term espionage, where attackers need to remain undetected for months while exfiltrating data or preparing for more extensive intrusions.
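The BITS abuse described above leaves a trail in the BITS-Client operational event log even when nothing touches disk. The following is an added detection example (not code from the original post): it correlates constructed job-created and transfer-started records, and flags jobs created by LOLBAS such as bitsadmin.exe, jobs fetching script files, or jobs pulling from hosts outside an update allowlist. The allowlist, field names and sample records are assumptions constructed for the example.

```python
from urllib.parse import urlparse

# Hosts from which BITS downloads are expected in this environment
# (assumption: a real allowlist is built from the organisation's own update sources).
ALLOWED_HOST_SUFFIXES = ("windowsupdate.com", "update.microsoft.com",
                         "download.microsoft.com", "delivery.mp.microsoft.com")
SCRIPT_EXTENSIONS = (".ps1", ".vbs", ".js", ".hta", ".bat", ".cmd")
LOLBAS_CREATORS = ("bitsadmin.exe", "powershell.exe", "pwsh.exe")

# Constructed events modelled loosely on Microsoft-Windows-Bits-Client/Operational
# (ID 3 = job created, ID 59 = transfer started); field names are assumptions.
CONSTRUCTED_EVENTS = [
    {"event_id": 3, "job": "WU Client Download", "owner": "NT AUTHORITY\\SYSTEM", "process": "svchost.exe"},
    {"event_id": 59, "job": "WU Client Download", "url": "http://download.windowsupdate.com/d/update.cab"},
    {"event_id": 3, "job": "sysupd", "owner": "CORP\\jdoe", "process": "bitsadmin.exe"},
    {"event_id": 59, "job": "sysupd", "url": "http://203.0.113.45/s/payload.ps1"},
]


def host_allowed(url):
    """True if the URL host is an allowlisted domain or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in ALLOWED_HOST_SUFFIXES)


def review_bits_events(events):
    """Correlate job-created (ID 3) and transfer-started (ID 59) events by job name
    and return (job, reason) findings for jobs that look like download staging."""
    creators = {e["job"]: e for e in events if e["event_id"] == 3}
    findings = []
    for e in events:
        if e["event_id"] != 59:
            continue
        job, url = e["job"], e["url"]
        creator = creators.get(job, {})
        reasons = []
        if not host_allowed(url):
            reasons.append("download from non-allowlisted host")
        if urlparse(url).path.lower().endswith(SCRIPT_EXTENSIONS):
            reasons.append("remote file is a script")
        if creator.get("process", "").lower() in LOLBAS_CREATORS:
            reasons.append("job created by %s" % creator["process"])
        if reasons:
            findings.append((job, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for job, reason in review_bits_events(CONSTRUCTED_EVENTS):
        print("suspicious BITS job %r: %s" % (job, reason))
```

Feeding real exported events into review_bits_events() only requires mapping the export's column names onto the assumed keys.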
Pass-the-Cookie
Threat actors are increasingly exploiting Microsoft’s authentication ecosystem by leveraging the new Pass-the-Cookie attacks to hijack user sessions and bypass multi-factor authentication (MFA). Microsoft’s ESTSAUTH cookies, which are used for Office 365 authentication, have become a primary target for cybercriminals looking to gain unauthorized access to corporate accounts. When users log into Microsoft cloud services like Office 365 and Azure AD, their browsers receive a session cookie that proves authentication, allowing them to stay logged in without repeatedly entering credentials. Instead of stealing passwords, attackers extract these authentication tokens from infected devices and inject them into their own browsers. Because Microsoft treats a valid session cookie as proof of an already authenticated session, attackers can instantly access corporate resources without facing an MFA challenge. Infostealer malware, including LummaC2, Redline, and Raccoon, actively harvests these cookies, particularly those associated with Microsoft services, enabling adversaries to maintain persistent access even after a password reset unless the session token is explicitly revoked. This makes detection extremely difficult, as the attack mimics normal user behavior, making it indistinguishable from legitimate logins.
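A replayed session cookie is hard to spot at the point of login, but it usually shows up as one session identifier appearing from a second network location or browser without a fresh MFA completion. The following is an added hunting example (not code from the original post) that groups constructed sign-in records by user and session ID and flags that pattern; the field names are assumptions modelled loosely on Entra ID sign-in log fields, not the exact export schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records. "session" stands in for the session identifier that
# ties sign-ins to one browser session; "mfa" is "completed" for a fresh MFA
# challenge and "previously satisfied" when the existing session token was accepted.
CONSTRUCTED_SIGNINS = [
    {"ts": "2025-02-10T08:02:00", "user": "jdoe@example.com", "session": "s-1",
     "ip": "198.51.100.7", "country": "US", "ua": "Edge/122 Windows", "mfa": "completed"},
    {"ts": "2025-02-10T08:40:00", "user": "jdoe@example.com", "session": "s-1",
     "ip": "198.51.100.7", "country": "US", "ua": "Edge/122 Windows", "mfa": "previously satisfied"},
    {"ts": "2025-02-10T09:15:00", "user": "jdoe@example.com", "session": "s-1",
     "ip": "203.0.113.88", "country": "NL", "ua": "Chrome/121 Linux", "mfa": "previously satisfied"},
    {"ts": "2025-02-10T10:00:00", "user": "asmith@example.com", "session": "s-2",
     "ip": "198.51.100.9", "country": "US", "ua": "Edge/122 Windows", "mfa": "completed"},
]


def find_session_reuse(records, window=timedelta(hours=24)):
    """Return (user, session, origin_ip, new_ip, reason) for sign-ins that reuse a
    session from a different country or user agent without completing MFA again."""
    by_session = defaultdict(list)
    for r in records:
        by_session[(r["user"], r["session"])].append(r)
    findings = []
    for (user, sess), evs in by_session.items():
        evs.sort(key=lambda r: r["ts"])
        origin = evs[0]  # the sign-in that established the session
        t0 = datetime.fromisoformat(origin["ts"])
        for r in evs[1:]:
            if datetime.fromisoformat(r["ts"]) - t0 > window:
                break  # only compare against the session's own lifetime window
            reasons = []
            if r["country"] != origin["country"]:
                reasons.append("country changed %s->%s" % (origin["country"], r["country"]))
            if r["ua"] != origin["ua"]:
                reasons.append("user agent changed")
            if reasons and r["mfa"] != "completed":
                findings.append((user, sess, origin["ip"], r["ip"], "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for user, sess, origin_ip, new_ip, reason in find_session_reuse(CONSTRUCTED_SIGNINS):
        print("possible replayed session %s for %s: %s -> %s (%s)" % (sess, user, origin_ip, new_ip, reason))
```

A hit is a prompt to revoke the user's sessions (a password reset alone leaves the replayed token valid, as the text notes) rather than a conviction on its own, since VPN changes produce the same shape.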
Anubis Ransomware Group
The new Anubis ransomware group has emerged as a significant threat to Microsoft environments, specifically targeting Windows-based infrastructure, backup servers, and enterprise cloud storage. Unlike traditional ransomware, Anubis incorporates multi-platform encryption, meaning it can lock files across Windows, Linux, NAS devices, and ESXi hypervisors, ensuring maximum disruption. This is particularly devastating for enterprises that rely on Microsoft-based infrastructure, as the ransomware spreads rapidly through Windows Active Directory environments, encrypting entire domains before victims even realize an attack is underway. The ChaCha+ECIES encryption algorithm used by Anubis ensures that decryption is nearly impossible without the attacker’s private key. What makes Anubis particularly dangerous is its privilege escalation techniques, where it elevates itself to NT AUTHORITY\SYSTEM, giving it unrestricted access to critical Windows system files. Researchers have observed the abuse of Windows administrative tools, including Windows Task Scheduler and Group Policy Objects (GPOs), to push ransomware across all connected systems, turning Microsoft’s management infrastructure into a tool for rapid encryption. This makes containment incredibly difficult, as a single compromised Windows endpoint can trigger a cascading attack across the entire organization. The increasing focus on Microsoft-based environments by ransomware groups highlights how adversaries understand the value of data stored within Windows infrastructure and cloud services and are tailoring their attacks accordingly.
Comprehensive Analysis
The common thread across these threats is the exploitation of Microsoft and Windows ecosystems, whether through abusing legitimate services (Graph API, Dev Tunnels, BITS), leveraging built-in Windows tools (PowerShell, LOLBAS, Quick Assist), or targeting authentication weaknesses (Pass-the-Cookie, MFA bypasses). These techniques highlight a shift from traditional malware deployment toward more stealthy, persistent, and cloud-based attack strategies. Rather than relying on easily detectable malware executables, attackers are embedding malicious activity within the systems enterprises trust, whether by abusing Microsoft’s cloud APIs for covert communication, executing fileless malware within Windows processes, or hijacking authentication tokens to bypass security controls. This shift allows adversaries to blend seamlessly into legitimate enterprise workflows, evading detection for extended periods. The increasing reliance on Windows-integrated cloud solutions, remote work environments, and automated system updates has created new blind spots that traditional security measures fail to address. The rise in Windows and Microsoft-based attacks is not just a reflection of new malware; it signifies a fundamental evolution in cybercrime strategies, where attackers no longer need to break through firewalls if they can exploit the infrastructure already inside the network. This trend underscores the urgency for organizations to rethink how they secure Microsoft environments, as the tools designed for productivity and security are now being repurposed as powerful weapons against them.
Threat Actor Breakdown
Anubis Ransomware Group
| Attribute | Details |
| --- | --- |
| Emergence Date | Active since late 2024 |
| Attribution | Russian-speaking cybercriminals, possibly former affiliates of other ransomware groups. |
| Associated Malware | Anubis ransomware (ChaCha+ECIES encryption), data extortion tools. |
| Targets | Healthcare, Engineering, and Critical Infrastructure Sectors in Australia, Canada, Peru, and the U.S. |
| Common Tactics | Double extortion, ransomware-as-a-service (RaaS), access monetization, and investigative pressure campaigns. |
| Recent Activities | In February 2025, Anubis leaked stolen data from multiple organizations, including a U.S.-based engineering firm, after failed ransom negotiations.[12] |
Hunter Insights
These trends indicate threat actors have developed a sophisticated understanding of enterprise architecture and security tool limitations. We assess with high confidence that attackers will continue refining these techniques, further blurring the line between legitimate enterprise operations and malicious activity. The exploitation of Microsoft's ecosystem as an attack vector rather than a target represents a significant evolution in the threat landscape that requires corresponding evolution in security approaches and architectures.
Hunter Strategy will continue to monitor reporting and provide updates as new details emerge. We also encourage our readers to look for updates in our daily CTI Trending Topics and on Twitter.