Mjolnir Security's MTAC threat intelligence sensors and darknet monitoring infrastructure have identified 3,636 events across threat feed indicators and darknet netflow analysis confirming active Anubis ransomware infrastructure. Originally codenamed "Sphinx," Anubis has evolved into one of the most dangerous RaaS operations of 2026 by weaponizing Cloudflare Quick Tunnels for C2, MeshCentral for persistence, and DNS exfiltration via the operator handle "supersonic" on the RAMP and XSS underground forums.
Overview & Origins
The Anubis ransomware-as-a-service (RaaS) operation emerged in December 2024 under the codename "Sphinx" before being rebranded as Anubis in late 2024. MTAC sensors detected DNS lookups to legacy domains billing2.sphinx.ltd and email.sphinx.ltd, indicating the original infrastructure has not been fully decommissioned and continues to operate in parallel with the Anubis-branded systems — providing operational redundancy.
Anubis represents a new class of threat that combines traditional file encryption with destructive wiper capabilities. Unlike conventional ransomware that solely encrypts data for extortion, Anubis operators can deploy a /WIPEMODE flag that irrevocably destroys data — transforming what begins as a financial crime into a potentially destructive attack against critical infrastructure.
Anubis operates in two modes: encryption (ECIES, .anubis extension) for standard ransomware extortion, and /WIPEMODE for irrecoverable data destruction. Nearly 60 organizations have been compromised as of early 2026.
Operational Profile
- Victims: Nearly 60 organizations compromised as of early 2026
- Targeting: Healthcare, construction, and hospitality sectors across the United States, Canada, Australia, and Peru
- Encryption: ECIES (Elliptic Curve Integrated Encryption Scheme) — files renamed with .anubis extension
- Dual capability: Encryption mode (standard ransomware) and /WIPEMODE (destructive wiper)
- Operators: "supersonic" on RAMP forum, "Anubis__media" on XSS — Russian-speaking
- Model: RaaS — affiliates handle initial compromise; operators provide malware, leak site, and negotiation
Mobile Malware Component
MTAC sensors detected 3zer0.com tagged as "android anubis (malware)" across 66 events, indicating Anubis operators maintain a mobile malware component — likely used for credential harvesting and MFA bypass during initial access operations.
Cloudflare Tunnel Weaponization
The largest category of events detected by MTAC sensors — 427 events — involves the abuse of Cloudflare's tunnel infrastructure. This represents the most significant operational security technique employed by Anubis, transforming legitimate, encrypted cloud infrastructure into an impenetrable C2 channel.
How Cloudflare Tunnels Are Weaponized
- No inbound ports needed: The tunnel initiates from inside the network, bypassing all perimeter firewalls
- Encrypted by default: All traffic is TLS-encrypted and appears as legitimate Cloudflare traffic
- Free Quick Tunnels: trycloudflare.com subdomains require no account — fully disposable
- Legitimate binary: cloudflared.exe is signed by Cloudflare and passes most allowlisting controls
- SMB tunneling: Attackers tunnel SMB (port 445) through the encrypted channel for mass data exfiltration
MTAC sensors detected active HTTP traffic to advisory-might-pop-posters.trycloudflare.com — a Cloudflare Quick Tunnel hosting a WordPress-based C2 panel. Endpoints observed include /wp-admin/item.php, /wp-admin/product.php, /wp-admin/index.php, /login.php, and /wpautoedit.php.
Active C2 Endpoints
| Endpoint | Assessment |
|---|---|
| advisory-might-pop-posters.trycloudflare.com/wp-admin/item.php | C2 panel — payload staging |
| advisory-might-pop-posters.trycloudflare.com/wp-admin/index.php | C2 panel — main dashboard |
| advisory-might-pop-posters.trycloudflare.com/wp-admin/product.php | C2 panel — victim management |
| advisory-might-pop-posters.trycloudflare.com/login.php | Operator authentication portal |
| advisory-might-pop-posters.trycloudflare.com/wpautoedit.php | Automated C2 command handler |
Fake Cloudflare Verification Domains
MTAC sensors detected domains impersonating Cloudflare's verification infrastructure using the cloudflare-verify pattern to socially engineer victims into completing fake security checks:
- bearsloveeggropryuqr.cloudflare-verify.ud-rap-prod-test-001.xyz
- 65boutiquuqr.cloudflare-verify.ud-rap-prod-test-00ae-verify.ud-rap-prod-test-001.xyz
Executable Renaming Evasion
Operators routinely rename cloudflared.exe to blend with legitimate system processes: svchost.exe, WGUpdater.exe, AdobeUpdater.exe, MicrosoftUpdate.exe. Once renamed and installed as a Windows service, the tunnel operates indefinitely with SYSTEM-level privileges, surviving reboots.
Other Ransomware Groups Using Cloudflared
| Group | Cloudflare Tunnel Usage |
|---|---|
| BlackSuit / Royal | Cloudflared for C2 and exfiltration; predecessor group Royal pioneered the technique |
| Akira | Cloudflared tunnels for persistent access post-compromise |
| Scattered Spider | Cloudflared deployed alongside RMM tools for lateral movement |
| Medusa | Tunnel-based exfiltration to bypass DLP controls |
MeshCentral: The Open-Source Weapon
MTAC sensors detected 44 events associated with MeshCentral and MeshAgent activity. MeshCentral is a full-featured, open-source remote device management platform — and its legitimacy makes it one of the most dangerous tools in the ransomware operator's arsenal. Industry data indicates that 30% of MDR incidents in 2024–25 involved the abuse of legitimate RMM tools.
Why Ransomware Groups Choose MeshCentral
- Full source code availability: Operators can customize the agent to evade detection signatures
- Complete remote access: File transfer, terminal access, screen sharing, and remote desktop
- Agent-based persistence: MeshAgent installs as a service and survives reboots
- Command execution: win-console and win-dispatcher provide full command-line access
- Self-hosted: Operators run their own MeshCentral server — no third-party logs
MTAC sensors detected MeshAgent traffic to 8ac4f1d2dd89fb42.mesh.mongodb.newccheck-075fe2dc-b.grubwhatsappvrll.duckdns.org — using DuckDNS dynamic DNS to obscure the real C2 server location. The hexadecimal prefix is a MeshAgent device identifier. Operators can relocate their C2 server instantly without updating agent configurations.
MeshCentral IOCs
| Indicator | Type | Context |
|---|---|---|
| 8ac4f1d2dd89fb42.mesh.mongodb.newccheck-075fe2dc-b.grubwhatsappvrll.duckdns.org | DNS | MeshAgent C2 via DuckDNS |
| *.mesh.gcp.*.mongodb-dev.net | DNS Pattern | MeshCentral on Google Cloud Platform |
| updateapps.online | Domain | MeshAgent distribution server |
| 109.123.237.16:443 | IP:Port | MeshAgent C2 endpoint |
| 50.255.118.246:443 | IP:Port | MeshAgent C2 endpoint |
The "supersonic" Connection
MTAC sensors detected 12 events linking directly to infrastructure controlled by the Anubis operator known as "supersonic" on the RAMP underground forum. This provides a direct technical link between sensor-detected infrastructure and a known ransomware operator persona.
DGA-Like Subdomain Infrastructure
| Domain | Assessment |
|---|---|
| ae41tzomiucr2uskzy9l79ot0x.delta.supersonic.ai | Production deployment stage — detected February 13, 2026 |
| a894oigghvivjgzmke1livlayr.alpha.supersonic.ai | Development/testing stage — detected January 28, 2026 |
The .alpha subdomain indicates development/testing; .delta indicates production deployment. The 25+ character random prefixes exhibit characteristics of DGA output or, more likely, encoded data being exfiltrated via DNS queries. Each DNS query can exfiltrate approximately 200 bytes of encoded data — bypassing virtually all data loss prevention controls.
"Supersonic" is the documented forum handle of Anubis operators on RAMP. The operator also maintains a presence on XSS as "Anubis__media." Posts are written in Russian and advertise Anubis RaaS capabilities to potential affiliates.
Attack Chain Reconstructed
Phase 1: Initial Access
Victims are compromised through phishing campaigns using COVID-themed lures, fake Adobe/Flash updates, and fake Cloudflare verification pages. The 3zer0.com mobile malware component may intercept MFA tokens.
Phase 2: Persistence via MeshCentral
Operators deploy a customized MeshAgent that installs as a system service, connecting back to operator-controlled MeshCentral servers hosted on GCP or behind DuckDNS dynamic domains. The win-console and win-dispatcher modules provide command-line access for reconnaissance and lateral movement.
Phase 3: C2 & Exfiltration via Cloudflare Tunnels
Operators establish Cloudflare Quick Tunnels using disposable trycloudflare.com subdomains. The WordPress-based C2 panel manages the operation. SMB (port 445) is tunneled through the encrypted Cloudflare connection for mass file exfiltration — invisible to network-level detection.
Phase 4: DNS Exfiltration via supersonic.ai
High-value data such as encryption keys, credentials, and configuration files are exfiltrated via DNS queries to DGA-generated subdomains under supersonic.ai. This backup exfiltration channel operates independently and is virtually undetectable without specialized DNS monitoring.
Phase 5: Ransomware Deployment
With data exfiltrated and the threat of a leak established, operators deploy the Anubis encryptor. Files are encrypted using ECIES and renamed with the .anubis extension. In cases where maximum damage is desired, the /WIPEMODE flag is activated — rendering all data irrecoverable.
Darknet Netflow Analysis
MTAC's darknet monitoring infrastructure recorded 3,031 network flow sessions over 13 months (April 2025 — April 2026) involving Anubis-associated infrastructure. After filtering relay infrastructure, 1,190 sessions reveal direct communication with identifiable threat infrastructure.
Key Findings
- Email exfiltration: 482 sessions on port 993 (IMAPS) to 92.243.7.212 (Gandi SAS, France) — sustained intelligence collection or victim negotiation infrastructure
- Cloudflare-fronted C2: 100 sessions across Cloudflare IPs (104.21.81.221, 172.67.170.97, 104.21.28.56) confirming Quick Tunnel behavior
- GCP traffic: 16 sessions to 35.220.178.96 (Google Cloud) — consistent with GCP-hosted MeshCentral instances
- DNS dominance: Port 53 (DNS) accounted for 1,318 sessions (43%) — far exceeding legitimate resolution, confirming DNS exfiltration
Infrastructure IP Addresses
| IP Address | Provider | Sessions | Assessment |
|---|---|---|---|
| 92.243.7.212 | Gandi SAS (France) | 482 | Email exfiltration server (IMAPS) |
| 71.42.236.91 | Charter Communications (US) | 140 | Probed residential host (HTTP) |
| 92.205.52.93 | Host Europe (Germany) | 79 | Possible staging server |
| 185.50.44.147 | Grupo Loading (Spain) | 33 | Possible C2 |
| 35.220.178.96 | Google Cloud | 16 | GCP-hosted MeshCentral |
| 65.181.111.135 | WHG Hosting (US) | 22 | Possible C2 |
Indicators of Compromise
- advisory-might-pop-posters.trycloudflare.com — Active Cloudflare Quick Tunnel C2
- ae41tzomiucr2uskzy9l79ot0x.delta.supersonic.ai — Operator "supersonic" delta-stage C2
- a894oigghvivjgzmke1livlayr.alpha.supersonic.ai — Operator "supersonic" alpha-stage C2
- 8ac4f1d2dd89fb42.mesh.mongodb.newccheck-075fe2dc-b.grubwhatsappvrll.duckdns.org — MeshAgent C2 via DuckDNS
- updateapps.online — MeshAgent distribution server
- 109.123.237.16:443 — MeshAgent C2 endpoint
- 50.255.118.246:443 — MeshAgent C2 endpoint
- 3zer0.com — Android Anubis mobile malware
- anubis.techaro.lol — Anubis group staging/registration
- billing2.sphinx.ltd — Legacy Sphinx billing infrastructure
- email.sphinx.ltd — Legacy Sphinx email infrastructure
- kovintros.top — Anubis-associated malware distribution
- tomcat.best — Suspicious infrastructure
- bearsloveeggropryuqr.cloudflare-verify.ud-rap-prod-test-001.xyz — Fake Cloudflare verification
- 65boutiquuqr.cloudflare-verify.ud-rap-prod-test-00ae-verify.ud-rap-prod-test-001.xyz — Nested fake verification
- coronaviruscovid19-information.com — COVID-themed phishing lure
- adobefbplayer.xyz — Fake Adobe update — malware delivery
- myflashplayer.xyz — Fake Flash update — malware delivery
- 92.243.7.212 — Gandi SAS (France) — 482 IMAPS sessions
- 71.42.236.91 — Charter Communications (US) — 140 HTTP sessions
- 92.205.52.93 — Host Europe (Germany) — 79 sessions
- 185.50.44.147 — Grupo Loading (Spain) — 33 sessions
- 35.220.178.96 — Google Cloud — 16 sessions
- 65.181.111.135 — WHG Hosting (US) — 22 sessions
MITRE ATT&CK Mapping
| Technique | Name | Context |
|---|---|---|
| T1572 | Protocol Tunneling | Cloudflare Quick Tunnels for C2 and exfiltration via encrypted QUIC/HTTP2 |
| T1219 | Remote Access Software | MeshCentral/MeshAgent for persistent remote access and lateral movement |
| T1048 | Exfiltration Over Alternative Protocol | DNS exfiltration via supersonic.ai DGA subdomains; SMB tunneled through Cloudflare |
| T1090 | Proxy | Cloudflare tunnel as proxy layer obscuring true C2 server location |
| T1486 | Data Encrypted for Impact | ECIES encryption with .anubis file extension |
| T1561 | Disk Wipe | /WIPEMODE flag for destructive data destruction |
| T1036.005 | Masquerading: Match Legitimate Name | cloudflared.exe renamed to svchost.exe, AdobeUpdater.exe, WGUpdater.exe |
| T1071.001 | Application Layer Protocol: Web | WordPress-based C2 panel disguised as legitimate CMS |
| T1568.002 | Dynamic Resolution: Domain Generation | DGA-like subdomain generation under supersonic.ai |
| T1133 | External Remote Services | MeshCentral providing unauthorized remote access |
Detection & Recommendations
Cloudflare Tunnel Detection
- Block trycloudflare.com: Quick Tunnels are free and disposable — there is rarely a legitimate business need for them
- Detect cloudflared process execution: Use hash-based detection, certificate verification, and behavioral analysis of outbound QUIC connections to Cloudflare edge IPs regardless of filename
- Monitor service installations: Alert on new Windows services establishing persistent outbound connections to Cloudflare IP ranges (104.16.0.0/12, 172.64.0.0/13)
- Inspect cloudflare-verify domains: Any domain containing "cloudflare-verify" that does not resolve to Cloudflare's actual IP ranges is malicious
MeshCentral / RMM Detection
- Inventory authorized RMM tools: Maintain a strict allowlist; any MeshAgent installation not on the approved list should trigger immediate investigation
- Monitor for MeshAgent indicators: Watch for meshagent process names, connections to *.mesh.* domains, and duckdns.org DNS resolutions
- Block unauthorized DuckDNS: Unless specifically required, block all *.duckdns.org resolution — it is overwhelmingly used for malicious C2
- Patch CVE-2025-30406: Gladinet CentreStack exploitation leads directly to MeshCentral deployment
DNS Monitoring
- Monitor for supersonic.ai resolution: Any DNS query to *.supersonic.ai with long, random-looking subdomains should be treated as a confirmed compromise indicator
- Detect DNS exfiltration: Implement DNS query length monitoring — queries with subdomain labels exceeding 20 characters are statistically anomalous
- Log all DNS queries: Passive DNS logging is the single most effective detection mechanism for the techniques documented in this report
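As an added example (not code from the report or from Mjolnir Security), the following script runs the passive DNS rules from the Cloudflare Tunnel, MeshCentral / RMM and DNS Monitoring recommendations above over a constructed log. The log format, the 3.5 bits/char entropy cut-off for "random-looking" labels, and the two-prefix Cloudflare range list are assumptions; hostnames and the two non-placeholder answer addresses are the report's own indicators.

```python
import ipaddress
import math
from collections import Counter

# Cloudflare ranges named in the report; load Cloudflare's full published list in production.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in ("104.16.0.0/12", "172.64.0.0/13")]
LABEL_LIMIT = 20      # report's threshold: labels longer than this are anomalous
ENTROPY_LIMIT = 3.5   # assumed bits/char cut-off for a "random-looking" label
# Constructed passive DNS log ("time client qname answer"); hostnames, 104.21.81.221 and
# 109.123.237.16 are report IOCs, clients and remaining answers are placeholders.
SAMPLE_LOG = """\
2026-02-13T09:14:02Z 10.0.4.17 ae41tzomiucr2uskzy9l79ot0x.delta.supersonic.ai 203.0.113.9
2026-02-13T09:14:05Z 10.0.4.17 advisory-might-pop-posters.trycloudflare.com 104.21.81.221
2026-02-13T09:15:11Z 10.0.4.22 8ac4f1d2dd89fb42.mesh.mongodb.newccheck-075fe2dc-b.grubwhatsappvrll.duckdns.org 109.123.237.16
2026-02-13T09:16:40Z 10.0.4.31 bearsloveeggropryuqr.cloudflare-verify.ud-rap-prod-test-001.xyz 198.51.100.44
2026-02-13T09:17:03Z 10.0.4.31 www.example.com 203.0.113.1
"""

def entropy(label):            # Shannon entropy of one label, bits per character
    return -sum(c / len(label) * math.log2(c / len(label)) for c in Counter(label).values())

def in_cloudflare(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_RANGES)

def classify(qname, answer=None):   # names of the report's DNS rules that fire
    q = qname.lower().rstrip(".")
    labels = q.split(".")
    hits = []
    if q.endswith(".trycloudflare.com"):          # disposable Quick Tunnel hostname
        hits.append("quick-tunnel")
    if "cloudflare-verify" in q and (answer is None or not in_cloudflare(answer)):
        hits.append("fake-cloudflare-verify")    # impersonation that Cloudflare does not serve
    if q.endswith(".duckdns.org"):                # dynamic DNS fronting the MeshCentral server
        hits.append("duckdns")
    if ".mesh." in q:
        hits.append("meshcentral")
    if q.endswith(".supersonic.ai") and len(labels[0]) > LABEL_LIMIT and entropy(labels[0]) > ENTROPY_LIMIT:
        hits.append("supersonic-exfil")          # encoded data riding the leftmost label
    if any(len(label) > LABEL_LIMIT for label in labels[:-2]):
        hits.append("long-label")                # the report's generic exfiltration heuristic
    return hits

def scan(log_text):                 # {qname: [rules]} for every name that fires a rule
    findings = {}
    for line in log_text.splitlines():
        _, _, qname, answer = line.split()
        if hits := classify(qname, None if answer == "NXDOMAIN" else answer):
            findings[qname] = hits
    return findings
```

Note that the Quick Tunnel's three-word hostname also trips the generic 20-character label rule, so the length heuristic alone needs the tunnel and dynamic DNS rules beside it to explain what was caught.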
Network Segmentation
- Segment critical data: Ensure ransomware cannot reach backup systems, domain controllers, or file servers from standard user networks
- Block outbound SMB: Block SMB (port 445) from traversing network boundaries — primary protocol used for tunnel-based exfiltration
- Implement zero-trust: Require continuous authentication and authorization for all resource access
How Mjolnir Security Can Help
MTAC Threat Intelligence & Response
Mjolnir Security's MTAC division operates proprietary threat intelligence sensors and darknet monitoring infrastructure that detected every indicator documented in this report.
- 24/7 Sensor Coverage: Detecting ransomware infrastructure, C2 channels, and data exfiltration in real time
- Underground Forum Monitoring: Deep monitoring of RAMP, XSS, and other forums for threat actor activity and operational planning
- Rapid Incident Response: Deployment capabilities to contain and remediate active ransomware intrusions
Contact: sales@mjolnirsecurity.com | +1 (833) 403-5875 | mjolnirsecurity.com