A recent alert has highlighted the emergence of the AnubisBackdoor, a Python-based backdoor attributed to the Savage Ladybug group, which is reportedly linked to the notorious FIN7 cybercrime gang.
This malware is designed to provide remote access, execute commands, and facilitate data exfiltration, all while evading detection by most antivirus solutions.
— PRODAFT (@PRODAFT) March 11, 2025
New Malware Alert: Savage Ladybug (FIN7) has recently developed AnubisBackdoor, a simple yet effective Python-based backdoor with mild obfuscation, fully undetected (FUD) by most AV solutions. Threat actors are actively using it in malspam campaigns, enabling remote command… pic.twitter.com/1a4By49mbh
Technical Analysis
The AnubisBackdoor is part of a broader trend of sophisticated malware tools being developed and deployed by cybercrime groups.
.png
)
Unlike the Anubis malware, which is primarily known for targeting Android devices with banking trojan capabilities, the AnubisBackdoor is specifically tailored for remote command execution and system compromise on other platforms.
It features mild obfuscation techniques, making it fully undetected (FUD) by many security tools.
This level of stealth allows threat actors to use it effectively in malspam campaigns, further compromising systems and stealing sensitive data.
The Savage Ladybug group’s use of the AnubisBackdoor underscores the evolving tactics of cybercrime groups like FIN7, which have historically been known for their advanced evasion techniques and tool development.
FIN7, also known as Carbanak, has been active since at least 2013 and has employed a range of tools, including the Carbanak backdoor and the AvNeutralizer tool, which is designed to disable endpoint detection and response (EDR) solutions.
The development and deployment of the AnubisBackdoor suggest that these groups continue to innovate and adapt their strategies to evade detection and maximize the impact of their attacks.
Indicators of Compromise (IOCs)
According to the Report, To combat the AnubisBackdoor, security teams are advised to monitor for specific indicators of compromise (IOCs), including backend server IP addresses such as 38.134.148.20, 5.252.177.249, 212.224.107.203, and 195.133.67.35.
Additionally, file hashes like 03a160127cce3a96bfa602456046cc443816af7179d771e300fec80c5ab9f00f and 5203f2667ab71d154499906d24f27f94e3ebdca4bba7fe55fe490b336bad8919 should be flagged for potential malicious activity.
As the threat landscape continues to evolve, it is crucial for organizations to enhance their security posture by implementing robust detection and response strategies to counter such sophisticated malware threats.
Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.
