FIN7's Advanced Anubis Backdoor: Full System Control on Windows

TL;DR

The FIN7 cybercrime group has developed a sophisticated Python-based backdoor called Anubis, which allows attackers to gain full remote control over compromised Windows systems. This malware, distributed via phishing and hosted on compromised SharePoint sites, uses obfuscation techniques to evade detection and poses a significant security risk.

Introduction

The FIN7 cybercrime group, also known as Savage Ladybug, has developed a new Python-based malware called the Anubis Backdoor. This sophisticated tool enables attackers to gain full remote control over infected Windows systems, execute shell commands, and perform system operations while remaining undetected by most antivirus solutions.

Delivery and Execution

The Anubis Backdoor is distributed as a ZIP package containing a Python script and multiple Python executables. Some variants execute the obfuscated payload immediately after writing it to disk, while others load the payload and call a specific function from it. This variability in execution methods demonstrates the malware’s adaptability and the threat actor’s efforts to diversify their delivery mechanisms for different operational scenarios¹.

Obfuscation and Encryption

The backdoor uses a Python script with approximately 30 lines as the main entry point, which decrypts and executes the real payload. It employs AES-CBC encryption with base64 encoding and loads the payload via the exec function. The obfuscation method involves replacing variable names with similar characters, making analysis harder but not overly complex².

Communication and Command Execution

The Anubis Backdoor communicates via a single TCP socket and switches servers if one fails. Messages, including the groupname, are base64-encoded. Upon execution, it sends the process ID and local IP to the C2 server. To determine the local IP, it creates a UDP socket to 8.8.8.8 on port 80, letting the OS resolve the appropriate address without actual traffic. Each payload contains a groupname and two IPs for communication³.

Functionalities

The backdoor supports multiple commands, including:

• Retrieving IP
• Modifying the registry
• Executing Python code
• Loading DLLs into memory

Remote code execution allows the malware to load malicious functionalities dynamically. It supports keylogging, file transfers, and registry modifications, continuously processing commands until termination using subprocess.Popen for shell execution⁴.

Threat Assessment

AnubisBackdoor is a stealthy Python-based tool used by FIN7 to maintain access to compromised systems. Despite its mild obfuscation, it remains fully undetected (FUD) by most antivirus solutions. Delivered via malspam campaigns, with compromised SharePoint instances serving the payload, it poses a significant threat to enterprise environments. Variants of the backdoor execute the payload differently, suggesting ongoing refinement by attackers⁵.

Conclusion

The Anubis Backdoor represents a significant advancement in the capabilities of the FIN7 cybercrime group. Its ability to evade detection and gain full system control makes it a potent threat to Windows systems. Organizations must remain vigilant and implement robust security measures to protect against such sophisticated attacks.

Additional Resources

For further insights, check:

• Experts Found Infrastructure FIN7
• FIN7 Fake Cybersecurity Firm
• FIN7 Members Arrested

References

1. PRODAFT (2025). “Anubis Backdoor Overview”. Catalyst PRODAFT. Retrieved 2025-04-02. ↩︎

2. Security Affairs (2025). “New Advanced FIN7’s Anubis Backdoor Allows to Gain Full System Control on Windows”. Security Affairs. Retrieved 2025-04-02. ↩︎

3. PRODAFT (2025). “Anubis Backdoor Overview”. Catalyst PRODAFT. Retrieved 2025-04-02. ↩︎

4. Security Affairs (2025). “New Advanced FIN7’s Anubis Backdoor Allows to Gain Full System Control on Windows”. Security Affairs. Retrieved 2025-04-02. ↩︎

5. PRODAFT (2025). “Anubis Backdoor Overview”. Catalyst PRODAFT. Retrieved 2025-04-02. ↩︎