Following the Trail of Anubis: Forums, Onion Sites, and the Rise of a Ransomware Operation


Some ransomware operations appear suddenly. A new name surfaces, victims begin to appear, and attention quickly shifts to the impact of the attacks. What often goes unnoticed is everything that happens before that point.

Behind every ransomware operation is a period of growth. Infrastructure is built, relationships are formed, and an online presence gradually takes shape across corners of the internet that most people never see. Traces of that activity are often scattered across forums, hidden services, and other platforms, leaving behind a digital trail that can reveal how an operation evolved long before it gained wider attention.

This investigation follows that trail.

Using StealthMole, a series of seemingly unrelated discoveries led to a deeper examination of Anubis, a ransomware operation that has steadily expanded its presence across the underground ecosystem. What began as a routine inquiry soon developed into a broader effort to understand how the operation established itself, promoted its services, and grew its network over time.

The sections that follow reconstruct that journey, tracing the digital footprint left behind by Anubis and the individuals operating under its banner.

Following the First Lead

The investigation began after Anubis published a ransomware listing targeting a South Korean company operating in the semiconductor and industrial equipment sector. The victim entry was identified through StealthMole's Ransomware Monitoring module and directed visitors to a dedicated page hosted on the group's leak platform:

  • om6q4a*********************************u4aqd.onion/

At first glance, the listing appeared similar to many ransomware leak posts regularly published across the dark web. However, rather than focusing solely on the victim, the investigation turned toward the operation responsible for publishing the claim.

A broader search for Anubis within StealthMole's Ransomware Monitoring module revealed that the group had publicly listed 83 victims between February 2025 and June 2026, suggesting that the latest attack was part of a much larger operation. Additional searches across StealthMole's monitoring datasets uncovered references to the same leak infrastructure in connection with other organizations, including a US county, further indicating that the operation had maintained an active presence for an extended period.

While the victim listings provided a starting point, they offered only a limited view of the operation itself. To better understand who was behind Anubis and how the group had established its presence, the investigation shifted beyond the leak site and began tracing the digital footprint surrounding the operation. That search soon led to a recurring identity that appeared across multiple underground platforms.

The Emergence of Anubis Media

As the investigation moved beyond victim listings and into the wider footprint surrounding Anubis, one name began appearing repeatedly across multiple platforms: Anubis Media.

The earliest discovery was an account on the XSS forum, registered on 16 November 2024 under the profile:

  • https://xss.***/members/4*****8/

The account's profile description translated to "We convey information," a message that would later align closely with the branding and public image promoted by the Anubis operation. At the time, however, there was little to suggest how significant this persona would become.

Further investigation uncovered the same identity across multiple underground communities, including:

  • https://breachforums.**/User-Anubis-media
  • https://breachforums.**/User-Anubis-media
  • https://breachforums.**/User-Anubis-media

Rather than appearing as isolated registrations, these accounts demonstrated a consistent effort to establish a recognizable presence across several well-known cybercriminal forums.

The same branding also appeared outside traditional forum environments. An X account operating under the handle Anubis*****a was identified at:

  • https://x.com/Anubis******a

The account was used to publish updates related to the operation, share infrastructure announcements, and promote content associated with the Anubis brand.

It remained unclear whether Anubis Media represented a single operator, a spokesperson, or a broader public-facing identity used by the group. What was clear, however, was that the name appeared consistently across multiple platforms and increasingly served as a common thread connecting disparate pieces of the investigation.

As additional findings emerged, Anubis Media would become closely associated with the promotion of services, recruitment efforts, and infrastructure linked to the Anubis operation.

Building a Presence Across the Underground

The growing presence of Anubis Media across multiple platforms was accompanied by a steady stream of advertisements promoting various services associated with the operation. These posts provided a clearer view of how the group was attempting to establish itself within the underground ecosystem and attract potential partners.

One of the earliest examples was identified on ReHub:

  • https://rehubcom.***/threads/*****/

The post advertised a corporate access monetization program built around a profit-sharing model. Similar advertisements were later discovered on several BreachForums instances as well as mirrored versions:

  • https://breachforums.**/Thread********monetization-50-50-Earn

The advertisements sought individuals with access to corporate environments and invited them to collaborate with the operation under a 50/50 revenue-sharing arrangement. According to the posts, preferred targets included organizations located in the United States, Canada, Europe, and Australia. The advertisements specifically referenced access types such as VPNs, RDWeb deployments, Citrix environments, remote code execution opportunities, and other forms of corporate network access.

The same activity was not limited to a single forum. Similar recruitment efforts were identified on XSS, where the Anubis Media persona promoted access monetization services to another underground audience. The repeated appearance of these advertisements across multiple communities suggested a deliberate effort to expand the operation's network of partners rather than relying solely on internally obtained access.

At this stage, the investigation revealed an operation focused not only on public visibility but also on building relationships within the cybercriminal ecosystem. The recurring recruitment campaigns indicated that Anubis was actively seeking opportunities to acquire access, attract collaborators, and increase its operational reach.

While these advertisements demonstrated how the operation sought to expand, they also raised another question. What services were those partners ultimately being recruited to support? The answer emerged through a separate set of posts that revealed the group's ransomware ambitions.

From Leak Operation to Ransomware Program

The purpose behind Anubis' recruitment efforts became clearer following the discovery of a dedicated thread on the RAMP forum:

  • https://ramp4u.**/threads/data-ransom-ransomware-anubis*****

Created by the user superSonic on 23 February 2025, the post provided one of the earliest detailed descriptions of the services being offered under the Anubis brand. Notably, the timing closely aligned with the emergence of the group's leak infrastructure, suggesting that the operation's public-facing presence and recruitment efforts developed in parallel.

Rather than advertising a single service, the RAMP post presented Anubis as a multi-faceted operation built around two primary offerings: ransomware and data extortion.

The ransomware component promoted support for Windows, Linux, NAS, and ESXi environments while highlighting features designed to maximize operational impact. The advertisement described capabilities such as network-wide deployment, privilege escalation, shadow copy removal, and disruption of virtualized environments. The post also referenced multiple encryption modes, including a "Lite Locker" option and a destructive wipe mode.

Alongside the ransomware offering, the thread introduced a separate "Data Ransom" model. Unlike traditional ransomware campaigns that rely on encryption, this service focused on monetizing stolen corporate information. Individuals in possession of sensitive company data were invited to collaborate with the operation, allowing Anubis to leverage its existing infrastructure and publicity channels to pressure victims and generate revenue from leaked information.

This distinction proved particularly significant. The model suggested that Anubis was not solely dependent on ransomware deployments to generate income. Instead, the operation appeared willing to profit from both network intrusions and independently acquired datasets, broadening the range of opportunities available to potential partners.

The RAMP advertisement also outlined preferred target regions, including the United States, Canada, Europe, and Australia. At the same time, the post stated that organizations associated with government, education, non-profit sectors, BRICS countries, and former Soviet states were excluded from the group's stated targeting criteria.

By this stage of the investigation, Anubis no longer appeared to be simply a ransomware leak site or a collection of forum profiles. The evidence pointed toward an operation actively recruiting affiliates, acquiring access opportunities, and promoting multiple revenue streams under a single brand.

As the investigation continued, attention shifted from the services being advertised to the infrastructure supporting them.

Mapping the Anubis Infrastructure

The investigation's next phase focused on the infrastructure supporting the Anubis operation. Using StealthMole's Dark Web Tracker, multiple pages associated with the group's leak platform were identified, including dedicated sections for news, rules, frequently asked questions, and operational information.

At the center of this infrastructure was the group's primary leak site:

  • om6q4a6*************************************4aqd.onion

The site served as the public-facing hub for the operation, hosting victim listings, announcements, and guidance for both affected organizations and prospective collaborators. Several of the pages contained contact information and references that helped connect the infrastructure to identities previously identified during the investigation.

One of the most significant findings appeared within the Rules section, where the operation publicly provided multiple communication channels:

  • qTox ID: 354217********************************************948F
  • Email: anu*****t@onionmail.org
  • PGP Fingerprint: D59C**********************5A1

The same page also directed visitors to several forum profiles previously encountered during the investigation, including the RAMP account associated with superSonic and the Anubis Media presence on underground forums. These references provided an important bridge between the operation's infrastructure and its public recruitment activities.
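The pivot described above, from the contact channels and forum references on the leak platform back to personas first seen on the forums, is at heart a graph problem: every page or profile is a source, every handle, address, key fingerprint or onion hostname is an artifact, and two sources belong to the same cluster when they share an artifact. The Python block below is an added illustration written for this page, not StealthMole's tooling and not anything recovered from the Anubis infrastructure. Every source name and artifact value in it is a constructed placeholder (the onion hostname is a syntactically valid v3 address that was made up for the example; the handles, e-mail local part and fingerprint are invented). It normalizes each artifact by type, merges sources that share a strong artifact with a union-find structure, and reports which artifacts acted as pivots.

```python
"""Cross-platform artifact correlation (added example, not StealthMole's code).

All observations below are constructed placeholders modelled on the artifact
types in the report: forum handles, a profile tagline, onion hostnames, a
contact e-mail and a PGP fingerprint. None of them is a real indicator.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed v3 .onion hostname: 56 base32 characters, not a real site.
PLACEHOLDER_ONION = "om6q4a" + "placeholder" * 4 + "xu4aqd" + ".onion"

# (source, artifact_type, raw_value) as an analyst might record them.
OBSERVATIONS = [
    ("xss-profile", "handle", "Anubis Media"),
    ("xss-profile", "tagline", "We convey information"),
    ("breachforums-a", "handle", "anubis-media"),
    ("breachforums-b", "handle", "Anubis_Media"),
    ("x-account", "handle", "@AnubisMedia"),
    ("x-account", "onion", "http://" + PLACEHOLDER_ONION.upper() + "/news"),
    ("leak-site-rules", "onion", PLACEHOLDER_ONION),
    ("leak-site-rules", "email", "Anubis-Placeholder@onionmail.org"),
    ("leak-site-rules", "pgp", "d59c 1111 2222 3333 5a1"),
    ("leak-site-rules", "handle", "superSonic"),
    ("ramp-thread", "handle", "supersonic"),
    ("ramp-thread", "pgp", "D59C1111222233335A1"),
    ("unrelated-forum", "handle", "other-group"),
    ("unrelated-forum", "email", "nobody@example.invalid"),
]

ONION_RE = re.compile(r"^[a-z2-7]{56}\.onion$")

# Artifact types considered strong enough to merge two sources. A tagline is
# recorded but never merges anything: slogans are trivially copied.
STRONG_KINDS = {"handle", "email", "pgp", "onion"}


def normalize(kind, value):
    """Return a canonical 'kind:value' key, or None if the value is unusable."""
    v = value.strip()
    if kind == "handle":
        return "handle:" + re.sub(r"[^a-z0-9]", "", v.lower())
    if kind == "email":
        return "email:" + v.lower()
    if kind == "pgp":
        return "pgp:" + re.sub(r"[^0-9A-F]", "", v.upper())
    if kind == "tagline":
        return "tagline:" + " ".join(v.lower().split())
    if kind == "onion":
        url = v if "://" in v else "http://" + v
        host = (urlsplit(url).hostname or "").lower()
        return "onion:" + host if ONION_RE.match(host) else None
    return None


class UnionFind:
    """Minimal disjoint-set structure over string node ids."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def correlate(observations):
    """Cluster sources by shared strong artifacts.

    Returns (clusters, pivots): clusters is a sorted list of sorted source
    lists; pivots maps each artifact key seen in two or more sources to the
    set of sources it appeared in.
    """
    uf = UnionFind()
    seen_in = defaultdict(set)
    for source, kind, raw in observations:
        key = normalize(kind, raw)
        if key is None:
            continue
        seen_in[key].add(source)
        if kind in STRONG_KINDS:
            uf.union("source:" + source, key)
    clusters = defaultdict(set)
    for source, _, _ in observations:
        clusters[uf.find("source:" + source)].add(source)
    pivots = {k: s for k, s in seen_in.items() if len(s) > 1}
    return sorted(sorted(c) for c in clusters.values()), pivots


if __name__ == "__main__":
    found_clusters, found_pivots = correlate(OBSERVATIONS)
    for cluster in found_clusters:
        print("cluster:", ", ".join(cluster))
    for key, sources in sorted(found_pivots.items()):
        print("pivot:", key, "->", ", ".join(sorted(sources)))
```

Each cluster is a hypothesis rather than an attribution: a shared nickname can be impersonated and a contact address can be reused or abandoned, so the pivot list exists precisely so an analyst can see which single artifact is carrying a link and weigh it accordingly. The onion normalizer deliberately rejects anything that is not a well-formed v3 hostname, which keeps masked or truncated addresses from silently creating false joins.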

Further examination of the platform revealed that Anubis had invested in maintaining a structured and regularly updated environment rather than a simple victim listing page. Sections dedicated to operational announcements, leak publications, and user guidance suggested an effort to create a recognizable and persistent presence within the underground ecosystem.

Additional infrastructure surfaced through the group's X account, which announced a new onion domain on 12 June 2025:

  • anubis*************************************y6ad.onion

The domain was described as a "New Node DLS." While the service appeared inactive or under maintenance at the time of investigation, the announcement provided evidence that the operation was actively expanding or maintaining additional infrastructure beyond its primary leak platform.

These findings revealed an operation that had developed far beyond a single leak site. The infrastructure connected communication channels, forum identities, victim publications, and operational announcements into a unified ecosystem supporting the broader Anubis brand.

Public Messaging and Brand Development

While the technical infrastructure provided insight into how Anubis operated, the content published across its platforms offered a different perspective into how the group wanted to be perceived.

Throughout the investigation, the Anubis operation consistently avoided presenting itself solely as a ransomware group. Instead, references across its leak platform, forum accounts, and social media presence repeatedly emphasized themes more commonly associated with information publishing and disclosure.

This approach was particularly visible through the Anubis Media identity, which appeared across multiple underground platforms and served as the public-facing voice of the operation. The account maintained a presence on X, BreachForums, XSS, and other communities, regularly promoting updates, services, and infrastructure associated with the Anubis brand.

The operation's About page reinforced this image by describing Anubis as a media-focused platform dedicated to publishing information. Similar messaging appeared elsewhere throughout the ecosystem, including the XSS profile description associated with Anubis Media, which stated: "We convey information."

The same narrative extended to the FAQ section of the leak platform. In addition to addressing victim inquiries, the page openly invited communication from individuals possessing unpublished corporate information and offered collaboration opportunities involving exclusive data. Separate sections also encouraged engagement from journalists and media representatives interested in discussing leaked information.

These findings suggest that Anubis was deliberately cultivating an identity that extended beyond traditional ransomware activity. Rather than presenting itself exclusively as an extortion operation, the group consistently incorporated media-oriented language into its public communications, recruitment efforts, and platform design.

Whether this branding strategy was intended to attract partners, increase visibility, or distinguish the operation from competing groups remains unclear. However, the consistency of the messaging across multiple platforms indicates that it formed a deliberate part of the Anubis identity rather than an isolated marketing effort.

Conclusion

What began with a single victim listing ultimately revealed a much broader operation. By following the trail left across ransomware monitoring data, underground forums, social media accounts, and onion services, the investigation uncovered an ecosystem that extended well beyond a conventional leak site.

The findings show that Anubis invested considerable effort into establishing its presence across the underground landscape. Recruitment campaigns, access monetization programs, dedicated infrastructure, and the recurring appearance of the Anubis Media persona all point to an operation focused not only on conducting attacks but also on expanding its reach and visibility within cybercriminal communities.

While many ransomware groups become visible only after victims begin appearing on their leak sites, the Anubis case demonstrates the value of examining the activity that occurs behind the scenes. Long before an operation gains wider attention, traces of its development can often be found across the platforms, services, and communities that support its growth. By connecting those traces, it becomes possible to build a more complete understanding of how an operation evolves and positions itself within the broader ransomware ecosystem.

Editorial Note

Cybercriminal operations rarely emerge fully formed. Long before victims appear on leak sites or attacks attract public attention, traces of an operation's growth can often be found across forums, hidden services, recruitment posts, and other pieces of digital infrastructure.

While the findings presented in this report are based on artifacts identified during the investigation, attribution in cybercrime investigations is rarely absolute, and online identities can be shared, abandoned, or deliberately misleading. This case highlights how StealthMole can help investigators navigate that uncertainty by connecting information across multiple sources, enabling a clearer view of how an operation develops and establishes itself within the underground ecosystem.

To access the unmasked report or full details, please reach out to us separately.

Contact us: support@stealthmole.com
