Quick Update: Kraken Completes Its Rebrand to Anubis
Archived: 2026-04-05 16:21:11 UTC
Threat Intelligence
February 22, 2022 |by ZeroFox Team
In a blog post dated February 16, 2022, ZeroFox Intelligence detailed Kraken, a new botnet targeting Windows
that we discovered in October 2021. The botnet is still undergoing active development, experimenting with new
features, and attempting to find a brand for itself. After our publication, ZeroFox learned that the botnet has
undergone a rebranding to more closely align with its administration dashboard. Sometime between January 4,
2022, and January 7, 2022, the operator(s) began using the names “Anubis” and “Pepega” for the project
internally.
Recommendations
Ensure antivirus and intrusion detection software is up to date with all patches and rule sets.
Enable two-factor authentication for all organizational accounts to help mitigate phishing and credential
stuffing attacks.
Maintain regularly scheduled backup routines, including off-site storage and integrity checks.
Avoid opening unsolicited attachments and never click suspicious links.
Log and monitor all administrative actions as much as possible. Alert on any suspicious activity.
Review network logs for potential signs of compromise and data egress.
Details
ZeroFox Intelligence has been following the development of this previously unknown botnet since October 2021.
Originally named “Kraken,” builds discovered between January 4, 2022, and January 7, 2022, reveal that the
internal name has changed.
https://www.zerofox.com/blog/quick-update-kraken-completes-its-rebrand-to-anubis/
Page 1 of 4

Figure 1. On the left, a build from January 4, 2022; on the right, a January 7, 2022, build.
Source: ZeroFox Intelligence
As seen in Figure 1, the Golang project path has changed from
“C:\Users\666\Desktop\Bobabubs\kraken_2022” to “\root\anubis”, which more closely aligns with the
dashboard after it received its own rebrand. The source code also appears to have been merged into one main file
with most of the function names being obfuscated, as opposed to the previously separated but clear functionality.
Another notable change made is to the main source file. The name “pepega” may be in reference to a Twitch
emote of the same name, which is itself a variation of the meme “Pepe the Frog.”
Anubis Dashboard No Longer Available
Shortly after our publication, ZeroFox Intelligence also observed that the Anubis dashboard is no longer available.
Attempting to view the dashboard now results in a “404 page not found” message being displayed.
New Exfiltration Targets
In addition to the previously-added cryptocurrency wallets, Anubis now appears to be targeting specific
Chromium-based browsers. Builds obtained by ZeroFox Intelligence from February 17, 2022, onwards have
added the following paths targeting the Brave, Google Chrome, and Microsoft Edge browsers:
\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Cookies
\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
\AppData\Local\Microsoft\Edge\User Data\Default\Cookies
https://www.zerofox.com/blog/quick-update-kraken-completes-its-rebrand-to-anubis/
Page 2 of 4

Figure 2. Multiple Chromium-based web browser paths appearing in the latest Anubis build
Source: ZeroFox Intelligence
Until recently, Anubis relied entirely on secondary payloads such as Redline to steal data from victims. If this
trend of feature additions continues, Anubis may become capable of doing the job itself, ending its reliance on
third-party infostealers.
Conclusion
The additional capability to target a victim's browser data seems limited to just cookie data currently. Whether
Anubis decides to collect more data (such as saved credentials and browser history) or even target more browsers
based on the Chromium source currently remains to be seen. Though the pace of Anubis’ development has slowed
down since its initial discovery, the various changes its operator(s) are making indicate they are still deciding what
the future of this botnet holds. ZeroFox will continue to monitor this emerging botnet as it evolves.
MITRE ATT&CK
ID Description
T1027.002 Obfuscated Files or Information: Software Packing
T1033 System Owner/User Discovery
T1047 Windows Management Instrumentation
T1059.001 Command and Scripting Interpreter: PowerShell
T1059.003 Command and Scripting Interpreter: Windows Command Shell
T1082 System Information Discovery
https://www.zerofox.com/blog/quick-update-kraken-completes-its-rebrand-to-anubis/
Page 3 of 4

T1113 Screen Capture
T1132.001 Data Encoding: Standard Encoding
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1571 Non-Standard Port
IOCs
SHA256 Hashes
5d99125b0d97ba0abfcf9916c1a05081c1cc117eb2afaaab39a6f95a60e42ab3
Tags: Threat Intelligence
See ZeroFox in action
Source: https://www.zerofox.com/blog/quick-update-kraken-completes-its-rebrand-to-anubis/
https://www.zerofox.com/blog/quick-update-kraken-completes-its-rebrand-to-anubis/
Page 4 of 4