Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Critical CVE-2024-XXXXX in GCP Dialogflow Lets Attackers Inject Malicious Code
July 7, 2026
Gentlemen Ransomware Uses Custom EDR/AV Killers to Target Global Industries
July 7, 2026
VECTRA and TeamPCP reverse ransomware kill chain with supply chain credential theft
July 7, 2026
Home/Threats/AnyDesk Phishing Attack Uses Scheduled Tasks for Persistence, Evades Detection
Threats

AnyDesk Phishing Attack Uses Scheduled Tasks for Persistence, Evades Detection

Key Takeaways A sophisticated phishing campaign is leveraging legitimate remote access software, AnyDesk, to establish covert, long-term backdoors into target systems. The attacks primarily target...

Sarah simpson
Sarah simpson
July 7, 2026 4 Min Read
3 0

Key Takeaways

  • A sophisticated phishing campaign is leveraging legitimate remote access software, AnyDesk, to establish covert, long-term backdoors into target systems.
  • The attacks primarily target Russian aerospace and aviation organizations, using deceptive invoice emails as the initial lure.
  • Adversaries employ a multi-stage infection chain, utilizing password-protected archives, legitimate software installers, and scheduled tasks for persistence, while actively deleting forensic artifacts to evade detection.
  • The tactics bear a strong resemblance to the known threat actor group, Rare Werewolf (also known as Librarian Ghouls).
  • The use of common IT tools makes traditional signature-based detection challenging, emphasizing the need for behavioral monitoring.

A new, highly evasive phishing operation is transforming a commonly used remote access application, AnyDesk, into a persistent espionage tool. This campaign employs a clever blend of social engineering and legitimate software to establish long-term, undetected access to victim networks, primarily targeting entities within the Russian aerospace and aviation sectors.

Table Of Content

  • Key Takeaways
  • The Phishing Lure and Initial Compromise
  • Establishing Persistent Access with Legitimate Tools
  • Covering Tracks and Staying Hidden
  • Indicators of Compromise (IoCs)

Instead of deploying custom, easily identifiable malware, the attackers rely on readily available IT utilities. This approach significantly complicates detection, allowing them to maintain a low profile and achieve their objective of silent, enduring control over compromised systems. Security researchers at Seqrite have meticulously analyzed and documented this campaign, detailing the intricate steps from the initial phishing email to the establishment of a fully functional, covert remote access channel.

The Phishing Lure and Initial Compromise

The attack chain commences with a phishing email designed to mimic an invoice from a genuine Russian federal research institute associated with aerospace work. The attackers registered a new domain, such as vniir-avia[.]space, specifically to impersonate the legitimate organization. These emails are sent to undisclosed recipients, suggesting a broad, untargeted distribution aimed at intelligence gathering rather than specific individuals, as highlighted in a Seqrite report shared with Cyber Security News (CSN).

The initial email contains a password-protected archive, with the password conveniently provided within the email body. This tactic allows the archive to bypass email security scanners that might otherwise flag malicious content. Upon extraction, the archive reveals an installer created using a legitimate software packaging tool. This installer then drops various files into a hidden directory while simultaneously displaying a decoy PDF document, reinforcing the illusion of a legitimate invoice to the unsuspecting user.

Establishing Persistent Access with Legitimate Tools

Following the initial compromise, a sequence of batch scripts is executed. The first script initiates contact with a remote server, specifically 198.54.120[.]13, to download a second password-protected archive. This archive contains the primary payload, which includes a portable version of AnyDesk, a command-line email utility, a compression tool, and a small application named Tray Minimizer. The Tray Minimizer’s function is crucial for evasion, as it hides application windows from the user’s view.

The script then introduces a delay of approximately one minute, a common technique to circumvent automated sandbox analysis that often has a limited execution time. After this pause, AnyDesk is configured with a predetermined password, enabling unattended remote access for the attacker. The application is then silently launched in the background, out of the user’s sight, thanks to Tray Minimizer.

Once AnyDesk is operational, the script collects its configuration files, connection details, and certificates. These artifacts are then compressed into a new password-protected archive and exfiltrated to an attacker-controlled email address via a legitimate SMTP utility. This step provides the attackers with the necessary credentials and information to manage subsequent remote sessions. To ensure ongoing access, a scheduled task, cleverly disguised as a routine system update, is created. This task ensures that the hidden Tray Minimizer, and consequently AnyDesk, automatically restarts each time the compromised user logs in.

Covering Tracks and Staying Hidden

A hallmark of this campaign is its meticulous effort to erase traces of the intrusion. After establishing persistence, the malicious script systematically deletes all command files, temporary text logs, archives, executables, and the decoy PDF used during the setup phase. This comprehensive cleanup significantly hinders forensic investigations, making it exceptionally difficult for security teams to reconstruct the attack timeline or identify the initial entry points.

The combination of using a legitimate remote access tool like AnyDesk (which many security products would not flag as inherently malicious), the Tray Minimizer for stealth, scheduled tasks for persistence, and aggressive artifact deletion creates a highly effective evasion strategy. This approach prioritizes blending in with normal system activity, making it far more challenging to detect than attacks relying on overtly malicious code. While cryptocurrency mining has not been observed in this specific instance, researchers note that related campaigns attributed to the same threat actor have deployed mining tools after gaining persistent access, suggesting potential financial motivations as a secondary objective.

The tactics and targets of this campaign align with those of the threat actor known as Rare Werewolf, also referred to as Librarian Ghouls. This group is known for targeting industrial, engineering, and aerospace organizations across Russia, Belarus, and Kazakhstan.

Indicators of Compromise (IoCs)

Type Indicator Description
SHA256 Hash 47854deb456cb08c651b7f9ae2f9d87c72d0719de6af233340632efb3c1980f4 Malicious executable/dropper component Seqrite Research
SHA256 Hash 12648cd9d425f78db2dbc6e03c14f11e6ac6aadf8b3975c23cce9519e2b58d33 Related payload file hash Seqrite Research
SHA256 Hash f57e010541fb4ccbf23aefc4a827f753a6ff3f8792d9c04c3eea83f6963c6bae Related payload file hash <a href="https://ppl-ai-file-upload.s3.amazonaws.com/web/direct-files/attachments/11146061/be150480-7360-4f51-8

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackMalwarephishingSecurityThreat

Share Article

Sarah simpson

Sarah simpson

Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.

Previous Post

Ubiquiti Discloses 25 UniFi Vulnerabilities, 2 Critical

Next Post

GitHub Copilot Chat Critical Vulnerability Exposes Private Repository Data

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
AnyDesk Phishing Attack Uses Scheduled Tasks for Persistence, Evades Detection
July 7, 2026
Ubiquiti Discloses 25 UniFi Vulnerabilities, 2 Critical
July 7, 2026
STOCKSTAY Backdoor Targets Ukraine with Malicious RDP Files and WinRAR Exploit
July 7, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
David kimber
David kimber
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us