AnyDesk Phishing Attack Uses Scheduled Tasks for Persistence, Evades Detection
Key Takeaways A sophisticated phishing campaign is leveraging legitimate remote access software, AnyDesk, to establish covert, long-term backdoors into target systems. The attacks primarily target...
Key Takeaways
- A sophisticated phishing campaign is leveraging legitimate remote access software, AnyDesk, to establish covert, long-term backdoors into target systems.
- The attacks primarily target Russian aerospace and aviation organizations, using deceptive invoice emails as the initial lure.
- Adversaries employ a multi-stage infection chain, utilizing password-protected archives, legitimate software installers, and scheduled tasks for persistence, while actively deleting forensic artifacts to evade detection.
- The tactics bear a strong resemblance to the known threat actor group, Rare Werewolf (also known as Librarian Ghouls).
- The use of common IT tools makes traditional signature-based detection challenging, emphasizing the need for behavioral monitoring.
A new, highly evasive phishing operation is transforming a commonly used remote access application, AnyDesk, into a persistent espionage tool. This campaign employs a clever blend of social engineering and legitimate software to establish long-term, undetected access to victim networks, primarily targeting entities within the Russian aerospace and aviation sectors.
Table Of Content
Instead of deploying custom, easily identifiable malware, the attackers rely on readily available IT utilities. This approach significantly complicates detection, allowing them to maintain a low profile and achieve their objective of silent, enduring control over compromised systems. Security researchers at Seqrite have meticulously analyzed and documented this campaign, detailing the intricate steps from the initial phishing email to the establishment of a fully functional, covert remote access channel.
The Phishing Lure and Initial Compromise
The attack chain commences with a phishing email designed to mimic an invoice from a genuine Russian federal research institute associated with aerospace work. The attackers registered a new domain, such as vniir-avia[.]space, specifically to impersonate the legitimate organization. These emails are sent to undisclosed recipients, suggesting a broad, untargeted distribution aimed at intelligence gathering rather than specific individuals, as highlighted in a Seqrite report shared with Cyber Security News (CSN).
The initial email contains a password-protected archive, with the password conveniently provided within the email body. This tactic allows the archive to bypass email security scanners that might otherwise flag malicious content. Upon extraction, the archive reveals an installer created using a legitimate software packaging tool. This installer then drops various files into a hidden directory while simultaneously displaying a decoy PDF document, reinforcing the illusion of a legitimate invoice to the unsuspecting user.
Establishing Persistent Access with Legitimate Tools
Following the initial compromise, a sequence of batch scripts is executed. The first script initiates contact with a remote server, specifically 198.54.120[.]13, to download a second password-protected archive. This archive contains the primary payload, which includes a portable version of AnyDesk, a command-line email utility, a compression tool, and a small application named Tray Minimizer. The Tray Minimizer’s function is crucial for evasion, as it hides application windows from the user’s view.
The script then introduces a delay of approximately one minute, a common technique to circumvent automated sandbox analysis that often has a limited execution time. After this pause, AnyDesk is configured with a predetermined password, enabling unattended remote access for the attacker. The application is then silently launched in the background, out of the user’s sight, thanks to Tray Minimizer.
Once AnyDesk is operational, the script collects its configuration files, connection details, and certificates. These artifacts are then compressed into a new password-protected archive and exfiltrated to an attacker-controlled email address via a legitimate SMTP utility. This step provides the attackers with the necessary credentials and information to manage subsequent remote sessions. To ensure ongoing access, a scheduled task, cleverly disguised as a routine system update, is created. This task ensures that the hidden Tray Minimizer, and consequently AnyDesk, automatically restarts each time the compromised user logs in.
Covering Tracks and Staying Hidden
A hallmark of this campaign is its meticulous effort to erase traces of the intrusion. After establishing persistence, the malicious script systematically deletes all command files, temporary text logs, archives, executables, and the decoy PDF used during the setup phase. This comprehensive cleanup significantly hinders forensic investigations, making it exceptionally difficult for security teams to reconstruct the attack timeline or identify the initial entry points.
The combination of using a legitimate remote access tool like AnyDesk (which many security products would not flag as inherently malicious), the Tray Minimizer for stealth, scheduled tasks for persistence, and aggressive artifact deletion creates a highly effective evasion strategy. This approach prioritizes blending in with normal system activity, making it far more challenging to detect than attacks relying on overtly malicious code. While cryptocurrency mining has not been observed in this specific instance, researchers note that related campaigns attributed to the same threat actor have deployed mining tools after gaining persistent access, suggesting potential financial motivations as a secondary objective.
The tactics and targets of this campaign align with those of the threat actor known as Rare Werewolf, also referred to as Librarian Ghouls. This group is known for targeting industrial, engineering, and aerospace organizations across Russia, Belarus, and Kazakhstan.
Indicators of Compromise (IoCs)
| Type | Indicator | Description |
|---|---|---|
| SHA256 Hash | 47854deb456cb08c651b7f9ae2f9d87c72d0719de6af233340632efb3c1980f4 | Malicious executable/dropper component Seqrite Research |
| SHA256 Hash | 12648cd9d425f78db2dbc6e03c14f11e6ac6aadf8b3975c23cce9519e2b58d33 | Related payload file hash Seqrite Research |
| SHA256 Hash | f57e010541fb4ccbf23aefc4a827f753a6ff3f8792d9c04c3eea83f6963c6bae | Related payload file hash <a href="https://ppl-ai-file-upload.s3.amazonaws.com/web/direct-files/attachments/11146061/be150480-7360-4f51-8
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources. |



No Comment! Be the first one.