Gbhackers
Aerospace Phishing Campaign Exploits AnyDesk for Covert Remote Access
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
A spear-phishing campaign targets the aerospace sector, using fake invoices to deliver a password-protected RAR archive containing AnyDesk and Blat utilities. The attackers impersonate the Russian research institute VNIIR, sending emails from a spoofed domain. Once the archive is opened, a multi-stage dropper installs AnyDesk for persistent remote access and exfiltrates configuration data via SMTP. The campaign employs living-off-the-land techniques, utilizing legitimate software to evade detection. A scheduled task is created for persistence, while temporary artifacts are deleted to hinder forensic analysis. This method allows attackers to maintain covert access for espionage purposes. The Seqrite Threat Research Team has confirmed the ongoing nature of this campaign.
Key Points: • Attackers use spear-phishing with fake invoices to deliver malware. • The campaign targets the aerospace sector, specifically impersonating a Russian institute. • Legitimate tools like AnyDesk and Blat are exploited for covert remote access.