Aerospace Phishing Campaign Exploits AnyDesk for Covert Remote Access

Aerospace Phishing Campaign Exploits AnyDesk for Covert Remote Access

First seen 7 Jul 2026, 18:24 UTC GbhackersCybersecuritynewswww.seqrite.com 80% similarity 71.5

Article Content

Browse articles
ThreatCluster

A spear-phishing campaign targets the aerospace sector, using fake invoices to deliver a password-protected RAR archive containing AnyDesk and Blat utilities. The attackers impersonate the Russian research institute VNIIR, sending emails from a spoofed domain. Once the archive is opened, a multi-stage dropper installs AnyDesk for persistent remote access and exfiltrates configuration data via SMTP. The campaign employs living-off-the-land techniques, utilizing legitimate software to evade detection. A scheduled task is created for persistence, while temporary artifacts are deleted to hinder forensic analysis. This method allows attackers to maintain covert access for espionage purposes. The Seqrite Threat Research Team has confirmed the ongoing nature of this campaign.

Key Points: • Attackers use spear-phishing with fake invoices to deliver malware. • The campaign targets the aerospace sector, specifically impersonating a Russian institute. • Legitimate tools like AnyDesk and Blat are exploited for covert remote access.

ThreatCluster AI

Timeline

2026-07-07
Phishing campaign identified
A targeted spear-phishing campaign was confirmed, using aerospace-themed invoices to deliver malware.
Gbhackers
2026-07-07
Attack method detailed
The campaign uses a multi-stage dropper to install AnyDesk and exfiltrate configuration data via Blat SMTP.
Cybersecuritynews

Community

Browse all →