Gbhackers
Aerospace Phishing Campaign Uses AnyDesk for Remote Access and Data Exfiltration
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
A spear-phishing campaign targets the aerospace sector, impersonating the Russian research institute VNIIR. Attackers use a spoof domain (vniir-avia.space) to deliver a password-protected RAR archive containing a multi-stage dropper. This dropper installs a portable version of AnyDesk configured for silent remote access and exfiltrates sensitive configuration data via the Blat SMTP utility. The phishing emails feature fake invoices to bypass email filters, and the campaign employs living-off-the-land tactics, utilizing legitimate software to evade detection. Persistence is achieved through a scheduled task named 'Auto apdate' that runs at logon. The campaign's sophistication and use of common IT tools make it a significant threat to organizations in the aerospace industry.
Key Points: • Attackers use a spear-phishing campaign targeting the aerospace sector. • The campaign employs AnyDesk for remote access and Blat for data exfiltration. • Persistence is achieved through scheduled tasks and legitimate software to evade detection.