Aerospace Phishing Campaign Uses AnyDesk for Remote Access and Data Exfiltration

Aerospace Phishing Campaign Uses AnyDesk for Remote Access and Data Exfiltration

First seen 7 Jul 2026, 18:24 UTC GbhackersCybersecuritynewswww.seqrite.com 82% similarity 70.5

Article Content

Browse articles
ThreatCluster

A spear-phishing campaign targets the aerospace sector, impersonating the Russian research institute VNIIR. Attackers use a spoof domain (vniir-avia.space) to deliver a password-protected RAR archive containing a multi-stage dropper. This dropper installs a portable version of AnyDesk configured for silent remote access and exfiltrates sensitive configuration data via the Blat SMTP utility. The phishing emails feature fake invoices to bypass email filters, and the campaign employs living-off-the-land tactics, utilizing legitimate software to evade detection. Persistence is achieved through a scheduled task named 'Auto apdate' that runs at logon. The campaign's sophistication and use of common IT tools make it a significant threat to organizations in the aerospace industry.

Key Points: • Attackers use a spear-phishing campaign targeting the aerospace sector. • The campaign employs AnyDesk for remote access and Blat for data exfiltration. • Persistence is achieved through scheduled tasks and legitimate software to evade detection.

ThreatCluster AI

Timeline

2026-07-07
Phishing campaign identified
A targeted spear-phishing campaign impersonating VNIIR was reported, utilizing a spoof domain to deliver malicious payloads.
Gbhackers
2026-07-07
AnyDesk configuration exfiltration method revealed
The campaign exfiltrates AnyDesk configuration data using Blat SMTP, highlighting its sophisticated approach to remote access.
Gbhackers
2026-07-07
Living-off-the-land tactics confirmed
The attackers utilize legitimate software like AnyDesk and Blat to maintain stealth and evade detection.
Cybersecuritynews

Community

Browse all →