Phishing Campaign Leverages AnyDesk for Stealthy Remote Access in Russian Aerospace Sector
A new phishing campaign targets Russian aerospace and aviation organizations with fake invoices to deploy AnyDesk for unattended remote access, employing scheduled tasks for persistence and artifact deletion to evade detection.

A sophisticated phishing campaign is exploiting trusted remote access software, AnyDesk, to establish long-term, silent control over systems within Russian aerospace and aviation organizations. The attackers employ a multi-stage approach, beginning with a deceptive email containing a password-protected archive masquerading as an invoice. This tactic is designed to bypass email security filters, as the password provided in the email body allows the recipient to open the archive while automated scanners cannot inspect its contents.
Once the archive is opened, it deploys an installer that drops files into a hidden directory and presents a decoy PDF to maintain the illusion of a legitimate invoice. A series of batch files then execute, initiating contact with a remote server to download a second password-protected archive. This secondary archive contains the core payload: a portable version of AnyDesk, a command-line email tool, a compression utility, and a utility named Tray Minimizer, which is used to hide application windows from the user.
The attackers ensure their presence is persistent by configuring AnyDesk for unattended remote access with a preset password, allowing them to connect without user interaction. Crucially, a scheduled task is created, disguised as a routine update process, to ensure the AnyDesk tool automatically restarts every time the victim logs into their system. This establishes a robust persistence mechanism that is difficult to detect.
Following the establishment of persistence, the malicious script meticulously cleans up its tracks. It deletes all command files, logs, archives, executables, and the decoy PDF used during the initial stages of the attack. This thorough cleanup process significantly hinders forensic analysis and makes it challenging for security professionals to reconstruct the intrusion and identify the attack vector.
Researchers from Seqrite, who identified this campaign, note that the tactics employed bear resemblance to the activities of the threat actor known as Rare Werewolf (also referred to as Librarian Ghouls). This actor has a history of targeting industrial, engineering, and aerospace organizations across Russia, Belarus, and Kazakhstan, suggesting a potential link and a focused intelligence-gathering effort.
The campaign's reliance on legitimate, widely-used IT software like AnyDesk, combined with techniques such as scheduled task persistence and artifact deletion, allows it to blend seamlessly into normal network activity. This approach prioritizes stealth and evasion over the deployment of easily detectable custom malware, making signature-based detection less effective.
While the primary objective appears to be espionage through unattended remote access, the possibility of secondary financial gain cannot be ruled out, as similar campaigns by the same actor have deployed cryptocurrency mining tools. Organizations, particularly those in the aerospace and industrial sectors, are advised to exercise extreme caution with unsolicited invoice emails, especially those originating from newly registered domains, and to monitor for unauthorized scheduled tasks and unexpected remote access installations.