AnyDesk Phishing Attack Uses Scheduled Task Persistence and Artifact Deletion to Evade Detection

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Spread the love

A new phishing campaign is turning a trusted remote access tool into a long term backdoor for espionage.

Attackers hide behind fake invoices to slip past email filters, and once inside a network they rely on everyday IT software rather than custom malware, making the intrusion harder to spot.

The campaign targets Russian aerospace and aviation organizations using an invoice themed lure.

Rather than deploying an obvious virus, the operators quietly configure AnyDesk for unattended remote access, then erase their tracks. The goal appears to be long term, silent control of infected machines.

Analysts from Seqrite identified and documented this activity, tracing how a single email attachment leads to a fully configured remote access tool and a cleaned up system.

Their research shows a chain that starts with a password protected archive and ends with scheduled task persistence and deletion of leftover files.

Seqrite said in a report shared with Cyber Security News (CSN) that the email impersonates a real Russian federal research institute tied to aerospace work, sent from a domain registered only recently to mimic the genuine organization.

Infection Chain (Source – Seqrite)

It is addressed to undisclosed recipients rather than a named contact, suggesting it went to many targets at once, a pattern that points to a broader intelligence gathering effort.

Researchers note the tactics resemble a threat actor known as Rare Werewolf, also called Librarian Ghouls, which targets industrial, engineering, and aerospace organizations across Russia, Belarus, and Kazakhstan.

AnyDesk Phishing Attack Uses Scheduled Task Persistence and Artifact Deletion

The attack begins with an email carrying a password protected archive labeled as an invoice, with the password placed in the message body so victims can open it while scanners cannot inspect the contents.

Phishing email with password-protected archive (Source – Seqrite)

Inside is an installer built with a legitimate packaging tool, which drops files into a hidden folder while showing a decoy PDF to maintain the illusion of a genuine invoice.

A series of batch files run one after another, first reaching out to a remote server to download a second password protected archive containing the real payload.

That archive unpacks a portable copy of AnyDesk, a command line email tool, a compression utility, and a small program called Tray Minimizer that hides application windows from the user.

The script pauses for about a minute, likely to outlast automated sandbox checks. It then configures AnyDesk with a preset password so the attacker can connect without prompts appearing on screen, and quietly launches the tool in the background.

Once AnyDesk is running, the script packages its configuration files, connection settings, and certificates into a new password protected archive.

That archive is emailed out through a legitimate SMTP mailing utility to an attacker controlled address, giving the operators what they need to manage the session later.

A scheduled task disguised as a routine update process ensures the hidden tray tool, and by extension AnyDesk, restarts every time the victim logs in.

After persistence is established, the malicious script deletes the command files, text logs, archives, executables, and decoy PDF used during setup.

This cleanup removes most of the forensic evidence an investigator would rely on, making the intrusion harder to reconstruct afterward.

Using Tray Minimizer to keep AnyDesk out of sight is an effective evasion trick, since the remote access tool itself is legitimate software many security products will not flag.

Extracted rar file Data (Source – Seqrite)

Combined with scheduled task persistence and file deletion, the approach favors blending into normal activity over deploying obviously malicious code.

Researchers have not observed cryptocurrency mining in this specific sample, though related campaigns from the same actor have deployed mining tools after establishing persistent access. Financial gain may still be a secondary objective once remote control is secured.

Organizations in aerospace and related industrial sectors should treat unexpected invoice emails with caution, especially those from newly registered domains.

Watching for unauthorized scheduled tasks and unexpected remote access installations can help catch this activity early. Restricting outbound mail traffic to approved servers may also limit stolen data exfiltration.

Because the tooling here consists entirely of legitimate, widely used utilities, signature based detection may struggle to flag the intrusion.

The behavioral monitoring focused on scheduled task creation and archive exfiltration offers a more reliable path to catching this activity.

Indicators of Compromise (IoCs):-

Type Indicator Description
SHA256 Hash 47854deb456cb08c651b7f9ae2f9d87c72d0719de6af233340632efb3c1980f4 Malicious executable/dropper component 
SHA256 Hash 12648cd9d425f78db2dbc6e03c14f11e6ac6aadf8b3975c23cce9519e2b58d33 Related payload file hash 
SHA256 Hash f57e010541fb4ccbf23aefc4a827f753a6ff3f8792d9c04c3eea83f6963c6bae Related payload file hash 
SHA256 Hash 0dc0fa727f900ed5033f46f8ba6cf2d97d20ab95fd334cabc0f216da6e0622b0 Related payload file hash 
IP Address 198.54.120[.]13 Attacker infrastructure 
IP Address 194.87.57[.]81 Attacker infrastructure 
IP Address 2.23.88[.]201 Attacker infrastructure 
IP Address 109.106.178.14 Attacker infrastructure 
Domain aviatronika[.]online Spoofed lookalike domain 
Domain vniir-avia[.]space Spoofed domain impersonating VNIIR institute, used to send phishing email 
Domain fgub-vniir[.]space Spoofed lookalike domain 
Domain vniir-info[.]space Spoofed lookalike domain 
Domain nova-stream[.]site Spoofed lookalike domain 

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Prevent critical incidents and financial loss with stronger proactive defense. Integrate a live threat feed from 15K SOC Teams.