The threat is distributed or promoted through targeted spear-phishing campaigns disguised as legitimate business invoices, primarily targeting Russian aerospace and electronics sectors. The phishing email impersonates a Russian research institute associated with aerospace and aviation systems and contains a password-protected attachment that deploys additional payloads on the victim’s system. The malicious campaign aims to establish persistent remote access by silently configuring AnyDesk for unattended access, exfiltrating AnyDesk configuration data to an attacker-controlled email account, and implementing persistence mechanisms to retain long-term control of the compromised host. The threat actor employs living-off-the-land (LotL) techniques by abusing legitimate software to blend into normal system activity.
Initial access is typically achieved through invoice- or document-themed spear-phishing emails containing password-protected archives, which deploy self-extracting installers and command scripts. Subsequent stages leverage trusted utilities such as AnyDesk, Blat, and WinRAR, while additional utilities like Tray Minimizer are used to reduce user visibility. The attack uses an aerospace-themed lure and observed tooling closely aligns with previously documented campaigns attributed to Rare Werewolf (also known as Librarian Ghouls), a threat actor known to target organizations in Russia, Belarus, and Kazakhstan. The campaign is designed to establish and maintain covert remote access to the victim environment, exfiltrate AnyDesk deployment and configuration data, and conceal its presence on the compromised system.[/subscribe_to_unlock_form]
The threat is distributed or promoted through targeted spear-phishing campaigns disguised as legitimate business invoices, primarily targeting Russian aerospace and electronics sectors. The phishing email impersonates a Russian research institute associated with aerospace and aviation systems and contains a password-protected attachment that deploys additional payloads on the victim’s system. The malicious campaign aims to establish persistent remote access by silently configuring AnyDesk for unattended access, exfiltrating AnyDesk configuration data to an attacker-controlled email account, and implementing persistence mechanisms to retain long-term control of the compromised host. The threat actor employs living-off-the-land (LotL) techniques by abusing legitimate software to blend into normal system activity.
Initial access is typically achieved through invoice- or document-themed spear-phishing emails containing password-protected archives, which deploy self-extracting installers and command scripts. Subsequent stages leverage trusted utilities such as AnyDesk, Blat, and WinRAR, while additional utilities like Tray Minimizer are used to reduce user visibility. The attack uses an aerospace-themed lure and observed tooling closely aligns with previously documented campaigns attributed to Rare Werewolf (also known as Librarian Ghouls), a threat actor known to target organizations in Russia, Belarus, and Kazakhstan. The campaign is designed to establish and maintain covert remote access to the victim environment, exfiltrate AnyDesk deployment and configuration data, and conceal its presence on the compromised system.[emaillocker id="1283"]
their analysis demonstrates a multi-stage phishing campaign that abuses legitimate software to establish persistent remote access while minimizing its forensic footprint. Rather than relying on custom malware, the operators leverage trusted utilities including AnyDesk, Blat, and Tray Minimizer to achieve persistence, exfiltrate deployment data, conceal remote access activity, and remove execution artifacts. This living-off-the-land approach enables the campaign to blend into legitimate system activity while reducing the likelihood of detection.
| Tactic | Technique Id | Technique | Sub-technique |
|---|---|---|---|
| Initial access | T1566.001 | Phishing | Spearphishing Attachment |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Execution | T1059.003 | Command and Scripting Interpreter | Windows Command Shell |
| Execution | T1204.002 | User Execution | Malicious File |
| Persistence | T1053.005 | Scheduled Task/Job | Scheduled Task |
| Defence Evasion | T1027 | Obfuscated Files or Information | - |
| Defence Evasion | T1036 | Masquerading | - |
| Defence Evasion | T1564.003 | Hide Artifacts | Hidden Window |
| Collection | T1005 | Data from Local System | - |
| Collection | T1560 | Archive Collected Data | - |
| Command and control | T1071.001 | Application Layer Protocol | Web Protocols |
| Exfiltration | T1020 | Automated Exfiltration | - |
The following reports contain further technical details:
[/emaillocker]