Threat Advisory

Rare Werewolf Uses Spear Phishing to Deploy AnyDesk for Remote Access

Threat: Phishing Campaign
Threat Actor Name: Ghoul
Threat Actor Type: Financially Motivated
Targeted Region: Russia, Belarus, Kazakhstan, Asia
Alias: Librarian Ghouls
Targeted Sector: Technology & IT
Criticality: High
[subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

The threat is distributed or promoted through targeted spear-phishing campaigns disguised as legitimate business invoices, primarily targeting Russian aerospace and electronics sectors. The phishing email impersonates a Russian research institute associated with aerospace and aviation systems and contains a password-protected attachment that deploys additional payloads on the victim’s system. The malicious campaign aims to establish persistent remote access by silently configuring AnyDesk for unattended access, exfiltrating AnyDesk configuration data to an attacker-controlled email account, and implementing persistence mechanisms to retain long-term control of the compromised host. The threat actor employs living-off-the-land (LotL) techniques by abusing legitimate software to blend into normal system activity.

Initial access is typically achieved through invoice- or document-themed spear-phishing emails containing password-protected archives, which deploy self-extracting installers and command scripts. Subsequent stages leverage trusted utilities such as AnyDesk, Blat, and WinRAR, while additional utilities like Tray Minimizer are used to reduce user visibility. The attack uses an aerospace-themed lure and observed tooling closely aligns with previously documented campaigns attributed to Rare Werewolf (also known as Librarian Ghouls), a threat actor known to target organizations in Russia, Belarus, and Kazakhstan. The campaign is designed to establish and maintain covert remote access to the victim environment, exfiltrate AnyDesk deployment and configuration data, and conceal its presence on the compromised system.[/subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

The threat is distributed or promoted through targeted spear-phishing campaigns disguised as legitimate business invoices, primarily targeting Russian aerospace and electronics sectors. The phishing email impersonates a Russian research institute associated with aerospace and aviation systems and contains a password-protected attachment that deploys additional payloads on the victim’s system. The malicious campaign aims to establish persistent remote access by silently configuring AnyDesk for unattended access, exfiltrating AnyDesk configuration data to an attacker-controlled email account, and implementing persistence mechanisms to retain long-term control of the compromised host. The threat actor employs living-off-the-land (LotL) techniques by abusing legitimate software to blend into normal system activity.

Initial access is typically achieved through invoice- or document-themed spear-phishing emails containing password-protected archives, which deploy self-extracting installers and command scripts. Subsequent stages leverage trusted utilities such as AnyDesk, Blat, and WinRAR, while additional utilities like Tray Minimizer are used to reduce user visibility. The attack uses an aerospace-themed lure and observed tooling closely aligns with previously documented campaigns attributed to Rare Werewolf (also known as Librarian Ghouls), a threat actor known to target organizations in Russia, Belarus, and Kazakhstan. The campaign is designed to establish and maintain covert remote access to the victim environment, exfiltrate AnyDesk deployment and configuration data, and conceal its presence on the compromised system.[emaillocker id="1283"]

their analysis demonstrates a multi-stage phishing campaign that abuses legitimate software to establish persistent remote access while minimizing its forensic footprint. Rather than relying on custom malware, the operators leverage trusted utilities including AnyDesk, Blat, and Tray Minimizer to achieve persistence, exfiltrate deployment data, conceal remote access activity, and remove execution artifacts. This living-off-the-land approach enables the campaign to blend into legitimate system activity while reducing the likelihood of detection.

THREAT PROFILE:

Tactic Technique Id Technique Sub-technique
Initial access T1566.001 Phishing Spearphishing Attachment
Execution T1059.001 Command and Scripting Interpreter PowerShell
Execution T1059.003 Command and Scripting Interpreter Windows Command Shell
Execution T1204.002 User Execution Malicious File
Persistence T1053.005 Scheduled Task/Job Scheduled Task
Defence Evasion T1027 Obfuscated Files or Information -
Defence Evasion T1036 Masquerading -
Defence Evasion T1564.003 Hide Artifacts Hidden Window
Collection T1005 Data from Local System -
Collection T1560 Archive Collected Data -
Command and control T1071.001 Application Layer Protocol Web Protocols
Exfiltration T1020 Automated Exfiltration -

REFERENCES:

The following reports contain further technical details:

[/emaillocker]
crossmenu