• Products & Services
        • Cloud

          • Endpoint Protection
          • Endpoint Detection and Response
          • Mobile Device Management
          • BYOD
          • Extended Detection and Response
          • Zero Trust Network Access
          • Data Privacy
        • On Prem

          • Endpoint Protection
          • Endpoint Detection and Response
          • Data Privacy
        • Platform

          • Malware Analysis Platform
        • Small Business

          • SOHO Total Edition
        • Services

          • Threat Intel
          • Digital Risk Protection Services (DRPS)
          • Ransomware Recovery as a Services (RRaaS)
          • DPDP Compliance
          • Managed Detection and Response
  • Solutions
    • BFSI
    • Education
    • Government
    • Healthcare
    • ITeS
    • Manufacturing
  • Company
    • About Seqrite
    • Leadership
    • Awards & Certifications
    • Newsroom
  • Partners
    • Partner Program
    • Locate Partner
    • Become A Partner
  • Support
  • Resources
    • Blogs
    • Whitepapers
    • Datasheets
    • Case Studies
    • Threat Reports
    • Manuals
    • PoV
    • Understanding Data Privacy
    • DPDP Dialogues
    • Privacy Hour
Seqrite Labs Blog
Contact Sales
  • Products & Services
        • Cloud

          • Endpoint Protection
          • Endpoint Detection and Response
          • Mobile Device Management
          • BYOD
          • Extended Detection and Response
          • Zero Trust Network Access
          • Data Privacy
        • On Prem

          • Endpoint Protection
          • Endpoint Detection and Response
          • Data Privacy
        • Platform

          • Malware Analysis Platform
        • Small Business

          • SOHO Total Edition
        • Services

          • Threat Intel
          • Digital Risk Protection Services (DRPS)
          • Ransomware Recovery as a Services (RRaaS)
          • DPDP Compliance
          • Managed Detection and Response
  • Solutions
    • BFSI
    • Education
    • Government
    • Healthcare
    • ITeS
    • Manufacturing
  • Company
    • About Seqrite
    • Leadership
    • Awards & Certifications
    • Newsroom
  • Partners
    • Partner Program
    • Locate Partner
    • Become A Partner
  • Support
  • Resources
    • Blogs
    • Whitepapers
    • Datasheets
    • Case Studies
    • Threat Reports
    • Manuals
    • PoV
    • Understanding Data Privacy
    • DPDP Dialogues
    • Privacy Hour
Home  /  Technical  /  From Invoice to AnyDesk: Uncovering a Phishing Campaign Targeting  Russian Aerospace Organizations  
07 July 2026

From Invoice to AnyDesk: Uncovering a Phishing Campaign Targeting  Russian Aerospace Organizations  

Written by Seqrite
Seqrite
Technical

Table of Contents 

  • Introduction 
  • Infection Chain 
  • Technical Analysis 
  • Conclusion 
  • Seqrite Coverage 
  • Indicators of Compromise (IOCs) 
  • MITRE ATT&CK Mapping 

 Introduction 

The Seqrite Threat Research Team identified a targeted spear-phishing campaign disguised as a legitimate business invoice. The phishing email impersonates a legitimate Russian research institute associated with aerospace and aviation systems and is delivered using a spoofed domain designed to mimic the organization. The malicious email contains a password-protected attachment that ultimately deploys additional payloads on the victim’s system. Analysis indicates that the threat actor’s primary objective is to establish persistent remote access by silently configuring AnyDesk for unattended access, exfiltrating AnyDesk configuration data to an attacker-controlled email account and implementing persistence mechanisms to retain long-term control of the compromised host.  

The use of an aerospace-themed lure, combined with the observed tooling and operational tradecraft, closely aligns with previously documented campaigns attributed to Rare Werewolf (also known as Librarian Ghouls), a threat actor known to target organizations in Russia, Belarus, and Kazakhstan, particularly those operating in the industrial enterprises, manufacturing companies, engineering institutions, aerospace and aviation organizations, rocket and space research entities, petrochemical facilities, and other strategically important sectors. Based on the available evidence, we suspect this activity to be linked with Rare Werewolf campaign. 

 Rare Werewolf group predominantly employs living-off-the-land (LotL) techniques by abusing legitimate software to blend into normal system activity. Initial access is typically achieved through invoice- or document-themed spear-phishing emails containing password-protected archives, which deploy self-extracting installers and command scripts. Subsequent stages leverage trusted utilities such as AnyDesk, Blat and WinRAR, while additional utilities such as Tray Minimizer are used to reduce user visibility. Public reporting has also documented the deployment of the XMRig cryptocurrency miner during post-compromise activity. However, our analysis did not observe any cryptojacking activity in this sample. We assess that cryptocurrency mining, if employed, is likely a post-compromise objective that the operators may deploy after establishing persistent remote access to the victim’s environment. 

Infection Chain 

Fig1:  Infection Chain

The above figure illustrates the overall infection chain observed during our analysis, beginning with a phishing email and culminating in the deployment of AnyDesk for persistent remote access. The attack leverages multiple legitimate utilities to establish persistence, exfiltrate data, and conceal its presence on the compromised system. 

 Technical Analysis 

During analysis, we observed that the initial access starts with a spear-phishing email targeting Russian aerospace and electronics sectors. The email impersonates ФБУ “ВНИИР” (Federal Budgetary Institution “VNIIR”) and is sent from sales@vniir-avia.space with the subject “счет на оплату (или договор поставки, если требуется).” (“Invoice for payment (or supply contract, if required)”). vniir-avia.space domain was freshly registered. Threat actors register disposable lookalike domains for campaigns. The real VNIIR institute would use a long-established government domain (.ru /.gov.ru), not a brand-new “.space” domain. Email is sent to “undisclosed-recipients”, The “To” field is hidden, indicating a mass mailing campaign. Legitimate B2B invoices are addressed to a specific person. This email was bulk distributed to many recipients simultaneously. 

To lure recipients into opening the attachment, the email contains a password-protected archive named счет на оплату.rar. The password (dsa9568-4444) was placed in the email body so the victim can open it and so scanners cannot inspect content. It is a common technique used to bypass email security controls and increase the likelihood of user execution. The message also displays the logo of the Russian Ministry of Industry and Trade to enhance legitimacy. 

Fig 2: Phishing email with password-protected archive

 

Fig 3: Password of the attachment in the mail

The extracted executable was compiled using Delphi and programming language used is Pascal. One of the most interesting findings is Installer: Smart Install Maker (5.04), this tells us the executable is not just an application; it is an installer package built with Smart Install Maker meaning during execution it may drop multiple files, create folders, execute embedded executables, write registry keys, create services, run commands.  

 

Fig 4: DiE snap details

Upon execution, the dropper opens a decoy pdf and writes multiple files under C:\temp\ChromioumTemp* folder. 

Fig 5: Decoy pdf file

 

It executes a set of commands as shown below: 

Fig 6: Dropper activities

One interesting finding is the way it writes files on the system. Attackers make use of “echo>>” to create new temporary file named “mat-debug-*.txt”. Then it adds commands to it and finally rename it with the “.cmd” file as shown in the image below.

Fig 7: Temporary txt file creation

 

Fig 8: Dropped files

 

We see a few files with extensions cmd – which are nothing but batch commands that are supposed to get executed one by one. 

Fig 9: Connecting to C2 to download the malicious rar file

 “xml_file.cmd” is trying to connect to the the C2 to download the malicious rar file. After that, rar file is extracted with the password mentioned in “xml_file1.cmd” – shown below (using driver.exe- which is a command-line archiver).  

Fig 10: Cmd file extracting the malicious rar file in the next step

 Rar file then extracts multiple components, including a portable AnyDesk instance, the Blat SMTP utility (blat.exe), Tray Minimizer, and a batch script (wctF522.bat).  

Fig 11: Contents of the malicious rar file

 

Fig 12: Contents of the tray folder

 The tray utility is also run along with the other executions 

Fig 13: Cmd command executing the tray utility

 

 

While exploring the Trays folder, we observe it contains multiple executables, DLLs, documentation, and supporting files associated with the legitimate 4t Tray Minimizer application. The directory includes the primary executable (Trays.exe), supporting libraries (Tray.dll, ShellEh6055.dll, ShellEh6055x64.dll), installer/uninstaller components, and various application resources, indicating that the complete application was bundled within the archive rather than a standalone executable. 

The cmd file also runs the batch file as shown below

Fig 14

The execution of the batch script (wctF522.bat) revealed that it: 

  1. First introduces an execution delay of approximately one minute using ping -n 60 127.0.0.1, likely to ensure that extraction completes and potentially evade automated sandbox environments. 
  1. Configures unattended AnyDesk access by supplying a predefined password QWERTY1234566 to the AnyDesk command-line interface using the –set-password option. It extracts and deploys the portable AnyDesk package under %ProgramData%\AnyDesk, allowing remote connections without requiring user interaction. And it also launches the deployed AnyDesk executable after extraction. 
  1. Creates archive AnyDesk.rar with password limpid2903392 containing configuration files, client identifiers, connection settings, logs, and certificates. 
  1. The archive is subsequently exfiltrated via SMTP using Blat. 
  1. Creates a scheduled task named “Auto apdate” that executes Trays.exe -tray at user logon with the Highest run level, establishing persistence. 
  1. Deletes temporary command (.cmd), text (.txt), archive (.rar), executable (.exe), and PDF (*.pdf) files from the temporary working directory to remove artifacts and hinder forensic analysis. 
Fig 15: The malicious batch file

 Blat.exe is a legitimate command-line SMTP client commonly abused by threat actors for data exfiltration. While Blat supports sending emails, SMTP authentication, file attachments, and command-line automation, our analysis indicates that it is used exclusively to exfiltrate the archived AnyDesk data to attacker-controlled infrastructure. 

Fig16: Blat.exe file

 

Wireshark network capture image shows that the archive (AnyDesk.rar) is subsequently exfiltrated via SMTP using Blat, leveraging the server mail.versio.nl to send from out@okbm-bus.nl to in@okbm-bus.nl, with the email subject formatted as AnyDesk %COMPUTERNAME%/%USERNAME% to uniquely identify the compromised host. 

 

Fig 17: Exfiltrating archived anydesk data

  

Fig 18: Extracted rar file Data

 These are the contents of AnyDesk’s service.conf and system.conf files, which store AnyDesk’s local configuration on an infected host. The observed activities indicate that the campaign is designed to establish and maintain covert remote access to the victim environment. The exfiltration of the password-protected AnyDesk.rar archive, containing AnyDesk deployment and configuration data, likely provides the operators with the information required to manage the deployed remote access instance. Together with unattended access configuration, scheduled task persistence, and the concealment of the AnyDesk interface, these actions enable the attacker to retain long-term access to compromised systems and reconnect as operational objectives require. 

Finally, the script deletes temporary archives, executables, and PDF files from the staging directory, reducing forensic artifacts and hindering post-compromise investigation. 

 Conclusion 

Our analysis demonstrates a multi-stage phishing campaign that abuses legitimate software to establish persistent remote access while minimizing its forensic footprint. Rather than relying on sophisticated custom malware, the operators leverage trusted utilities including AnyDesk, Blat, a modified WinRAR executable (driver.exe), and Tray Minimizer to achieve persistence, exfiltrate deployment data, conceal remote access activity, and remove execution artifacts. This living-off-the-land approach enables the campaign to blend into legitimate system activity while reducing the likelihood of detection. 

Although definitive attribution cannot be made based solely on the available artifacts, the observed tradecraft closely aligns with publicly documented Rare Werewolf (Librarian Ghouls) campaigns. The infection chain, tooling, targeting, and operational methodology exhibit significant overlap with previously reported activity, including campaigns documented during 2025. 

In addition to the analyzed sample, we observed multiple related samples exhibiting the same operational workflow over the past several months. While the phishing lures, filenames, and payload hashes varied, the consistent use of the same utilities and execution methodology suggests an ongoing campaign in which the threat actor refreshes individual artifacts while retaining its underlying tradecraft. This consistency reinforces our assessment that the activity is likely part of a broader and continuing operation rather than an isolated incident. 

 Seqrite Coverage: 

  • Trojan.Anydesk.S39566972 
  • Script.Trojan.Dropper.50878.GC 
  • Script.Trojan.Dropper.50879 

 Seqrite XDR Protection: 

  • Multi-Stage Payload Download and Execution via Curl and Command Shell 
  • Remote Access Tool Staging and SMTP Data Exfiltration 

 

Indicators of Compromise (IOCs) 

  • 47854deb456cb08c651b7f9ae2f9d87c72d0719de6af233340632efb3c1980f4 
  • 12648cd9d425f78db2dbc6e03c14f11e6ac6aadf8b3975c23cce9519e2b58d33 
  • F57e010541fb4ccbf23aefc4a827f753a6ff3f8792d9c04c3eea83f6963c6bae 
  • 0dc0fa727f900ed5033f46f8ba6cf2d97d20ab95fd334cabc0f216da6e0622b0 
  • 198.54.120[.]13  
  • 194.87.57[.]81  
  • 2.23.88[.]201 
  • 109.106.178.14 
  • aviatronika[.]online 
  • vniir-avia[.]space 
  • fgub-vniir[.]space 
  • vniir-info[.]space 
  • nova-stream[.]site 

 

 

 

 

MITRE ATT&CK Mapping 

 

Tactic  Technique Name  Technique ID 
Initial Access  Phishing: Spearphishing Attachment  T1566.001 
Execution  User Execution: Malicious File  T1204.002 
Execution  Command and Scripting Interpreter: Windows Command Shell  T1059.003 
Execution  Command and Scripting Interpreter: PowerShell  T1059.001 
Persistence  Scheduled Task/Job: Scheduled Task  T1053.005 
Persistence  Boot or Logon Autostart Execution (via scheduled task on logon)  T1547  
Defense Evasion  Masquerading  T1036 
Defense Evasion  Obfuscated Files or Information (Password-protected archives)  T1027 
Defense Evasion  Hide Artifacts: Hidden Window (Tray Minimizer concealing AnyDesk)  T1564.003 
Defense Evasion  Indicator Removal on Host: File Deletion  T1070.004 
Command and Control  Application Layer Protocol: Web Protocols (curl download from C2)  T1071.001 
Command and Control  Remote Access Software  T1219 
Collection  Archive Collected Data  T1560 
Collection  Data from Local System (AnyDesk configuration files collected)  T1005 
Exfiltration  Exfiltration Over Alternative Protocol: Exfiltration Over Email  T1020 

Authors:

Anjali Raut

Shrutirupa Banerjiee 

 Previous PostOperation DragonReturn: China-Nexus Cyber Espionage Campaign Targ...
Seqrite

About Seqrite

Seqrite is a leading enterprise cybersecurity solutions provider. With a focus on simplifying cybersecurity, Seqrite delivers comprehensive solutions and services...

Articles by Seqrite »

Related Posts

  • Operation DragonReturn: China-Nexus Cyber Espionage Campaign Targeting Govt. of India/MoF Tax Infrastructure via Multi-Stage DcRAT Deployment

    June 26, 2026
  • Threat Actors Weaponizing RAR Archives to Target Thailand’s Healthcare Sector

    June 19, 2026
  • Operation Dragon Weave : Uncovering a China-Linked Campaign Targeting Czech Republic and Taiwan Using Azure Cloud C2

    May 29, 2026
Featured Authors
  • Seqrite
    Seqrite

    Seqrite is a leading enterprise cybersecurity solutions provider. With a focus...

    Read more articles by Seqrite
  • Jyoti Karlekar
    Jyoti Karlekar

    I'm an avid writer who enjoys crafting content about emerging technologies and...

    Read more articles by Jyoti Karlekar
  • Bineesh P
    Bineesh P

    I am a passionate cybersecurity enthusiast and a dedicated writer. With a knack...

    Read more articles by Bineesh P
  • Sanjay Katkar
    Sanjay Katkar

    Sanjay Katkar is the Joint Managing Director of Quick Heal Technologies...

    Read more articles by Sanjay Katkar
Topics
apt (25) Cyber-attack (36) cyber-attacks (58) cyberattack (16) cyberattacks (15) Cybersecurity (340) cyber security (34) Cyber threat (33) cyber threats (51) data breach (56) data breaches (29) data loss (28) data loss prevention (34) data privacy (16) data protection (34) data security (19) DLP (50) DPDP (14) DPDPA (17) Encryption (16) endpoint security (112) Enterprise security (19) Exploit (13) GDPR (14) malware (76) malware analysis (14) malware attack (23) MDM (27) Microsoft (15) MITRE ATT&CK (13) Network security (26) phishing (30) Ransomware (69) ransomware attack (31) ransomware attacks (31) ransomware protection (16) Seqrite (41) Seqrite Encryption (27) Seqrite EPS (33) Seqrite Services (16) threat detection (13) Threat Intelligence (19) UTM (34) Vulnerability (16) zero trust (13)
Seqrite Labs

Leading enterprise IT security solutions provider simplifying endpoint, data, and network security with best-in-class threat prevention, detection, and response solutions worldwide.

Read More About Seqrite

Follow us:

Subscribe To Our Newsletter

Stay informed about the latest cybersecurity trends and insights.

Loading
Products & Services
  • Cloud
  • Endpoint Protection
  • Endpoint Detection and Response
  • Mobile Device Management
  • BYOD
  • Extended Detection and Response
  • Zero Trust Network Access
  • Data Privacy
  • On Prem
  • Endpoint Protection
  • Endpoint Detection and Response
  • Data Privacy
  • Platform
  • Malware Analysis Platform
  • Micro Business
  • SOHO Total Edition
  • Services
  • Threat Intel
  • Digital Risk Protection Services (DRPS)
  • Ransomware Recovery as a Services (RRaaS)
  • DPDP Compliance
  • Managed Detection and Response
Resources
  • Blogs
  • Whitepapers
  • Datasheets
  • Threat Reports
  • Manuals
  • PoV
  • Understanding Data Privacy
  • DPDP Dialogues
  • Policy & Compliance
  • EULA
  • GoDeep.AI
  • SIA
Contact Us
  • Registered Offices
  • Nearest Offices
  • Let’s Talk Cybersecurity
Support
  • Technical Support
  • Download Software
  • Offline Updater
  • Firmware Upgrades
  • Upgrades
  • Product Documentation
About Us
  • About Seqrite
  • Leadership
  • Awards & Recognition
  • Newsroom
Partner
  • Partner Program
  • Locate Partner
  • Become A Partner
  • Seqrite Certification

© 2026 Quick Heal Technologies Ltd.

Sitemap Privacy Policies Legal Notices Cookie Policies Terms Of Use