logo

From Invoice to AnyDesk: Uncovering a Phishing Campaign Targeting  Russian Aerospace Organizations  

ID: f5dc1e44-fd50-5282-8f91-ad7f6c4fcd35

STIX ID: report--f5dc1e44-fd50-5282-8f91-ad7f6c4fcd35

Feed Name: Seqrite Blog

Threat Score
82/100

Date Published: 2026-07-07

Date Updated: 2026-07-07

Author: Seqrite

...
...

This report analyzes a targeted spear-phishing campaign that impersonates a Russian research institute to deliver a password-protected archive which, when executed, drops a Delphi-compiled installer that extracts and deploys portable AnyDesk, Blat (SMTP utility), Tray Minimizer and other components to configure unattended remote access, exfiltrate AnyDesk configuration via SMTP, and create scheduled-task persistence; the activity is attributed with moderate confidence to the Rare Werewolf (Librarian Ghouls) cluster and includes IOCs and MITRE ATT&CK mappings.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.