From Invoice to AnyDesk: Uncovering a Phishing Campaign Targeting Russian Aerospace Organizations
ID: f5dc1e44-fd50-5282-8f91-ad7f6c4fcd35
STIX ID: report--f5dc1e44-fd50-5282-8f91-ad7f6c4fcd35
Feed Name: Seqrite Blog
This report analyzes a targeted spear-phishing campaign that impersonates a Russian research institute to deliver a password-protected archive which, when executed, drops a Delphi-compiled installer that extracts and deploys portable AnyDesk, Blat (SMTP utility), Tray Minimizer and other components to configure unattended remote access, exfiltrate AnyDesk configuration via SMTP, and create scheduled-task persistence; the activity is attributed with moderate confidence to the Rare Werewolf (Librarian Ghouls) cluster and includes IOCs and MITRE ATT&CK mappings.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
