Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

From Invoice to AnyDesk: Uncovering a Phishing Campaign Targeting Russian Aerospace Organizations

0
Medium
Published: 07/09/2026 (07/09/2026, 11:27:09 UTC)
Source: AlienVault OTX General

Description

A spear-phishing campaign attributed to the Rare Werewolf group targets Russian aerospace and aviation organizations. The attack uses fraudulent emails impersonating a Russian aerospace research institute, delivering password-protected archives with malicious installers. It abuses legitimate tools such as AnyDesk, Blat, WinRAR, and Tray Minimizer to establish persistent remote access. The campaign configures portable AnyDesk for unattended access with a predefined password, exfiltrates configuration data via SMTP, and maintains persistence through scheduled tasks. The operators conceal their presence by minimizing the AnyDesk interface and removing forensic artifacts. This campaign aligns with previous Rare Werewolf activity targeting strategic sectors in Russia, Belarus, and Kazakhstan.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/09/2026, 13:17:40 UTC

Technical Analysis

This campaign involves sophisticated spear-phishing targeting Russian aerospace and aviation sectors, likely conducted by the Rare Werewolf threat group. Initial infection vectors are fraudulent emails impersonating a legitimate aerospace research institute, containing password-protected archives with malicious installers. The attackers leverage living-off-the-land techniques by abusing legitimate software tools including AnyDesk (configured for unattended remote access), Blat (SMTP client), WinRAR, and Tray Minimizer to establish and maintain persistence. Data exfiltration is performed via SMTP to attacker-controlled infrastructure. Persistence mechanisms include scheduled tasks. The threat actors minimize the AnyDesk interface and remove forensic artifacts to evade detection. The campaign methodology is consistent with previously documented Rare Werewolf operations against strategically important sectors in Russia and neighboring countries.

Potential Impact

Successful compromise enables attackers to gain persistent remote access to targeted aerospace organizations, potentially allowing unauthorized data exfiltration and covert monitoring. The use of legitimate tools and living-off-the-land techniques complicates detection and forensic analysis. The campaign specifically targets sensitive aerospace and aviation sectors, which may have national security implications for Russia and related regions.

Mitigation Recommendations

No official patch or fix is applicable as this is a threat campaign rather than a software vulnerability. Organizations should implement targeted defenses against spear-phishing, including user awareness training to recognize fraudulent emails and password-protected attachments. Monitoring for unauthorized use of remote access tools like AnyDesk and suspicious scheduled tasks is recommended. Incident response should focus on identifying and removing malicious persistence mechanisms and blocking exfiltration channels such as unauthorized SMTP traffic. Since the campaign uses living-off-the-land techniques, endpoint detection and response solutions tuned to detect anomalous legitimate tool usage can help mitigate impact.

Affected Countries

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Author
AlienVault
Tlp
white
References
["https://www.seqrite.com/blog/from-invoice-to-anydesk-uncovering-a-phishing-campaign-targeting-russian-aerospace-organizations/"]
Adversary
Rare Werewolf
Pulse Id
6a4f858d17f60f10d1e16c2c
Threat Score
null

Indicators of Compromise

Ip

ValueDescriptionCopy
ip194.87.57.81
ip109.106.178.14
ip198.54.120.13

Hash

ValueDescriptionCopy
hash0dc0fa727f900ed5033f46f8ba6cf2d97d20ab95fd334cabc0f216da6e0622b0
hash144a0a499e007931628c98f38929466f
hashc7eccd855d2e97b57420afd23a4b9261f42f5b84
hash12648cd9d425f78db2dbc6e03c14f11e6ac6aadf8b3975c23cce9519e2b58d33
hash47854deb456cb08c651b7f9ae2f9d87c72d0719de6af233340632efb3c1980f4
hashf57e010541fb4ccbf23aefc4a827f753a6ff3f8792d9c04c3eea83f6963c6bae
hash6cc3c68c56e099792fdeadde76256d56
hash7884be8a701f31421717c0835add92d5
hasheabd440c996846d0992e37ab01d01208
hash5d9d91cf9da3b37d8eee87d5d4dd38dbfec28358
hash7d415612a00d99617bd89670e1570c145863ad08
hashee577f1880397a00480b210fcd6bc84d2330a19e

Domain

ValueDescriptionCopy
domainvniir-info.space
domainvniir-avia.space

Threat ID: 6a4f9c6568715ace4365dcef

Added to database: 07/09/2026, 13:04:37 UTC

Last enriched: 07/09/2026, 13:17:40 UTC

Last updated: 07/09/2026, 23:39:44 UTC

Views: 12

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

External Links

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses