From Invoice to AnyDesk: Uncovering a Phishing Campaign Targeting Russian Aerospace Organizations
A spear-phishing campaign attributed to the Rare Werewolf group targets Russian aerospace and aviation organizations. The attack uses fraudulent emails impersonating a Russian aerospace research institute, delivering password-protected archives with malicious installers. It abuses legitimate tools such as AnyDesk, Blat, WinRAR, and Tray Minimizer to establish persistent remote access. The campaign configures portable AnyDesk for unattended access with a predefined password, exfiltrates configuration data via SMTP, and maintains persistence through scheduled tasks. The operators conceal their presence by minimizing the AnyDesk interface and removing forensic artifacts. This campaign aligns with previous Rare Werewolf activity targeting strategic sectors in Russia, Belarus, and Kazakhstan.
AI Analysis
Technical Summary
This campaign involves sophisticated spear-phishing targeting Russian aerospace and aviation sectors, likely conducted by the Rare Werewolf threat group. Initial infection vectors are fraudulent emails impersonating a legitimate aerospace research institute, containing password-protected archives with malicious installers. The attackers leverage living-off-the-land techniques by abusing legitimate software tools including AnyDesk (configured for unattended remote access), Blat (SMTP client), WinRAR, and Tray Minimizer to establish and maintain persistence. Data exfiltration is performed via SMTP to attacker-controlled infrastructure. Persistence mechanisms include scheduled tasks. The threat actors minimize the AnyDesk interface and remove forensic artifacts to evade detection. The campaign methodology is consistent with previously documented Rare Werewolf operations against strategically important sectors in Russia and neighboring countries.
Potential Impact
Successful compromise enables attackers to gain persistent remote access to targeted aerospace organizations, potentially allowing unauthorized data exfiltration and covert monitoring. The use of legitimate tools and living-off-the-land techniques complicates detection and forensic analysis. The campaign specifically targets sensitive aerospace and aviation sectors, which may have national security implications for Russia and related regions.
Mitigation Recommendations
No official patch or fix is applicable as this is a threat campaign rather than a software vulnerability. Organizations should implement targeted defenses against spear-phishing, including user awareness training to recognize fraudulent emails and password-protected attachments. Monitoring for unauthorized use of remote access tools like AnyDesk and suspicious scheduled tasks is recommended. Incident response should focus on identifying and removing malicious persistence mechanisms and blocking exfiltration channels such as unauthorized SMTP traffic. Since the campaign uses living-off-the-land techniques, endpoint detection and response solutions tuned to detect anomalous legitimate tool usage can help mitigate impact.
Affected Countries
Russia
Indicators of Compromise
- ip: 194.87.57.81
- hash: 0dc0fa727f900ed5033f46f8ba6cf2d97d20ab95fd334cabc0f216da6e0622b0
- hash: 144a0a499e007931628c98f38929466f
- hash: c7eccd855d2e97b57420afd23a4b9261f42f5b84
- hash: 12648cd9d425f78db2dbc6e03c14f11e6ac6aadf8b3975c23cce9519e2b58d33
- hash: 47854deb456cb08c651b7f9ae2f9d87c72d0719de6af233340632efb3c1980f4
- hash: f57e010541fb4ccbf23aefc4a827f753a6ff3f8792d9c04c3eea83f6963c6bae
- ip: 109.106.178.14
- ip: 198.54.120.13
- domain: vniir-info.space
- domain: vniir-avia.space
- hash: 6cc3c68c56e099792fdeadde76256d56
- hash: 7884be8a701f31421717c0835add92d5
- hash: eabd440c996846d0992e37ab01d01208
- hash: 5d9d91cf9da3b37d8eee87d5d4dd38dbfec28358
- hash: 7d415612a00d99617bd89670e1570c145863ad08
- hash: ee577f1880397a00480b210fcd6bc84d2330a19e
From Invoice to AnyDesk: Uncovering a Phishing Campaign Targeting Russian Aerospace Organizations
Description
A spear-phishing campaign attributed to the Rare Werewolf group targets Russian aerospace and aviation organizations. The attack uses fraudulent emails impersonating a Russian aerospace research institute, delivering password-protected archives with malicious installers. It abuses legitimate tools such as AnyDesk, Blat, WinRAR, and Tray Minimizer to establish persistent remote access. The campaign configures portable AnyDesk for unattended access with a predefined password, exfiltrates configuration data via SMTP, and maintains persistence through scheduled tasks. The operators conceal their presence by minimizing the AnyDesk interface and removing forensic artifacts. This campaign aligns with previous Rare Werewolf activity targeting strategic sectors in Russia, Belarus, and Kazakhstan.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This campaign involves sophisticated spear-phishing targeting Russian aerospace and aviation sectors, likely conducted by the Rare Werewolf threat group. Initial infection vectors are fraudulent emails impersonating a legitimate aerospace research institute, containing password-protected archives with malicious installers. The attackers leverage living-off-the-land techniques by abusing legitimate software tools including AnyDesk (configured for unattended remote access), Blat (SMTP client), WinRAR, and Tray Minimizer to establish and maintain persistence. Data exfiltration is performed via SMTP to attacker-controlled infrastructure. Persistence mechanisms include scheduled tasks. The threat actors minimize the AnyDesk interface and remove forensic artifacts to evade detection. The campaign methodology is consistent with previously documented Rare Werewolf operations against strategically important sectors in Russia and neighboring countries.
Potential Impact
Successful compromise enables attackers to gain persistent remote access to targeted aerospace organizations, potentially allowing unauthorized data exfiltration and covert monitoring. The use of legitimate tools and living-off-the-land techniques complicates detection and forensic analysis. The campaign specifically targets sensitive aerospace and aviation sectors, which may have national security implications for Russia and related regions.
Mitigation Recommendations
No official patch or fix is applicable as this is a threat campaign rather than a software vulnerability. Organizations should implement targeted defenses against spear-phishing, including user awareness training to recognize fraudulent emails and password-protected attachments. Monitoring for unauthorized use of remote access tools like AnyDesk and suspicious scheduled tasks is recommended. Incident response should focus on identifying and removing malicious persistence mechanisms and blocking exfiltration channels such as unauthorized SMTP traffic. Since the campaign uses living-off-the-land techniques, endpoint detection and response solutions tuned to detect anomalous legitimate tool usage can help mitigate impact.
Affected Countries
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://www.seqrite.com/blog/from-invoice-to-anydesk-uncovering-a-phishing-campaign-targeting-russian-aerospace-organizations/"]
- Adversary
- Rare Werewolf
- Pulse Id
- 6a4f858d17f60f10d1e16c2c
- Threat Score
- null
Indicators of Compromise
Ip
| Value | Description | Copy |
|---|---|---|
ip194.87.57.81 | — | |
ip109.106.178.14 | — | |
ip198.54.120.13 | — |
Hash
| Value | Description | Copy |
|---|---|---|
hash0dc0fa727f900ed5033f46f8ba6cf2d97d20ab95fd334cabc0f216da6e0622b0 | — | |
hash144a0a499e007931628c98f38929466f | — | |
hashc7eccd855d2e97b57420afd23a4b9261f42f5b84 | — | |
hash12648cd9d425f78db2dbc6e03c14f11e6ac6aadf8b3975c23cce9519e2b58d33 | — | |
hash47854deb456cb08c651b7f9ae2f9d87c72d0719de6af233340632efb3c1980f4 | — | |
hashf57e010541fb4ccbf23aefc4a827f753a6ff3f8792d9c04c3eea83f6963c6bae | — | |
hash6cc3c68c56e099792fdeadde76256d56 | — | |
hash7884be8a701f31421717c0835add92d5 | — | |
hasheabd440c996846d0992e37ab01d01208 | — | |
hash5d9d91cf9da3b37d8eee87d5d4dd38dbfec28358 | — | |
hash7d415612a00d99617bd89670e1570c145863ad08 | — | |
hashee577f1880397a00480b210fcd6bc84d2330a19e | — |
Domain
| Value | Description | Copy |
|---|---|---|
domainvniir-info.space | — | |
domainvniir-avia.space | — |
Threat ID: 6a4f9c6568715ace4365dcef
Added to database: 07/09/2026, 13:04:37 UTC
Last enriched: 07/09/2026, 13:17:40 UTC
Last updated: 07/09/2026, 23:39:44 UTC
Views: 12
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.