GBHackers

Attackers Exfiltrate AnyDesk Configuration Data via Blat SMTP in Aerospace Phishing Campaign


A targeted spear-phishing campaign that configures AnyDesk for silent, persistent remote access and exfiltrates its configuration using the Blat SMTP utility.

The campaign uses an aerospace-themed invoice lure that impersonates the Russian research institute VNIIR via a freshly registered spoof domain (vniir-avia.space) and delivers a password-protected archive that, when opened, triggers a multi-stage dropper and post-exploitation chain.

Analysis shows the operators aim to establish long-term covert access by deploying a portable AnyDesk instance, setting an unattended-access password, archiving AnyDesk configuration and credential artifacts, and transmitting that archive to attacker-controlled email infrastructure.

The initial message, sent from [email protected] with the subject “счет на оплату,” contains a RAR archive protected by a password included in the email body a deliberate anti-scan technique to bypass email defenses.

The dropper runs a decoy PDF and creates a series of .cmd files via echo redirection, then contacts a command-and-control endpoint to download a malicious RAR that contains a portable AnyDesk, Blat (blat.exe), Tray Minimizer, and supporting scripts.

Post-extraction, the operator-controlled batch script delays execution briefly (using a ping-based sleep), configures AnyDesk for unattended access by invoking its CLI to set a predefined password, deploys the portable AnyDesk under %ProgramData%AnyDesk, and launches it.

The Seqrite Threat Research Team identified a targeted spear-phishing campaign disguised as a legitimate business invoice.The phishing email impersonates a legitimate Russian research institute associated with aerospace and aviation systems.


Infection Chain (Source : Seqrite).
Infection Chain (Source : Seqrite).

The script then packages AnyDesk’s service.conf, system.conf, client identifiers, logs and certificates into a password-protected AnyDesk.rar and uses Blat to exfiltrate the archive.

SMTP in Aerospace Phishing Campaign

Network captures reveal SMTP exfiltration via mail.versio.nl from [email protected] to [email protected], with subjects structured as AnyDesk %COMPUTERNAME%/%USERNAME% to uniquely identify victims.

The extracted executable, compiled in Delphi and packaged with Smart Install Maker, drops multiple components under a temporary folder and executes batch scripts that orchestrate retrieval, extraction, and execution of additional payloads.

DiE snap details (Source : Seqrite).

For persistence, the campaign registers a scheduled task named “Auto apdate” that runs Trays.exe -tray at logon with elevated privileges while removing temporary artifacts to hinder forensic analysis.

Tactics observed align with living-off-the-land (LotL) tradecraft: abusing legitimate utilities (AnyDesk, Blat, WinRAR/driver.exe, and 4t Tray Minimizer) to blend activity into normal system operations and reduce detection.

The attackers bundle full legitimate applications in the archive rather than delivering bespoke binaries, enabling remote access and concealment while minimizing development overhead.


The malicious batch file (Source : Seqrite).
The malicious batch file (Source : Seqrite).

Public reporting links this pattern aerospace-themed lures, invoice-based spear-phishing, password-protected archives, and use of AnyDesk/Blat to the Rare Werewolf (aka Librarian Ghouls) cluster, which has previously targeted industrial, aerospace, engineering, and energy sectors across Russia, Belarus, and Kazakhstan.

While attribution cannot be definitive from these artifacts alone, the operational overlap with Rare Werewolf campaigns documented in 2025 is substantial.

Defensive guidance centers on blocking and detection of the abused tooling and campaign patterns: enforce strict inspection of password-protected attachments.

Monitor for unauthorized AnyDesk installations and configuration file creation under ProgramData, and alert on use of Blat or outbound SMTP sessions to uncommon mail relays from endpoints.

Implement application allowlisting for AnyDesk and Tray Minimizer, require multi-factor authentication and conditional access for remote tools, and tighten email domain validation and DMARC enforcement to reduce spoofed domain success.

Endpoint telemetry and scheduled-task monitoring will help detect the “Auto apdate” persistence artifact.

Indicators of Compromise (IOCs) 

TypeValue
Hash47854deb456cb08c651b7f9ae2f9d87c72d0719de6af233340632efb3c1980f4
Hash12648cd9d425f78db2dbc6e03c14f11e6ac6aadf8b3975c23cce9519e2b58d33
HashF57e010541fb4ccbf23aefc4a827f753a6ff3f8792d9c04c3eea83f6963c6bae
Hash0dc0fa727f900ed5033f46f8ba6cf2d97d20ab95fd334cabc0f216da6e0622b0
IP198.54.120[.]13
IP194.87.57[.]81
IP2.23.88[.]201
IP109.106.178.14
Domainaviatronika[.]online
Domainvniir-avia[.]space
Domainfgub-vniir[.]space
Domainvniir-info[.]space
Domainnova-stream[.]site

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.



Source link