A targeted spear-phishing campaign that configures AnyDesk for silent, persistent remote access and exfiltrates its configuration using the Blat SMTP utility.
The campaign uses an aerospace-themed invoice lure that impersonates the Russian research institute VNIIR via a freshly registered spoof domain (vniir-avia.space) and delivers a password-protected archive that, when opened, triggers a multi-stage dropper and post-exploitation chain.
Analysis shows the operators aim to establish long-term covert access by deploying a portable AnyDesk instance, setting an unattended-access password, archiving AnyDesk configuration and credential artifacts, and transmitting that archive to attacker-controlled email infrastructure.
The initial message, sent from [email protected] with the subject “счет на оплату,” contains a RAR archive protected by a password included in the email body a deliberate anti-scan technique to bypass email defenses.
The dropper runs a decoy PDF and creates a series of .cmd files via echo redirection, then contacts a command-and-control endpoint to download a malicious RAR that contains a portable AnyDesk, Blat (blat.exe), Tray Minimizer, and supporting scripts.
Post-extraction, the operator-controlled batch script delays execution briefly (using a ping-based sleep), configures AnyDesk for unattended access by invoking its CLI to set a predefined password, deploys the portable AnyDesk under %ProgramData%AnyDesk, and launches it.
The Seqrite Threat Research Team identified a targeted spear-phishing campaign disguised as a legitimate business invoice.The phishing email impersonates a legitimate Russian research institute associated with aerospace and aviation systems.

The script then packages AnyDesk’s service.conf, system.conf, client identifiers, logs and certificates into a password-protected AnyDesk.rar and uses Blat to exfiltrate the archive.
SMTP in Aerospace Phishing Campaign
Network captures reveal SMTP exfiltration via mail.versio.nl from [email protected] to [email protected], with subjects structured as AnyDesk %COMPUTERNAME%/%USERNAME% to uniquely identify victims.
The extracted executable, compiled in Delphi and packaged with Smart Install Maker, drops multiple components under a temporary folder and executes batch scripts that orchestrate retrieval, extraction, and execution of additional payloads.
For persistence, the campaign registers a scheduled task named “Auto apdate” that runs Trays.exe -tray at logon with elevated privileges while removing temporary artifacts to hinder forensic analysis.
Tactics observed align with living-off-the-land (LotL) tradecraft: abusing legitimate utilities (AnyDesk, Blat, WinRAR/driver.exe, and 4t Tray Minimizer) to blend activity into normal system operations and reduce detection.
The attackers bundle full legitimate applications in the archive rather than delivering bespoke binaries, enabling remote access and concealment while minimizing development overhead.

Public reporting links this pattern aerospace-themed lures, invoice-based spear-phishing, password-protected archives, and use of AnyDesk/Blat to the Rare Werewolf (aka Librarian Ghouls) cluster, which has previously targeted industrial, aerospace, engineering, and energy sectors across Russia, Belarus, and Kazakhstan.
While attribution cannot be definitive from these artifacts alone, the operational overlap with Rare Werewolf campaigns documented in 2025 is substantial.
Defensive guidance centers on blocking and detection of the abused tooling and campaign patterns: enforce strict inspection of password-protected attachments.
Monitor for unauthorized AnyDesk installations and configuration file creation under ProgramData, and alert on use of Blat or outbound SMTP sessions to uncommon mail relays from endpoints.
Implement application allowlisting for AnyDesk and Tray Minimizer, require multi-factor authentication and conditional access for remote tools, and tighten email domain validation and DMARC enforcement to reduce spoofed domain success.
Endpoint telemetry and scheduled-task monitoring will help detect the “Auto apdate” persistence artifact.
Indicators of Compromise (IOCs)
| Type | Value |
|---|---|
| Hash | 47854deb456cb08c651b7f9ae2f9d87c72d0719de6af233340632efb3c1980f4 |
| Hash | 12648cd9d425f78db2dbc6e03c14f11e6ac6aadf8b3975c23cce9519e2b58d33 |
| Hash | F57e010541fb4ccbf23aefc4a827f753a6ff3f8792d9c04c3eea83f6963c6bae |
| Hash | 0dc0fa727f900ed5033f46f8ba6cf2d97d20ab95fd334cabc0f216da6e0622b0 |
| IP | 198.54.120[.]13 |
| IP | 194.87.57[.]81 |
| IP | 2.23.88[.]201 |
| IP | 109.106.178.14 |
| Domain | aviatronika[.]online |
| Domain | vniir-avia[.]space |
| Domain | fgub-vniir[.]space |
| Domain | vniir-info[.]space |
| Domain | nova-stream[.]site |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.

