Researchers at Seqrite have uncovered a targeted spear-phishing campaign aimed at organizations in the Russian aerospace and electronics sectors. The attack uses a fake business invoice that impersonates a legitimate Russian aerospace research institute through a spoofed domain.
The email includes a password-protected archive, with the password provided in the email body, allowing recipients to open the attachment while making it harder for security tools to inspect its contents.
The archive contains an installer built with a legitimate packaging tool. It drops files into a hidden folder and opens a decoy PDF invoice to make the infection appear legitimate. A chain of batch scripts then downloads a second password-protected archive from a remote server containing the main payload.
The downloaded archive includes a portable copy of AnyDesk, the Blat command-line email utility, WinRAR, and the Tray Minimizer tool used to hide application windows. The scripts wait for about one minute before continuing, likely to avoid detection by automated sandbox environments.
The malware then configures AnyDesk for access by applying a predefined password and launching it in the background. After setup, it collects AnyDesk configuration files, connection settings, and certificates, compresses them into a password-protected archive, and sends the archive to an attacker-controlled email address using Blat. This allows the attackers to maintain remote access to the compromised system.
The attack also establishes persistence to ensure AnyDesk remains available after system reboots.
Researchers say that the observed infection chain, as well as phishing lure and the use of legitimate administration tools match tactics previously linked to the Rare Werewolf threat group, also known as Librarian Ghouls. The group has historically targeted organizations in Russia, Belarus, and Kazakhstan, focusing on aerospace, engineering, manufacturing, petrochemical, and other strategic industries.
The group’s past campaigns also involved the XMRig cryptocurrency miner deployed after initial compromise, however, in this case, Seqrite did not see any cryptojacking activity. Researchers believe the operators' main goal is to establish persistent remote access, with cryptocurrency mining potentially deployed at a later stage.