From Invoice to AnyDesk: Uncovering a Phishing Campaign Targeting Russian Aerospace Organizations

    Date: 07/10/2026

    Severity: High

    Summary

    Threat Research Team identified a targeted spear-phishing campaign using a fake aerospace-related business invoice delivered via a spoofed domain to deploy malware that silently configures AnyDesk for unattended remote access and persistence. The campaign abuses living-off-the-land (LotL) tools such as AnyDesk, Blat, WinRAR, and Tray Minimizer to maintain long-term access while minimizing user visibility. The observed tactics, targeting, and tradecraft closely align with the Rare Werewolf (Librarian Ghouls) threat actor, although no XMRig cryptomining activity was observed in this sample. A threat actor known to target organizations in Russia, Belarus, and Kazakhstan. 

    Indicators of Compromise (IOC) List

    Domain/URLs

    aviatronika.online 

    vniir-avia.space 

    fgub-vniir.space 

    vniir-info.space 

    nova-stream.site

    IP Address

    198.54.120.13  

    194.87.57.81  

    2.23.88.201 

    109.106.178.14 

    Hash

    47854deb456cb08c651b7f9ae2f9d87c72d0719de6af233340632efb3c1980f4 

    12648cd9d425f78db2dbc6e03c14f11e6ac6aadf8b3975c23cce9519e2b58d33 

    F57e010541fb4ccbf23aefc4a827f753a6ff3f8792d9c04c3eea83f6963c6bae 

    0dc0fa727f900ed5033f46f8ba6cf2d97d20ab95fd334cabc0f216da6e0622b0

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    domainname like "nova-stream.site" or url like "nova-stream.site" or siteurl like "nova-stream.site" or domainname like "fgub-vniir.space" or url like "fgub-vniir.space" or siteurl like "fgub-vniir.space" or domainname like "vniir-avia.space" or url like "vniir-avia.space" or siteurl like "vniir-avia.space" or domainname like "vniir-info.space" or url like "vniir-info.space" or siteurl like "vniir-info.space" or domainname like "aviatronika.online" or url like "aviatronika.online" or siteurl like "aviatronika.online"

    Detection Query 2 :

    dstipaddress IN ("194.87.57.81","198.54.120.13","2.23.88.201","109.106.178.14") or srcipaddress IN ("194.87.57.81","198.54.120.13","2.23.88.201","109.106.178.14")

    Detection Query 3 :

    sha256hash IN ("F57e010541fb4ccbf23aefc4a827f753a6ff3f8792d9c04c3eea83f6963c6bae","0dc0fa727f900ed5033f46f8ba6cf2d97d20ab95fd334cabc0f216da6e0622b0","47854deb456cb08c651b7f9ae2f9d87c72d0719de6af233340632efb3c1980f4","12648cd9d425f78db2dbc6e03c14f11e6ac6aadf8b3975c23cce9519e2b58d33")

    Reference:  

    https://www.seqrite.com/blog/from-invoice-to-anydesk-uncovering-a-phishing-campaign-targeting-russian-aerospace-organizations/ 


    Tags

    MalwareThreat ActorSpear Phishingliving off the land (LOTL)RussiaRATCryptominingBelarusKazakhstanTransportation Systems

    « Previous ArticleNext Article »

    Comments

    No records to display

    Looking for Something?
    Threat Research Categories:
    Tags