Date: 07/10/2026
Severity: High
Summary
Threat Research Team identified a targeted spear-phishing campaign using a fake aerospace-related business invoice delivered via a spoofed domain to deploy malware that silently configures AnyDesk for unattended remote access and persistence. The campaign abuses living-off-the-land (LotL) tools such as AnyDesk, Blat, WinRAR, and Tray Minimizer to maintain long-term access while minimizing user visibility. The observed tactics, targeting, and tradecraft closely align with the Rare Werewolf (Librarian Ghouls) threat actor, although no XMRig cryptomining activity was observed in this sample. A threat actor known to target organizations in Russia, Belarus, and Kazakhstan.
Indicators of Compromise (IOC) List
Domain/URLs | aviatronika.online vniir-avia.space fgub-vniir.space vniir-info.space nova-stream.site |
IP Address | 198.54.120.13 194.87.57.81 2.23.88.201 109.106.178.14 |
Hash | 47854deb456cb08c651b7f9ae2f9d87c72d0719de6af233340632efb3c1980f4
12648cd9d425f78db2dbc6e03c14f11e6ac6aadf8b3975c23cce9519e2b58d33
F57e010541fb4ccbf23aefc4a827f753a6ff3f8792d9c04c3eea83f6963c6bae
0dc0fa727f900ed5033f46f8ba6cf2d97d20ab95fd334cabc0f216da6e0622b0
|
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 : | domainname like "nova-stream.site" or url like "nova-stream.site" or siteurl like "nova-stream.site" or domainname like "fgub-vniir.space" or url like "fgub-vniir.space" or siteurl like "fgub-vniir.space" or domainname like "vniir-avia.space" or url like "vniir-avia.space" or siteurl like "vniir-avia.space" or domainname like "vniir-info.space" or url like "vniir-info.space" or siteurl like "vniir-info.space" or domainname like "aviatronika.online" or url like "aviatronika.online" or siteurl like "aviatronika.online" |
Detection Query 2 : | dstipaddress IN ("194.87.57.81","198.54.120.13","2.23.88.201","109.106.178.14") or srcipaddress IN ("194.87.57.81","198.54.120.13","2.23.88.201","109.106.178.14") |
Detection Query 3 : | sha256hash IN ("F57e010541fb4ccbf23aefc4a827f753a6ff3f8792d9c04c3eea83f6963c6bae","0dc0fa727f900ed5033f46f8ba6cf2d97d20ab95fd334cabc0f216da6e0622b0","47854deb456cb08c651b7f9ae2f9d87c72d0719de6af233340632efb3c1980f4","12648cd9d425f78db2dbc6e03c14f11e6ac6aadf8b3975c23cce9519e2b58d33")
|
Reference:
https://www.seqrite.com/blog/from-invoice-to-anydesk-uncovering-a-phishing-campaign-targeting-russian-aerospace-organizations/