New Phishing Campaign Uses AnyDesk to Secretly Gain Hidden Remote Access
A new AnyDesk phishing attack uses fake invoice emails to install hidden remote access, enabling cyber espionage, data theft, and long-term system access. Cybersecurity experts urge organizations to strengthen phishing protection and email security.
A new phishing attack has been discovered that uses the popular remote access software AnyDesk to secretly take control of computers. According to cybersecurity researchers at Seqrite, the attack mainly targets aerospace and aviation organizations. Instead of using traditional malware, attackers rely on trusted software, making the attack much harder to detect.
The AnyDesk phishing attack begins with a fake invoice email. The email looks to be from a trustworthy organization and includes a password-protected file. The password is contained in the email, allowing victims to access the attachment but preventing most email security systems from inspecting its contents.
When the file is opened, it secretly installs several programs in the background while displaying a false PDF invoice to escape suspicion. The hidden files then download an additional password-protected package from a remote server. This package includes a portable version of AnyDesk, as well as additional small tools for hiding the attack from the victim.
The attackers generated a preset password for AnyDesk, allowing them to login to the infected machine without permission. They also utilize a small application to disguise the AnyDesk window, making it difficult for users to discover when remote access is enabled.
To ensure that they never lose access, the attackers build a scheduled process that runs AnyDesk whenever the machine is turned on. They then capture the software's settings and send them to an attacker-controlled email address, enabling for future remote access as needed.
After finishing the setup, the attackers delete the installation files, logs, scripts, and even the fake invoice. This eliminates the majority of the evidence that security professionals would typically use to investigate the attack. Because AnyDesk is a legitimate remote access tool, many standard antivirus products may not detect it as malicious.
Researchers believe the campaign is linked to a cyber espionage group which has previously targeted industrial, engineering, and aerospace organizations. Although this effort is primarily aimed at spying, similar attacks have been related to cryptocurrency mining and data theft.
Cybersecurity experts recommend that organizations carefully check unexpected invoice emails, especially those received from newly created or unfamiliar domains. Businesses should also monitor for unknown scheduled tasks, unexpected AnyDesk installations, and unusual remote access activity. Restricting outgoing email connections and using behavior-based security tools instead of relying only on antivirus software can help detect these advanced phishing attacks before they cause serious damage.
As phishing attacks continue to become more advanced, users and organizations should stay alert. Even trusted software like AnyDesk can become a security risk when it is misused by attackers.
This article is based on information from Cyber Security News