At a glance
| Actor / group | Rare Werewolf (aka Librarian Ghouls, Rezet) — suspected |
| Activity | Invoice-themed spear-phishing that installs AnyDesk for remote access |
| Targets | Russian aerospace and industrial organizations |
| Scale | Hundreds of victims across related waves (Kaspersky estimate) |
| Law-enforcement status | No arrests or charges announced |
| Source | Seqrite Threat Research Team; corroborated by Kaspersky |
TL;DR
Seqrite found a phishing campaign that hits Russian aerospace firms. The email poses as an invoice from a real aviation research body. Once opened, it quietly installs AnyDesk for long-term remote access. Researchers suspect the Rare Werewolf group, also tracked as Librarian Ghouls.
What happened
The attack begins with one email. It comes from a spoofed VNIIR address with a Russian invoice subject. The domain copies VNIIR, a real Russian aviation body. However, attackers set up the fake domain only days before. The real body would use an old government address instead.
The message hides its recipient list, which signals bulk mailing. It also shows the logo of Russia’s Ministry of Industry and Trade for cover. A password-protected archive sits attached, and its name matches the fake invoice. The password appears in the email body, so the victim can open it while scanners cannot.
Inside the infection chain

The archive hides a dropper built with Smart Install Maker. When the victim runs it, a decoy invoice PDF opens on screen. Behind that decoy, the dropper writes files to a temp folder. It then calls out to a command server it controls. From there, it pulls a second archive. That bundle holds portable AnyDesk, the Blat mail tool, Tray Minimizer, and a batch script.
How the malware keeps control
The batch script drives the whole operation. First, it waits about a minute to slip past sandbox checks. Next, it sets a fixed AnyDesk password for hands-free access. It then copies AnyDesk into the ProgramData folder and launches it. The operators can now reach the machine without any prompt. Before sending, the script packs the AnyDesk settings into a protected archive. Seqrite says Blat serves only to steal that archived AnyDesk data. Blat then mails the file to an attacker inbox over SMTP. A scheduled task named Auto apdate restarts the tray tool at each logon. Finally, the script wipes its own files to slow down responders.
Who is behind it
The blame is not settled. Seqrite writes that it suspects a link to the Rare Werewolf campaign. The group also answers to Librarian Ghouls and Rezet. It has struck Russia, Belarus, and Kazakhstan since at least 2019. Most victims work in aerospace and heavy industry. According to Seqrite, the group works by abusing legitimate software to blend in. Kaspersky found the same approach in earlier cases. Even so, they avoid a firm verdict, since the clues alone cannot prove it.
Impact and scale
The campaign trades noise for stealth. Instead of custom malware, the operators reuse AnyDesk, Blat, and a renamed WinRAR binary. This choice helps them dodge alerts and hold access for months. Seqrite found no coin mining in this sample. Past Kaspersky reports, though, tie the group to XMRig miners. Kaspersky also saw hundreds of Russian victims in earlier waves. Seqrite spotted several related samples over recent months as well. Filenames and hashes shift, yet the Rare Werewolf workflow stays fixed. That pattern points to an ongoing push, not a single strike.
What comes next and how to stay protected
No arrests or charges have been announced against the operators. The campaign still looks active, so treat AnyDesk abuse as a live risk. Block invoice emails that carry password-protected archives with the password inside. Watch for AnyDesk installs under ProgramData and oddly named scheduled tasks. Also flag Blat activity and outbound mail to unknown SMTP servers. Teach staff to question surprise invoices, above all from brand-new domains. Rare Werewolf refreshes its lures often, so expect fresh invoice themes soon.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.