AnyDesk

AnyDesk is a legitimate remote desktop and remote monitoring/management application that is frequently abused by threat actors as a dual-use tool rather than malware developed by the actors themselves. Across the provided reporting, it is repeatedly described as being installed post-compromise to provide direct remote access, persistence, backup access channels, and secondary command-and-control capability. Threat actors have silently installed it as an auto-start service, configured unattended access with hardcoded or attacker-set credentials, renamed the executable to reduce suspicion, and in some cases deleted logs to hinder investigation. It has also been used to facilitate lateral movement, malware deployment, credential theft support activity, and data exfiltration through interactive remote sessions and file transfer features.

Observed infection or deployment vectors in the content include social engineering and phishing that persuade victims to install or approve AnyDesk, abuse of unattended-access passwords, post-exploitation deployment after compromise via other malware or valid accounts, and delivery by downloaders or modular malware. Specific examples in the content include InvisibleFerret, a Python-based infostealer/backdoor used in the North Korea-aligned DeceptiveDevelopment campaign, which can download and configure AnyDesk for persistence and remote access; MuddyWater’s HTTP_VIP downloader in Operation Olalampo, which authenticates to attacker infrastructure and deploys AnyDesk; and multiple ransomware and intrusion cases where actors installed AnyDesk after gaining access through VPN abuse, RDP, exploited public-facing applications, or other footholds.

The content associates AnyDesk abuse with multiple threat actors and intrusion sets, including Akira affiliates, Trigona affiliates, MuddyWater/Seedworm, Peach Sandstorm, North Korea-aligned DeceptiveDevelopment operators, and ransomware or extortion activity involving Black Basta, LockBit, Medusa, Karakurt, RagnarLocker, Sodinokibi/REvil, and Netwalker. It is also referenced as a common payload in telephone-oriented attack delivery campaigns and broader cybercriminal email-delivered RMM abuse.

Targeting described in the content is broad and opportunistic, spanning enterprise environments and sectors including government, manufacturing, technology, education, consulting, pharmaceuticals, telecommunications, satellite, defense, healthcare, construction, and cryptocurrency/DeFi-focused developers. Supported platforms in the reporting include Windows primarily, with campaign context also covering Linux and macOS where upstream malware such as InvisibleFerret and BeaverTail targeted those systems.

High-confidence forensic and network indicators mentioned in the content include typical installation paths such as C:\Program Files (x86)\AnyDesk\ for installed versions and C:\Users\Username\AppData\Roaming\AnyDesk for portable use; artifacts including ad.trace, connection_trace.txt, Service.conf, System.conf, User.conf, Cache, Global_cache, Thumbnails, Chat, and Gcapi.dll; default screenshot and recording folders under C:\Users\Username\Pictures\AnyDesk and C:\Users\Username\Videos\AnyDesk; and logs that may reveal connection times, source IPs, permissions granted, file transfers, screenshots, privacy mode requests, and user-input blocking. One report also identified AnyDesk listeners on TCP port 7070 using self-signed TLS certificates with subject CN=AnyDesk Client, serial 01, RSA-2048 keys, and 50-year validity. Additional specific IOCs in the content include AnyDesk Client ID 1148037084 in a LockBit-related intrusion and infrastructure IPs 38.57.40.237:7070, 38.57.41.81:7070, 38.57.44.11:7070, and 38.57.44.232:7070 associated with AnyDesk management access on suspected C2 infrastructure.