Heads up, AnyDesk users! A huge phishing campaign involving over 1300 domains delivers Vidar info stealer by mimicking AnyDesk. Users should always ensure downloading AnyDesk, or any other software, from the official, legit websites to avoid such threats.
AnyDesk Phishing Campaign Pushes Vidar Info Stealer
The security researcher and threat analyst at SEKOIA.IO, having alias crep1x on Twitter, has recently shared details about an ongoing phishing campaign exploiting AnyDesk.
As described, the attackers behind this campaign have set up over 1300 domains that redirect users to a fake website mimicking AnyDesk’s site’s layout to trick users. In this way, the threat actors aim at delivering the Vidar info stealer to the potential victims.
Vidar is a potent data-stealing trojan that made it to the news in 2018. It usually reaches the target devices via malvertising and sneakily establishes itself on the device to steal sensitive information, mainly saved passwords.
To date, Vidar has been involved in numerous spam and phishing campaigns, targeting victims worldwide.
According to crep1x, he recently spotted over 1300 domains delivering Vidar by posing as fake AnyDesk installers. The attackers have stored the malware on a Dropbox link to which all domains redirect users. Also, all domains resolve to the same IP address.
To avoid suspicion, the attackers have also used typosquatted names for other popular software like Slack, TeamViewer, and VideoLAN. But all the domains link back to the same webpage that impersonates AnyDesk.
According to the responses shared on the researcher’s Twitter thread, some malicious domains are hosted on NameCheap. When alerted, NameCheap responded to “take care of it,” whereas the other domains hosted on DigitalOcean are yet to be removed.
This isn’t the first phishing campaign exploiting AnyDesk. In October 2022, Cybel researchers also reported a malicious campaign using AnyDesk phishing sites to spread Mitsu malware.
Let us know your thoughts in the comments.