AnyDesk

AnyDesk is a legitimate remote desktop and remote monitoring/management tool that is repeatedly documented in the provided content as being abused by threat actors for direct remote access, persistence, and secondary command-and-control across intrusions. It is described as being installed on compromised Windows systems and servers, including domain controllers and beachhead hosts, often as a backup access channel or auto-start service after initial compromise. Reported use cases include attacker persistence following exploitation of Apache ActiveMQ CVE-2023-46604, deployment by Akira affiliates during ransomware intrusions, use by Trigona operators for direct remote access alongside credential theft tooling, deployment by MuddyWater/Seedworm and Peach Sandstorm in Iranian state-linked operations, and use in broader cybercriminal campaigns where remote management tools are delivered to victims.

The content associates AnyDesk with multiple threat actors and clusters, including Akira affiliates, Trigona affiliates, MuddyWater/Seedworm, Peach Sandstorm/HOLMIUM, and actors involved in TOAD-style social engineering and Cloudflare-tunnel-based malware delivery. In some cases it was deployed through downloaders such as HTTP_VIP, which Group-IB reported as authenticating to codefusiontech[.]org and deploying AnyDesk; Rapid7 also observed MuddyWater-linked operators establishing persistence with AnyDesk after Microsoft Teams social engineering. Microsoft reported Peach Sandstorm deploying AnyDesk in a subset of intrusions to maintain access. In ransomware and network intrusion reporting, AnyDesk was installed on breached systems, domain controllers, and servers to facilitate hands-on-keyboard access.

The content also includes infrastructure-level observations of AnyDesk exposed on TCP port 7070, where stock AnyDesk services on ThinkHuge-hosted Windows VPS infrastructure were initially misclassified as unknown C2 listeners because they require a proper TLS ClientHello and do not respond to raw bytes. Those services used self-signed certificates with subject CN=AnyDesk Client, serial number 01, RSA-2048 keys, and 50-year validity. Identified AnyDesk management hosts were 38.57.40.237:7070, 38.57.41.81:7070, 38.57.44.11:7070, and 38.57.44.232:7070, with corresponding SHA-256 certificate fingerprints 56:40:AE:B0:2A:C2:E0:E6:36:DB:6A:1E:6C:95:E7:DE:5E:35:27:F2:9A:B4:8E:E0:AF:5A:5A:2E:FF:CF:ED:7C, 7F:78:95:42:6E:B2:56:9D:26:C7:2C:D8:9C:D7:06:0D:00:D7:F9:67:8D:31:B0:1C:E7:E9:B5:FD:35:AC:7B:12, C0:2C:B0:8A:D4:21:4C:EC:07:CD:C8:B5:85:D2:6B:55:9D:34:52:E3:5F:FF:E9:43:3D:40:C5:04:8D:D6:B4:CB, and 69:68:00:2F:50:BA:60:34:8B:1E:24:BD:51:3D:83:03:EC:7A:11:3B:E2:AA:15:F4:CC:EE:D5:CB:35:70:BE:32.

A separate report describes a purpose-built AnyDesk RAT used in the Contagious Interview campaign. That malware silently downloaded and installed AnyDesk, stole configuration and credential material from service.conf, exfiltrated it, injected attacker-controlled credential material into service.conf, and restarted AnyDesk to provide persistent remote desktop access. Reported hardcoded values written into service.conf included pwd_hash 967adedce518105664c46e21fd4edb02270506a307ea7242fa78c1cf80baec9d, pwd_salt 351535afd2d98b9a3a0e14905a60a345, and token_salt e43673a2a77ed68fa6e8074167350f8f; that RAT used C2 server 95.164.17.24:1224.

Additional indicators directly mentioned in the content include AnyDesk Client ID 1148037084 from the LockBit-related ActiveMQ intrusion, and a malware artifact named pdmemeAna.dll described as an AnyDesk RAT. Overall, the provided content consistently characterizes AnyDesk as legitimate software frequently repurposed by attackers to maintain remote access, persistence, and operator control in both cybercriminal and state-linked intrusions.