A massive campaign using over 1,300 domains to impersonate the official AnyDesk site is underway, all redirecting to a Dropbox folder that has recently been pushing the Vidar information-stealing malware.
AnyDesk is a popular remote desktop application for Windows, Linux, and macOS, used by millions of people worldwide for secure remote connectivity and system administration.
Due to the tool’s popularity, malware distribution campaigns often abuse the AnyDesk brand. For example, in October 2022, Cyble reported that the operators of Mitsu Stealer were using an AnyDesk phishing site to push their new malware.
The new, ongoing AnyDesk campaign was spotted by SEKOIA threat analyst crep1x, who warned about it on Twitter and shared the complete list of the malicious hostnames. All of these hostnames resolve to the same IP address, 185.149.120[.]9.
The list of hostnames includes typosquats of AnyDesk, MSI Afterburner, 7-ZIP, Blender, Dashlane, Slack, VLC, OBS, cryptocurrency trading apps, and other popular software.
However, regardless of the name, they all lead to the same AnyDesk clone site, shown below.
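The two traits described above, many typosquatted hostnames and a single shared IP address, are what a defender would hunt for in DNS resolver logs. The following is an added example (not code from the article or from SEKOIA) that flags records resolving to the reported IP and records whose leftmost label imitates one of the listed brands; the log format, the sample records and the `KNOWN_GOOD` allowlist are assumptions constructed for the demonstration.

```python
# Pivot IP reported for the campaign (the article defangs it as 185.149.120[.]9).
PIVOT_IP = "185.149.120.9"
# Brands the article lists as typosquatted, normalised for the comparison below.
BRANDS = ["anydesk", "msiafterburner", "7zip", "blender", "dashlane", "slack", "vlc", "obs"]
# Assumption: an allowlist of the vendors' legitimate domains so they are not flagged.
KNOWN_GOOD = {"anydesk.com", "slack.com"}
# Constructed sample resolver log, one "timestamp client qname answer" record per line.
SAMPLE_LOG = """\
2023-01-10T10:00:01Z 10.0.0.5 anydesk.com 203.0.113.10
2023-01-10T10:00:04Z 10.0.0.7 anydesk-download.example 185.149.120.9
2023-01-10T10:00:09Z 10.0.0.9 anydek.example 185.149.120.9
2023-01-10T10:01:12Z 10.0.0.5 blender-pro.example 198.51.100.4
2023-01-10T10:02:30Z 10.0.0.8 slack.com 203.0.113.20
"""

def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_brand(host):
    """Return the brand the leftmost label imitates (hyphens ignored), or None."""
    label = host.lower().split(".")[0].replace("-", "")
    for brand in BRANDS:
        exact_only = len(brand) < 5  # short names like 'obs' must match exactly, else 'jobs' would hit
        if label == brand or (not exact_only and (brand in label or edit_distance(label, brand) <= 1)):
            return brand
    return None

def flag_record(line):
    """Return (qname, reasons) for one record; reasons is empty when nothing matched."""
    _ts, _client, qname, answer = line.split()
    reasons = []
    if answer == PIVOT_IP:
        reasons.append("resolves-to-pivot-ip")
    brand = lookalike_brand(qname)
    if brand and qname.lower() not in KNOWN_GOOD:
        reasons.append("lookalike:" + brand)
    return qname, reasons

def hunt(log_text):
    """Return [(qname, reasons)] for every record that matched at least one rule."""
    records = (flag_record(line) for line in log_text.splitlines() if line.strip())
    return [(qname, reasons) for qname, reasons in records if reasons]
```

Running `hunt(SAMPLE_LOG)` flags the two records pointing at the pivot IP and the Blender look-alike, while the allowlisted vendor domains pass untouched.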