Understanding and threat hunting for RMM software misuse

    December 10, 2025 1:22 AM EST

    AnyDesk

    AnyDesk is a remote desktop application that enables quick, secure connections across a range of devices. The software is widely used by businesses for legitimate purposes such as support, file transfer and real-time collaboration. However, threat actors frequently exploit it to gain unauthorized access to personal or financial data by tricking victims into installing the software.

    In December 2024, two separate campaigns documented by security vendors illustrated how threat actors continue to leverage AnyDesk for illicit activities. In the first campaign, an attacker posed as a known client during a Microsoft Teams call, convincing the victim to install AnyDesk, which facilitated the deployment of DarkGate malware. In the second campaign, threat actors capitalized on the previously patched CVE-2023-48788 vulnerability in a FortiClient endpoint management system (EMS) for initial access. After using a ScreenConnect executable file to gain remote access, they installed AnyDesk as a means of securing persistence on the compromised system. Furthermore, the Computer Emergency Response Team of Ukraine (CERT-UA) issued an alert Jan. 17, 2025, about ongoing fraudulent attempts by unidentified threat actors to impersonate the agency through AnyDesk connection requests.

    The underground market is rife with offers from initial access brokers (IABs) of unauthorized network access via AnyDesk and other RMM tools plus PSA software. For instance, in December 2024, an actor known as Pirat-Networks offered AnyDesk account credentials with local domain administrator privileges to a U.S. vehicle tire vendor. Additionally, AnyDesk featured in ransomware activity by the Mad Liberator, Medusa, Rhysida and Cactus ransomware gangs.

    Artifacts observed

    Running the installer creates several configuration files in the “%AppData%” directory and a dynamic-link library (DLL) file in the “%temp%” folder:

    C:\Users\%userprofile%\AppData\Roaming\AnyDesk\user.conf
    C:\Users\%userprofile%\AppData\Roaming\AnyDesk\system.conf
    C:\Users\%userprofile%\AppData\Roaming\AnyDesk\service.conf
    C:\Users\%userprofile%\AppData\Local\Temp\gcapi.dll

    Installing AnyDesk also creates a folder in the “%ProgramData%” directory to hold the configuration files that were initially written to the “%AppData%” directory. This folder is:

    C:\ProgramData\AnyDesk\

    DNS requests

    One of the best opportunities for detection is monitoring domain name system (DNS) requests for the anydesk.com domain. In our tests, DNS resolutions to the following domains were observed:

    boot.net.anydesk.com
    relay-8bd65c3e.net.anydesk.com

    To increase the opportunities for early detection, we recommend monitoring or, where possible, blocking DNS requests that resolve any name under *.anydesk.com.
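    The following Python script is an added example, not code from the original post or from AnyDesk, that turns the two detection opportunities above (the on-disk artifacts and the DNS queries) into a small hunting routine. The artifact paths are the ones listed in the post; the DNS log lines are constructed samples in an assumed "timestamp client qname qtype" format, so the field parsing would need adjusting for a real resolver log. The domain check matches on a label boundary rather than as a substring, which keeps a lookalike such as anydesk.com.attacker.example and an unrelated name such as notanydesk.com from being flagged.

```python
"""Hunt for AnyDesk artifacts on disk and in DNS query logs (added example)."""
import tempfile
from pathlib import Path

# Artifact locations from the post, relative to the user profile root
# (C:\Users\<user>) and to %ProgramData%.
USER_ARTIFACTS = [
    r"AppData\Roaming\AnyDesk\user.conf",
    r"AppData\Roaming\AnyDesk\system.conf",
    r"AppData\Roaming\AnyDesk\service.conf",
    r"AppData\Local\Temp\gcapi.dll",
]
PROGRAMDATA_ARTIFACTS = [r"AnyDesk"]


def find_artifacts(user_profile, program_data):
    """Return the artifact paths that exist under the given roots.

    The Windows-style relative paths are split on backslashes so the check
    also runs against a mounted image or exported profile on a non-Windows host.
    """
    found = []
    for rel in USER_ARTIFACTS:
        candidate = Path(user_profile).joinpath(*rel.split("\\"))
        if candidate.is_file():
            found.append(str(candidate))
    for rel in PROGRAMDATA_ARTIFACTS:
        candidate = Path(program_data).joinpath(*rel.split("\\"))
        if candidate.is_dir():
            found.append(str(candidate))
    return found


def is_anydesk_domain(qname):
    """True for anydesk.com itself or any subdomain of it.

    Matching on the label boundary avoids two wrong results a substring check
    would give: "notanydesk.com" (false positive) and
    "anydesk.com.attacker.example" (a lookalike that must not match).
    """
    name = qname.rstrip(".").lower()
    return name == "anydesk.com" or name.endswith(".anydesk.com")


def flag_dns_queries(log_text):
    """Return (timestamp, client, qname) for every query to *.anydesk.com.

    Assumed log format (constructed for this example): whitespace-separated
    "timestamp client qname qtype".
    """
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or malformed lines
        timestamp, client, qname, _qtype = fields[:4]
        if is_anydesk_domain(qname):
            hits.append((timestamp, client, qname))
    return hits


# Constructed sample log: two queries to the domains named in the post, plus
# benign and lookalike names that must not be flagged.
SAMPLE_DNS_LOG = """\
2025-01-17T10:02:11Z 10.0.0.23 boot.net.anydesk.com A
2025-01-17T10:02:12Z 10.0.0.23 relay-8bd65c3e.net.anydesk.com A
2025-01-17T10:02:15Z 10.0.0.41 www.example.com A
2025-01-17T10:02:16Z 10.0.0.41 anydesk.com.attacker.example A
2025-01-17T10:02:17Z 10.0.0.57 notanydesk.com A
"""


def demo_artifact_scan():
    """Stage two of the artifacts in a scratch tree and scan it.

    Returns the base names of what was found, so the result does not depend
    on where the temporary directory lives.
    """
    with tempfile.TemporaryDirectory() as tmp:
        profile = Path(tmp) / "profile"
        program_data = Path(tmp) / "ProgramData"
        conf_dir = profile / "AppData" / "Roaming" / "AnyDesk"
        conf_dir.mkdir(parents=True)
        (conf_dir / "user.conf").write_text("# constructed sample\n")
        (program_data / "AnyDesk").mkdir(parents=True)
        return [Path(p).name for p in find_artifacts(profile, program_data)]


if __name__ == "__main__":
    for hit in flag_dns_queries(SAMPLE_DNS_LOG):
        print("DNS hit:", *hit)
    print("Artifacts found in staged tree:", demo_artifact_scan())
```

    On a live Windows host, `find_artifacts` would be called with `%USERPROFILE%` and `%ProgramData%` for each profile on the machine; the DNS side is the piece worth wiring into a SIEM rule, since the domain match fires before any file has been written and does not depend on the installer's paths staying the same.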
