Weaponized AnyDesk Installer

Security experts have uncovered a complicated malvertising campaign (malware advertising) distributing the weaponized AnyDesk installer via targeted Google ad searches for the keyword “Anydesk.”

According to a security investigation from CrowdStrike Falcon Complete team, cybercriminals are spreading a malicious file “AnyDeskSetup.exe” masquerading as a legitimate AnyDesk Remote Desktop application.

What is Anydesk?

AnyDesk is a remote desktop application that provides independent remote access, file transfer, and VPN functionality to computer systems and other devices running the host application.

How does the Attack Happen?

Here malvertising concept was used for exploitation. A malware code or script is spread via legitimate-looking ads on websites. With malicious codes hidden inside these ads, they often redirect the users to fraudulent websites or install malware on their devices.

The malicious executable file looks to have manipulated to avoid detection and automatically installs a PowerShell script with the command line: C:\Intel\rexc.exe” -exec bypass \Intel\g.ps1.  Also ed a “rexc.exe” executable file appeared to be renamed for the PowerShell binary to bypass and avoid detections.

Malvertising Campaign and the Beginning of the Issue

Malicious and harmful Google ads were created by Attackers to target users using Google to search for AnyDesk. The malvertising campaign, which is active since April 21, 2021, leveraged intermediary sites that redirect the users to a social engineering page hosted at the URL: https[:]//domohop[.]com/anydesk-download/, which auto-downloads the trojan installer from the link: https://anydesk.s3-us-west-1.amazonaws[.]com/AnydeskSetup.exe.

Level of Compromise

40% of clicks on the malicious ad turned into installations of this trojan AnyDesk binary, and 20% of installations included follow-on hands-on-keyboard activity. While it is unknown what percentage of Google searches for AnyDesk resulted in clicks on the ad, a 40% Trojan installation rate from an ad click shows that this is an extremely successful method of gaining remote access across a wide range of potential targets.

List of IP address and domains:

IP Address: 

  • 176[.]111[.]174[.]126
  • 176[.]111[.]174[.]125


  • Domohop[.]com
  • Anydesk.s3-us-west-1[.]amazonaws.com
  • Zoomstatistic[.]com
  • Anydeskstat[.]com
  • Turismoelsalto[.]cl
  • Rockministry[.]org
  • curaduria3[.]com
Technical Aspect

AnyDesk’s remote desktop access solution has been downloaded by more than 300 million users worldwide, according to the company’s website. Although the cybersecurity firm did not attribute the cyber activity to a specific threat actor or nexus, it suspected it to be a “widespread campaign affecting a wide range of customers” given the large user base.

The PowerShell script may have all the hallmarks of a typical backdoor, but it’s the intrusion route where the attack throws a curve, signaling that it’s beyond a garden-variety data-gathering operation.


The company AnyDesk said it has notified Google of its findings and is said to have taken immediate action to pull the ad.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.