
Why It Matters
Social Engineering + Fileless Execution = Stealthy Compromise
This attack combines classic social engineering with modern, stealthy execution. By posing as trusted IT support staff, attackers exploit human trust to gain remote access. From there, they deploy fileless payloads, malware that lives entirely in memory, leaving minimal forensic traces and bypassing many security solutions.
What’s Happening
Our MXDR team has identified multiple incidents where users received unexpected calls or emails from individuals claiming to be “corporate IT” or “Microsoft support.” The attackers typically state that there is an issue with the user’s system or email security and instruct them to download and run AnyDesk or a similar remote access tool.
Once the remote session is active, the attacker:
- Establishes persistence through PowerShell or registry modifications.
- Executes scripts directly in memory, avoiding disk-based detection.
- Harvests credentials, session tokens, and browser data.
- Deploys additional payloads such as keyloggers or information stealers.
In several cases, the malicious activity went undetected for hours because the attacker operated entirely within the legitimate remote access session.
Why It Works
- Human Trust Exploited: Attackers rely on urgency and authority (“Your account has been locked” or “We detected a virus”) to compel compliance.
- Remote Access Abuse: Tools like AnyDesk are legitimate but give full control once installed.
- Fileless Techniques: Malicious PowerShell or .NET payloads run directly in memory, leaving few traditional indicators.
- No Malware Files: Since no executables are written to disk, many antivirus solutions fail to trigger.
How to Detect These Attacks
Behavioral Red Flags:
- Unsolicited calls or emails claiming to be IT or Microsoft support.
- Requests to download and install AnyDesk or “remote diagnostic tools.”
- PowerShell or WMI activity initiated shortly after a remote session begins.
- Unusual login activity or MFA prompts following remote access.
Technical Indicators:
- Network connections from endpoints to anydesk.com or other remote-access tool domains, and remote sessions involving unknown external IPs.
- Suspicious PowerShell commands such as Invoke-Expression (IEX) or Base64-encoded scripts (-EncodedCommand).
- Memory-resident processes without associated executables on disk.
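The indicators above become actionable when they are correlated: PowerShell activity is far more suspicious when it starts minutes after a remote access tool was launched on the same host. The following detector is an added example, not code from the original advisory or from GoSecure. It runs over constructed sample events (simplified process-creation and Script Block Logging records, not real logs), decodes any -EncodedCommand argument (PowerShell Base64-encodes UTF-16LE text), and rates IEX/Invoke-Expression or encoded commands as high severity when they follow an AnyDesk or TeamViewer launch within a configurable window. Hostnames, timestamps and the 30-minute window are assumptions; the field names are simplified, not the real Windows event schema.

```python
import base64
import re
from datetime import datetime, timedelta

# Remote-access tools named in the advisory; any launch is a correlation anchor.
REMOTE_TOOLS = {"anydesk.exe", "teamviewer.exe"}

# PowerShell patterns the advisory lists as suspicious (checked on raw and decoded text).
SUSPICIOUS_PS = re.compile(r"\bInvoke-Expression\b|\bIEX\b|-EncodedCommand\b", re.IGNORECASE)
ENCODED_ARG = re.compile(r"-EncodedCommand\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Constructed -EncodedCommand payload: PowerShell encodes the script as UTF-16LE, then Base64.
_ENC = base64.b64encode("Invoke-Expression $cmd".encode("utf-16-le")).decode("ascii")

# Constructed sample telemetry (not real logs): process creation (4688) and
# PowerShell script block logging (4104) events reduced to the fields we need.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:00", "host": "WS-042", "event_id": 4688,
     "image": r"C:\Users\alice\Downloads\AnyDesk.exe", "script": ""},
    {"ts": "2024-05-01T10:03:10", "host": "WS-042", "event_id": 4104,
     "image": "", "script": "IEX $decoded"},
    {"ts": "2024-05-01T10:04:00", "host": "WS-042", "event_id": 4104,
     "image": "", "script": f"powershell.exe -NoProfile -EncodedCommand {_ENC}"},
    {"ts": "2024-05-01T15:00:00", "host": "WS-042", "event_id": 4104,
     "image": "", "script": "Get-ChildItem C:\\Temp"},
    {"ts": "2024-05-01T11:00:00", "host": "WS-077", "event_id": 4104,
     "image": "", "script": "IEX (Get-Content .\\setup.ps1 -Raw)"},
]


def decode_encoded_command(script: str) -> str:
    """Return the decoded -EncodedCommand text, or '' if none is present or decodable."""
    m = ENCODED_ARG.search(script)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def is_suspicious(script: str) -> bool:
    """Flag IEX/Invoke-Expression or encoded commands in the raw or the decoded script text."""
    return bool(SUSPICIOUS_PS.search(script)) or bool(SUSPICIOUS_PS.search(decode_encoded_command(script)))


def correlate(events, window_minutes: int = 30):
    """Alert on suspicious PowerShell; 'high' when it follows a remote-access tool
    launch on the same host within the window, 'medium' otherwise."""
    tool_starts = {}  # host -> launch times of remote-access tools
    for ev in events:
        image_name = ev["image"].lower().rsplit("\\", 1)[-1]
        if ev["event_id"] == 4688 and image_name in REMOTE_TOOLS:
            tool_starts.setdefault(ev["host"], []).append(datetime.fromisoformat(ev["ts"]))

    window = timedelta(minutes=window_minutes)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        if ev["event_id"] != 4104 or not is_suspicious(ev["script"]):
            continue
        t = datetime.fromisoformat(ev["ts"])
        recent_tool = any(timedelta(0) <= (t - start) <= window
                          for start in tool_starts.get(ev["host"], []))
        alerts.append({
            "host": ev["host"], "ts": ev["ts"],
            "severity": "high" if recent_tool else "medium",
            "decoded": decode_encoded_command(ev["script"]),
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

On the sample data this yields two high-severity alerts for WS-042 (the IEX call and the encoded command, whose decoded text is surfaced in the alert) and one medium-severity alert for WS-077, where IEX appears without a preceding remote-tool launch; the benign Get-ChildItem block at 15:00 is ignored. In production the same logic would read Event ID 4688 (or Sysmon process creation) and Event ID 4104 from a SIEM rather than an inline list.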
What You Can Do
Immediate Mitigations:
- Block downloads and installations of unauthorized remote access tools (AnyDesk, TeamViewer, etc.) via Group Policy or Endpoint Manager.
- Enable PowerShell Constrained Language Mode and turn on Script Block Logging so that all PowerShell execution is recorded (Event ID 4104).
- Restrict administrative privileges to prevent unauthorized software installs.
- Educate staff to verify all IT-related requests via official internal channels before complying.
If You Suspect Compromise:
- Immediately disconnect the device from the network.
- Contact your SOC or our GoSecure IR team for memory forensics.
- Reset credentials and revoke active sessions in Microsoft Entra ID (Azure AD).
- Review audit logs for suspicious PowerShell, registry, or remote session activity.
Take Action Today
Human-driven attacks remain one of the most effective intrusion methods.
If your organization would like help strengthening endpoint controls, configuring remote access restrictions, or improving user awareness, contact GoSecure today.
Stay vigilant. Verify before you trust. Never install remote tools at the request of unsolicited “IT” callers.