{
	"id": "8ef4fb61-50be-4d47-8c01-638dd96abc67",
	"created_at": "2026-04-06T00:14:57.521401Z",
	"updated_at": "2026-04-10T03:20:27.076368Z",
	"deleted_at": null,
	"sha1_hash": "5079360bafa31907a76ef486ec138acac6d188cf",
	"title": "Proactive response: AnyDesk, any breach - Stairwell",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 256413,
	"plain_text": "Proactive response: AnyDesk, any breach - Stairwell\r\nBy Threat Research\r\nArchived: 2026-04-05 20:35:46 UTC\r\nThe Stairwell research team closely monitors news for security events that could potentially impact our customers and the world at large. Among rumors of a breach at AnyDesk, we started proactively working to develop YARA rules and hunting methods to help our customers rapidly respond. At the time of this blog, this breach remains unconfirmed – which is precisely why we are writing this report. During the window of time between rumor and confirmation, organizations can take proactive steps to evaluate their exposure.\r\nThis blog post covers our initial approach and potential detection methodologies that serve as a foundation upon which others can build.\r\nYARA development approach\r\nAs part of our initial approach, we started to collect technical facts:\r\n1. What do legitimate AnyDesk files look like?\r\n2. What code signing certificates are used?\r\nhttps://stairwell.com/resources/proactive-response-anydesk-any-breach/\r\nPage 1 of 4\r\nWhen looking at trusted copies of AnyDesk, the executables signed before 9 November 2023 were signed with a certificate from philandro Software GmbH (serial number 0d:bf:15:2d:ea:f0:b9:81:a8:a9:38:d5:3f:76:9d:b8), the company’s original name. After this time, AnyDesk started signing copies of their software with a new certificate with the serial number 0a:81:77:fc:d8:93:6a:91:b5:e0:ed:df:99:5b:0b:a5.\r\nPotential detection: AnyDesk certificate used\r\nTo help equip hunt teams to quickly answer “Is this used in our network?”, the first rule we wrote looks for the serial numbers of AnyDesk’s code signing certificates. This signature will match legitimate copies of AnyDesk and any potentially malicious files signed with the same certificates:\r\nimport \"pe\"\r\nrule AnyDesk_certificates\r\n{\r\n    meta:\r\n        author = \"Silas Cutler (silas@stairwell)\"\r\n        description = \"Detection for PE files with AnyDesk certificates\"\r\n        date = \"2024-02-02\"\r\n    condition:\r\n        uint16(0) == 0x5a4d and\r\n        for any i in (0 .. pe.number_of_signatures): (\r\n            pe.signatures[i].serial == \"0a:81:77:fc:d8:93:6a:91:b5:e0:ed:df:99:5b:0b:a5\" or\r\n            pe.signatures[i].serial == \"0d:bf:15:2d:ea:f0:b9:81:a8:a9:38:d5:3f:76:9d:b8\"\r\n        )\r\n}\r\nPotential detection: AnyDesk certificate used, but unrelated PE info\r\nIf the certificates were stolen and are used in the future to sign malicious executables, we can use the certificate serial numbers as a starting point. An easy first check is to look for files that are signed with these certificates but whose PE metadata does not match legitimate AnyDesk executables.\r\nimport \"pe\"\r\nrule AnyDesk_certificates_invalid_pe_data\r\n{\r\n    meta:\r\n        author = \"Silas Cutler (silas@stairwell)\"\r\n        description = \"Detection for PE files with AnyDesk certificates that do not contain AnyDesk in the compa\"\r\n        date = \"2024-02-02\"\r\n    condition:\r\n        uint16(0) == 0x5a4d and\r\n        for any i in (0 .. pe.number_of_signatures): (\r\n            ( pe.signatures[i].serial == \"0a:81:77:fc:d8:93:6a:91:b5:e0:ed:df:99:5b:0b:a5\" or\r\n              pe.signatures[i].serial == \"0d:bf:15:2d:ea:f0:b9:81:a8:a9:38:d5:3f:76:9d:b8\" )\r\n            and not pe.version_info[\"CompanyName\"] icontains \"AnyDesk\"\r\n        )\r\n}\r\nPotential detection: AnyDesk .NET\r\nWhile reviewing the results of the previous two rules, we identified several malicious files (one example is SHA256 hash: 4e10c6fe5d0f656aab6d41c6a359bdbf658cafad4866583c8872ed60ed3018ed) written in .NET bearing the AnyDesk certificate. As AnyDesk is not written in .NET, signed .NET files bearing its certificate may be worth investigating.\r\nimport \"pe\"\r\nimport \"dotnet\"\r\nrule AnyDesk_cert_and_DOTnet\r\n{\r\n    meta:\r\n        author = \"Silas Cutler (silas@stairwell)\"\r\n        description = \"Detection for PE files with AnyDesk certificates and written in .NET\"\r\n        date = \"2024-02-02\"\r\n    condition:\r\n        uint16(0) == 0x5a4d and\r\n        for any i in (0 .. pe.number_of_signatures): (\r\n            pe.signatures[i].serial == \"0a:81:77:fc:d8:93:6a:91:b5:e0:ed:df:99:5b:0b:a5\" or\r\n            pe.signatures[i].serial == \"0d:bf:15:2d:ea:f0:b9:81:a8:a9:38:d5:3f:76:9d:b8\"\r\n        )\r\n        and dotnet.number_of_streams > 0\r\n}\r\nOne of the most powerful features of the Stairwell platform is the ability for users to leverage YARA to dynamically hunt through their environment and through our sample feeds. Whether it’s hunting for malware or tracking software, we want to enable our users to stay one step ahead of attackers.\r\nStairwell customers and users can find copies of these rules under the Stairwell Research ruleset.\r\nSource: https://stairwell.com/resources/proactive-response-anydesk-any-breach/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://stairwell.com/resources/proactive-response-anydesk-any-breach/"
	],
	"report_names": [
		"proactive-response-anydesk-any-breach"
	],
	"threat_actors": [],
	"ts_created_at": 1775434497,
	"ts_updated_at": 1775791227,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5079360bafa31907a76ef486ec138acac6d188cf.pdf",
		"text": "https://archive.orkl.eu/5079360bafa31907a76ef486ec138acac6d188cf.txt",
		"img": "https://archive.orkl.eu/5079360bafa31907a76ef486ec138acac6d188cf.jpg"
	}
}