In short: In early July 2026 analysts at Angara MTDR described a fresh phishing wave aimed at Russian organisations. Victims get an email that looks like ongoing business correspondence with an encrypted archive named as a "supply contract". Opening the attached file quietly installs the legitimate remote-access tool AnyDesk, sets up permanent access, and steals passwords saved in the browser and email client. The core defence is to distrust unexpected "contract" archives, never store important passwords in the browser, and turn on two-factor authentication.
What happened
On 8 July 2026 the Angara MTDR monitoring team published a breakdown of a new campaign by the group tracked as Rare Werewolf (also known as Rezet, Librarian Ghouls and Librarian Likho), active against organisations in Russia, Belarus and Kazakhstan since at least 2019. The lure is a phishing email crafted to look like a reply inside an existing business thread — a supply contract that supposedly needs a final look. The malicious message in the analysed sample was sent on 1 July 2026, at 3 a.m. Moscow time, from a free mailbox posing as a real employee. Because credential theft usually starts with a single careless click, it is worth reviewing the basics first in our guide on protecting your accounts from hacking.
It is not an isolated case. In a separate July 2026 report, Kaspersky described a parallel wave in which attackers pose as foreign buyers, write in English asking about products and prices, and then send a link to a page masquerading as a cloud PDF service that harvests corporate email logins. Two different groups, one goal: your saved credentials.
How the attack works
The Rare Werewolf email carries an encrypted RAR archive named like a real document, for example a "supply contract" with a case number. Inside are two files; one is an executable disguised with a harmless-looking extension. Launch it and a multi-stage loader unpacks in the background, deploys AnyDesk, and configures it for silent, persistent remote access to the machine.
From there the malware pulls passwords saved in browsers and email clients and ships them out over the attacker's own mail server. To stay hidden it mimics an antivirus "all clear" screen, references a fake digital signature, weakens built-in Windows protections and wipes traces of its activity. The victim believes they simply opened a contract.
What it means for your data
The prize here is your stored credentials. Passwords kept in a browser or mail client can be read out in seconds and reused to log into banking, email, corporate portals and social accounts — or sold on. Persistent AnyDesk access means the attacker can return, watch the screen and reach internal systems. If you think an account of yours may already be exposed, run the checks in our guide on how to detect a personal-data leak and change the affected passwords immediately.
How can you protect yourself?
Treat unexpected "contract" archives as hostile. A password-protected RAR with an .exe or .com file inside, arriving out of the blue, is a classic delivery trick. Verify with the sender through a known channel before opening anything.
Stop storing important passwords in the browser. Browser-saved logins are exactly what this malware grabs. Use a dedicated password manager with a master password, and enable two-factor authentication so a stolen password alone is not enough.
Watch for uninvited remote-access tools. If AnyDesk, TeamViewer or similar software appears that you did not install, treat the device as compromised, disconnect it and change passwords from a clean machine.
Keep your OS, antivirus and email filtering up to date, and be sceptical of any message — even one that looks like a running conversation — that pushes you to open a file or enter a password. To understand where a VPN does and does not help, see our explainer on what a VPN protects you from — and what it does not.
Where does a VPN fit in?
Be honest about the limits: a VPN cannot stop a phishing email or remove malware that a user has already run — that is the job of vigilance, a password manager and endpoint protection. What a VPN does cover is the network layer: it encrypts your traffic on untrusted Wi-Fi so logins and one-time codes cannot be intercepted in transit, and it hides your real IP, shrinking the footprint an attacker can profile. See how LiMP VPN handles encryption and pick a plan on our pricing page. Treat it as one layer among several, not a cure for phishing.
Sources
This report is based on the Angara MTDR analysis covered by CNews and Anti-Malware.ru, plus a parallel July 2026 phishing report from Kaspersky covered by Anti-Malware.ru.
