In October 2025, threat researchers at Cyble Research and Intelligence Labs uncovered a sophisticated cyber attack leveraging weaponized military documents to distribute an advanced SSH-Tor backdoor targeting defense sector personnel.

The campaign centers on a deceptively simple delivery mechanism: a ZIP archive disguised as a Belarusian military document titled “ТЛГ на убытие на переподготовку.pdf” (TLG for departure for retraining), specifically designed to lure Special Operations Command personnel specializing in unmanned aerial vehicle operations.

The attack represents a significant evolution in state-sponsored cyber espionage techniques, combining social engineering with sophisticated technical countermeasures to establish persistent backdoor access.

Cyble analysts identified that the malware deploys OpenSSH for Windows alongside a customized Tor hidden service featuring obfs4 traffic obfuscation, granting threat actors anonymous access to SSH, RDP, SFTP, and SMB protocols on compromised systems.

The researchers successfully connected via SSH to confirm the backdoor’s operational functionality, though no secondary payloads or post-exploitation actions were observed at the time of analysis.

Threat attribution analysis suggests moderate confidence alignment with UAC-0125/Sandworm (APT44), a Russian-linked advanced persistent threat group known for targeting Ukrainian military and critical infrastructure since 2013.

The tactical patterns, infrastructure overlaps, and operational methodologies mirror the December 2024 Army+ campaign, demonstrating Sandworm’s continuous refinement of proven attack techniques.

Multi-Stage Infection Mechanism and Evasion Strategy

The attack chain employs nested ZIP archives and LNK file disguises to bypass automated detection systems with remarkable sophistication.

Upon extraction, victims encounter an LNK file appearing as a legitimate PDF alongside a hidden directory named “FOUND.000” containing an additional archive titled “persistentHandlerHashingEncodingScalable.zip.”

When the victim attempts opening what appears to be a PDF document, the LNK file executes embedded PowerShell commands, extracting the nested archive to the %appdata%\logicpro directory and retrieving obfuscated PowerShell content for execution.

Cyble analysts identified critical anti-analysis checks embedded within the second-stage PowerShell script. The malware validates that at least 10 recent LNK files exist on the system and confirms the process count exceeds 50—thresholds rarely met in sandbox environments.

This environmental awareness mechanism terminates execution in automated analysis systems while proceeding on genuine user workstations.

Following validation, the script displays a decoy PDF to maintain the illusion of legitimacy while establishing persistence through scheduled tasks configured to execute at logon and daily at 10:21 AM UTC, ensuring continuous access to the compromised infrastructure.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Hackers Deliver SSH-Tor Backdoor Via Weaponized Military Documents in ZIP Files appeared first on Cyber Security News.

A sophisticated campaign targeting military personnel across Russia and Belarus has emerged, deploying a complex multi-stage infection chain that establishes covert remote access through Tor-based infrastructure.

Operation SkyCloak represents a stealth-oriented intrusion effort aimed at the Russian Airborne Forces and Belarusian Special Forces, utilizing legitimate OpenSSH binaries and obfs4 bridges to mask communication channels while maintaining persistence on compromised systems.

The attack begins with phishing archives containing shortcut files disguised with double extensions, masquerading as official military documents.

The first lure mimics a nomination letter from Military Unit 71289, referencing the 83rd Separate Guards Airborne Assault Brigade stationed in Ussuriysk.

The second decoy targets Belarusian Special Forces personnel with training notifications for Military Unit 89417, the 5th Separate Spetsnaz Brigade located near Minsk.

These carefully crafted documents were weaponized in late September 2025, with archive files uploaded from Belarus between October 15 and October 21.

Once executed, the shortcut files trigger PowerShell commands that initiate a sophisticated dropper mechanism.

The malware extracts nested archive files into directories with cryptic naming schemes such as %APPDATA%\dynamicUpdatingHashingScalingContext and %USERPROFILE%\Downloads\incrementalStreamingMerging.

The multi-stage extraction process deploys payloads into hidden folders including $env:APPDATA\logicpro or $env:APPDATA\reaper, containing multiple executables, XML configuration files, decoy PDFs, and supporting DLLs.

Seqrite analysts identified this campaign as part of a broader pattern of operations targeting Russian defense infrastructure, noting similarities to previous attacks such as HollowQuill and CargoTalon.

The researchers observed that the malware employs sophisticated anti-analysis techniques to evade sandbox detection, including checks for legitimate user activity by verifying the presence of more than ten shortcut files in the Windows Recent folder and ensuring process counts exceed 50 before proceeding with execution.

PowerShell Execution and Persistence Mechanisms

The PowerShell stage implements multiple evasion and persistence tactics to ensure long-term access to compromised systems.

The script creates a mutex to prevent multiple instances from running simultaneously, then registers scheduled tasks through XML configuration files that establish daily execution triggers starting at 2025-09-25T01:41:00-08:00.

These tasks are configured to run hidden, even when the computer is idle, without network connectivity, and with no execution time limits.

The malware deploys legitimate “OpenSSH for Windows” binaries compiled on December 13, 2023, including githubdesktop.exe and googlemaps.exe as SSH daemons, along with ssh-shellhost.exe for interactive sessions and libcrypto.dll for encryption functions.

Configuration files specify non-standard port 20321 for SSH services, disable password authentication, and require public key authentication using files with obfuscated names like redundantOptimizingInstanceVariableLogging and incrementalMergingIncrementalImmutableProtocol.

The campaign exposes multiple services through Tor hidden services, including SSH on port 20322, SMB on port 11435, RDP on port 13893, and additional custom ports.

Communication occurs through obfs4 pluggable transports using binaries named confluence.exe and rider.exe, which connect to bridge endpoints at 77.20.116.133:8080 and 156.67.24.239:33333.

The malware generates identification beacons formatted as <username>:<onion-address>:3-yeeifyem and transmits them through the local Tor SOCKS listener on port 9050, waiting for the onion address yuknkap4im65njr3tlprnpqwj4h7aal4hrn2tdieg75rpp6fx25hqbyd.onion to become available before establishing persistent communication channels.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post New Operation SkyCloak Uses Powershell Tools and Hidden SSH Service to Unblock Traffic appeared first on Cyber Security News.