# Full Report
Threat actors are leveraging weaponized attachments distributed via phishing emails to deliver malware likely targeting the defense sector in Russia and Belarus. According to multiple reports from Cyble and Seqrite Labs, the campaign is designed to deploy a persistent backdoor on compromised hosts that uses OpenSSH in conjunction with a customized Tor hidden service that employs obfs4 for
# Analysis Summary
# Threat Actor: Unidentified (Associated with Operation SkyCloak)
## Attribution & Identity
The threat actor remains unidentified, but the activity has been codenamed **Operation SkyCloak** by Seqrite Labs. Researchers assess with *medium confidence* that the attack shares tactical overlaps with prior activity attributed to **UAC-0125** (tracked by CERT-UA). The campaign is generally consistent with Eastern European-linked espionage activity.
## Activity Summary
The actors are running a campaign named Operation SkyCloak, primarily distributed via phishing emails containing weaponized attachments (ZIP files hiding LNK files). The objective is to deploy a persistent backdoor leveraging OpenSSH and a custom Tor hidden service to maintain stealthy remote access. Archives related to the campaign were observed uploaded from Belarus to VirusTotal in October 2025.
## Tactics, Techniques & Procedures
- **Initial Access:** Spearphishing via email using lures concerning military documents.
- **Execution:** Opening a ZIP file containing a LNK file which triggers a multi-step infection chain starting with PowerShell commands.
- **Defense Evasion (Anti-Analysis):** The PowerShell stager performs environmental checks:
  - Checks if the number of recent LNK files is $\ge 10$.
  - Checks if the current process count is $\ge 50$.

  If either condition fails, execution ceases, indicating a sandbox-evasion technique.
- **Persistence:**
  1. Creation of a scheduled task named "githubdesktopMaintenance" set to run daily at 10:21 a.m. UTC upon user logon. This task executes a renamed `sshd.exe` (OpenSSH for Windows).
  2. Creation of a second scheduled task to execute a customized Tor binary (`pinterest.exe`).
- **Command and Control (C2):** Establishes a persistent backdoor that registers a Tor hidden service (`.onion` address).
- **Data Exfiltration:** Exfiltrates system information and a unique system identifier (the `.onion` hostname) using a `curl` command after gaining access.
- **Lateral Movement/Access:** Implements port forwarding for RDP, SSH, and SMB services to facilitate access through the Tor network.
## Targeting
- **Sectors:** Defense sector.
- **Geography:** Russia and Belarus.
- **Victims:** Organizations within the defense sectors of Russia and Belarus.
## Tools & Infrastructure
- **Malware Families Used:** Custom persistent backdoor utilizing OpenSSH (`sshd.exe` renamed), custom Tor binary (`pinterest.exe`), PowerShell stager.
- **Infrastructure (C2):** A Tor hidden service employing **obfs4** for traffic obfuscation. A specific sample onion address observed was: `yuknkap4im65njr3tlprnpqwj4h7aal4hrn2tdieg75rpp6fx25hqbyd[.]onion`.
- **File Paths:** Stores components in `%AppData%\Roaming\logicpro\`.
## Implications
The operation indicates a highly sophisticated, state-sponsored or state-affiliated espionage effort targeting critical national security sectors in Eastern Europe. The use of OpenSSH combined with a Tor hidden service and obfs4 obfuscation suggests the actor prioritizes high-volume, resilient remote access while maintaining a significant degree of operational anonymity.
## Mitigations
- **Email Security:** Enhance filtering for suspicious ZIP attachments, especially those containing LNK or nested compressed files.
- **Endpoint Detection & Response (EDR):** Monitor for suspicious PowerShell execution, especially scripts attempting process/file counting for environmental checks.
- **Network Monitoring:** Implement egress filtering and monitor for unexpected outbound traffic communicating with known Tor relay nodes or attempting to resolve `.onion` addresses.
- **System Hardening:** Scrutinize scheduled tasks for suspicious names (`githubdesktopMaintenance`) running unknown executables, particularly renamed, legitimate binaries like `sshd.exe`.
- **SSH/RDP Security:** Review authorized keys for OpenSSH deployments and restrict or monitor unusual attempts to use SFTP or SSH, especially if originating from unexpected local instances.
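To support the scheduled-task review called for under System Hardening and the persistence traits listed above, the following is an added PowerShell hunt (example code written for this summary, not code from the Seqrite or Cyble reports): it enumerates every scheduled task and flags the reported task name, the reported drop directory, executables living under a user profile, and binaries whose on-disk name differs from the PE `OriginalFilename` in their version resource, which is how a renamed `sshd.exe` gives itself away. The `ssh.exe` and `tor.exe` entries in the watched-name list are assumptions; only `sshd.exe` comes from the report.

```powershell
# Added example (not from the Seqrite/Cyble reports): enumerate scheduled tasks and flag
# Operation SkyCloak traits. Needs the ScheduledTasks module; run elevated to see all users' tasks.
$suspectTaskNames     = @('githubdesktopMaintenance')   # task name from the report
$suspectDirFragment   = '\AppData\Roaming\logicpro\'    # drop directory from the report
# PE OriginalFilename values that should not sit on disk under a different name.
# sshd.exe is from the report; ssh.exe and tor.exe are assumptions added here.
$watchedOriginalNames = @('sshd.exe', 'ssh.exe', 'tor.exe')

function Resolve-ActionPath {
    param([string]$Execute)
    # Action paths are often quoted and may contain environment variables.
    $p = [Environment]::ExpandEnvironmentVariables($Execute.Trim('"'))
    if (-not [IO.Path]::IsPathRooted($p)) {
        $cmd = Get-Command $p -ErrorAction SilentlyContinue
        if ($cmd) { $p = $cmd.Source }
    }
    return $p
}

$findings = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
        $path    = Resolve-ActionPath $action.Execute
        $reasons = @()
        if ($suspectTaskNames -contains $task.TaskName) { $reasons += 'reported task name' }
        if ($path -like "*$suspectDirFragment*")        { $reasons += 'reported drop directory' }
        elseif ($path -like '*\Users\*\AppData\*')       { $reasons += 'runs from a user profile' }
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            # A renamed binary usually keeps its original name in the version resource;
            # this check stays silent for binaries shipped without version info.
            $orig = (Get-Item -LiteralPath $path).VersionInfo.OriginalFilename
            if ($orig -and ($watchedOriginalNames -contains $orig) -and
                ($orig -ne [IO.Path]::GetFileName($path))) {
                $reasons += "on-disk name differs from PE OriginalFilename ($orig)"
            }
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                TaskPath = $task.TaskPath; TaskName = $task.TaskName
                Executable = $path;        Arguments = $action.Arguments
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

$findings | Sort-Object TaskPath, TaskName | Format-Table -AutoSize
```

Review any hit by hand: a legitimately installed OpenSSH server or a developer's Tor Browser will show up under the user-profile rule, so the combination of reasons matters more than any single one.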