Full Report
Authors: Sathwik Ram Prakki and Kartikkumar Jivani

Contents: Introduction, Key Targets, Industries, Geographical Focus, Infection and Decoys, Technical Analysis, PowerShell Stage, Persistence, Configuration, Infrastructure and Attribution, Conclusion, SEQRITE Protection, IOCs, MITRE ATT&CK

Introduction: SEQRITE Labs has identified a campaign targeting military personnel of both Russia and Belarus, especially the Russian Airborne Forces and Belarusian Special […]

The post "Operation SkyCloak: Tor Campaign targets Military of Russia & Belarus" appeared first on Blogs on Information Technology, Network & Cybersecurity | Seqrite.
Analysis Summary
# Threat Actor: Unknown (Associated with Operation SkyCloak)
## Attribution & Identity
The threat actor remains unattributed by name in the provided context. The campaign is dubbed **Operation SkyCloak**. The activity shows high operational capability, leveraging multi-stage execution, evasion techniques, and Tor infrastructure for anonymization. The report notes potential overlaps with the **HeadMare** group observed in a related aerospace/defense campaign (Operation CargoTalon).
## Activity Summary
Operation SkyCloak is a recent cyber espionage campaign identified by SEQRITE Labs. Its primary focus is targeting the military personnel of Russia and Belarus. The infection chain relies on spearphishing attachments that ultimately deploy malware to establish persistent access and communicate anonymously via the Tor network by exposing local services as hidden services.
This campaign appears contextually related to other recent operations targeting Russian entities:
* **Operation HollowQuill (Early 2025):** Targeted Russian academic/research institutes linked to defense sectors.
* **Operation CargoTalon (July 2025):** Targeted Russian aerospace and defense sectors using the Eaglet implant.
* **Operation MotorBeacon (October 2025):** Targeted Russian automobile and e-commerce industries using the CAPI Backdoor.
## Tactics, Techniques & Procedures
The actor employs a sophisticated multi-stage dropper mechanism:
- **Initial Access:** Spearphishing attachments (.LNK files with double extensions) disguised as official military nomination/training letters are used.
- **Execution:** The LNK file triggers hidden PowerShell commands. This downloads and extracts multiple stages of archives containing EXEs, DLLs, and scripts.
- **Evasion/Anti-Analysis:** PowerShell scripts check the Windows 'Recent' folder for over ten shortcut files, indicating an attempt to ensure execution only in environments exhibiting signs of typical user activity (Defense Evasion: T1497 - Virtualization/Sandbox Evasion).
- **Persistence:** Mechanisms include establishing scheduled tasks (T1053.005) and boot/logon autostart execution (T1547) to maintain access.
- **Network Communication:** Communication is anonymized using the Tor network, specifically leveraging **obfs4 bridges** to tunnel command and control (C2) traffic. The actor sets up **SSH as a hidden service** via Tor to allow anonymous communication.
- **Obfuscation:** Use of obfuscated files or information (T1027) via PowerShell execution.
**MITRE ATT&CK Mappings Mentioned:**
* **T1583:** Acquire Infrastructure (Implied by deploying Tor bridges/infrastructure)
* **T1566.001:** Phishing: Spearphishing Attachment
* **T1204.002:** User Execution: Malicious File
* **T1059.001:** Command and Scripting Interpreter: PowerShell
* **T1053.005:** Scheduled Task
* **T1547:** Boot or Logon Autostart Execution
* **T1027:** Obfuscated Files or Information
* **T1036:** Masquerading
* **T1497:** Virtualization/Sandbox Evasion
* **T1083, T1046, T1033:** File and Directory Discovery, Network Service Discovery, System Owner/User Discovery
* **T1021:** Remote Services (Implied by exposing SSH)
* **T1119:** Automated Collection
* **T1071, T1090, T1571:** Application Layer Protocol, Proxy, Non-Standard Port (Used via Tor)
* **T1041:** Exfiltration Over C2 Channel
## Targeting
- **Sectors:** Ministry of Defence (MoD), military entities.
- **Geography:** Russian Federation, Republic of Belarus.
- **Victims:** Specifically targeted military personnel, including the **Russian Airborne Forces (VDV)** and **Belarusian Special Forces** (e.g., references to Military Unit 71289 and 83rd Separate Guards Airborne Assault Brigade; Military Unit 89417 associated with the 5th Separate Spetsnaz Brigade).
- **Decoys:** Infection spread via documents impersonating official communications, such as a 'Nomination letter for appointment' and a 'Training notification letter.'
## Tools & Infrastructure
- **Malware Families Used:** Multi-stage droppers culminating in execution via PowerShell. Specific executable names like `githubdesktop.exe`, `googlemaps.exe`, `pinterest.exe`, and `confluence.exe` are used for masquerading. Payloads likely include components necessary for Tor communication (e.g., `obfs4proxy.exe` and `tor.exe`).
- **Infrastructure (C2):** Anonymous communication established over the **Tor network** using **obfs4 bridges**.
  - **Observed Tor bridges (IP:port):**
    - 77.20.116[.]133:8080
    - 156.67.24[.]239:33333
    - 146.59.116[.]226:50845
    - 142.189.114[.]119:443
  - **Onion address:** yuknkap4im65njr3tlprnpqwj4h7aal4hrn2tdieg75rpp6fx25hqbyd[.]onion
## Implications
The campaign indicates a focused intelligence collection effort targeting sensitive military assets within Russia and Belarus. The use of Tor and obfs4 bridges signifies a high concern for operational security and anonymity on the attacker's side. The ability to expose SSH as a hidden service suggests the objective is likely persistent remote access for reconnaissance or data exfiltration from high-value military networks.
## Mitigations
- Implement rigorous email and attachment filtering, specifically looking for LNK files hiding payloads or executable content.
- Deploy advanced endpoint detection and response (EDR) solutions capable of detecting fileless execution techniques involving script interpreters like PowerShell, focusing on behavioral analysis rather than just static signatures.
- Actively monitor for unauthorized network activity related to Tor installation, obfuscated traffic, and the exposure of internal services (like SSH) to non-standard or encrypted tunneling protocols.
- Enhance multi-factor authentication and strictly limit administrative access, especially pathways that could lead to scheduled task creation or registry modifications for persistence.
- Implement network segmentation to isolate critical defense assets from general user workstations, potentially minimizing the blast radius if initial access is achieved via social engineering.
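The SSH-over-Tor hidden service, the obfs4 bridge configuration and the masqueraded executable names described under Network Communication and Tools & Infrastructure are the host artefacts the monitoring mitigation above has to find. The following Python is an added example written for this summary, not code from the SEQRITE report: it checks a torrc text for obfs4 bridge use and for a hidden service whose target is a local SSH listener, and checks persistence entries (scheduled task or autostart name mapped to command line) for the report's masquerade names; the torrc, the task entries and the `SUSPECT_EXES` list are constructed assumptions.

```python
import re

# Masquerade and Tor component names from the report (assumption: extend to local naming).
SUSPECT_EXES = {"githubdesktop.exe", "googlemaps.exe", "pinterest.exe",
                "confluence.exe", "obfs4proxy.exe", "tor.exe"}

def scan_torrc(text):
    """(key, detail) findings for obfs4 bridge use and for a hidden service that targets local SSH."""
    out = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)      # strip comment, split key/value
        if not parts: continue
        key, toks = parts[0].lower(), (parts[1].split() if len(parts) > 1 else [])
        if key == "usebridges" and toks == ["1"]:
            out.append((key, "bridge mode enabled"))
        elif key == "clienttransportplugin" and any("obfs4" in t.lower() for t in toks):
            out.append((key, " ".join(toks)))
        elif key == "bridge" and toks[:1] == ["obfs4"]:
            out.append((key, toks[1] if len(toks) > 1 else "?"))
        elif key == "hiddenserviceport" and toks:
            # HiddenServicePort <virtport> [<target>]; target defaults to 127.0.0.1:<virtport>
            target = toks[1] if len(toks) > 1 else f"127.0.0.1:{toks[0]}"
            if target.rsplit(":", 1)[-1] == "22":
                out.append((key, f"SSH exposed as hidden service via {target}"))
    return out

def exe_name(cmd):
    """Basename of the first (optionally quoted) token of a command line."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmd)
    path = (m.group(1) or m.group(2)) if m else ""
    return re.split(r"[\\/]", path)[-1].lower()

def scan_persistence(entries):
    """entries: {task or autostart name: command line}. A name hit is a lead, not proof."""
    return [(name, exe_name(cmd)) for name, cmd in entries.items()
            if exe_name(cmd) in SUSPECT_EXES or re.search(r"torrc|obfs4", cmd, re.I)]

# Constructed sample artefacts (not from the campaign) that exercise the checks.
SAMPLE_TORRC = """\
UseBridges 1
ClientTransportPlugin obfs4 exec obfs4proxy.exe
Bridge obfs4 192.0.2.10:8080 FINGERPRINT_PLACEHOLDER cert=CERT_PLACEHOLDER iat-mode=0
HiddenServiceDir .\\hs
HiddenServicePort 22 127.0.0.1:22
"""
SAMPLE_TASKS = {
    "GitHubDesktopUpdate": r'"C:\Users\u\AppData\Local\githubdesktop.exe" -f torrc',
    "OneDrive Sync": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
}
```

A basename match alone is a lead rather than a verdict, since a genuine GitHub Desktop install uses the same executable name; the command-line and torrc findings are what distinguish the pattern.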