

Ethical Hacking News

Operation SkyCloak: A Sophisticated Tor-Enabled OpenSSH Backdoor Campaign Targeting Defense Sectors


Operation SkyCloak: A sophisticated Tor-enabled OpenSSH backdoor campaign targeting defense sectors in Russia and Belarus has been uncovered. The campaign leverages phishing emails, multi-step infection chains, and customized Tor hidden services to establish persistent backdoors and facilitate remote access.

  • Operation SkyCloak is a highly sophisticated phishing email campaign that compromises systems in Russia's and Belarus' defense sectors.
  • The attack uses a multi-step infection chain to deliver a persistent backdoor, leveraging OpenSSH and Tor hidden services for obfuscation.
  • The malware runs environment-awareness checks to evade sandboxes and writes a Tor onion address to a file.
  • The script displays a PDF decoy document and sets up persistence on the machine using scheduled tasks.
  • The malware implements port forwarding for critical Windows services, facilitating access to system resources through the Tor network.
  • The attackers exfiltrate system information and gain remote access capabilities through a command-and-control channel.



Threat actors have been observed deploying a highly sophisticated and evasive campaign to compromise systems within the defense sectors of Russia and Belarus. Codenamed Operation SkyCloak, this malware-laden phishing email campaign utilizes a multi-step infection chain to deliver a persistent backdoor on compromised hosts, leveraging OpenSSH in conjunction with a customized Tor hidden service that employs obfs4 for traffic obfuscation.

The attack begins with the recipient receiving a phishing email that uses military documents as the lure, enticing them to open a ZIP file containing a hidden folder with a second archive and a Windows shortcut (LNK) file. Opening these files triggers PowerShell commands that act as the initial dropper stage and set up the rest of the infection chain.

The attackers then uploaded intermediate modules to the VirusTotal platform in October 2025, including a PowerShell stager responsible for running anti-analysis checks to evade sandbox environments and for writing a Tor onion address to a file. The stager's environment-awareness checks confirm that at least 10 recent LNK files are present on the system and that at least 50 processes are running.

If either condition is not met, the PowerShell script stops immediately. Once both checks pass, the script displays a PDF decoy document stored in the "logicpro" folder while setting up persistence through a scheduled task named "githubdesktopMaintenance", which runs after user logon and then daily at 10:21 a.m. UTC.

The malware also creates a second scheduled task to execute "logicpro/pinterest.exe", a customized Tor binary that creates a hidden service, communicates with the attacker's .onion address, and obfuscates its network traffic with obfs4. It additionally forwards ports for several critical Windows services, including RDP, SSH, and SMB, so that system resources can be reached through the Tor network.
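The scheduled task and the Tor hidden service described above leave artifacts a responder can check without running anything from the campaign. The script below is an added example, not code from the article, Cyble or CERT-UA: it reads the `TaskName` and `Task To Run` columns of a `schtasks /query /fo CSV /v` export and looks for the reported task name, staging folder and renamed Tor binary, then parses a torrc for `HiddenServicePort` entries that forward RDP, SSH or SMB and for obfs4 transport directives (`ClientTransportPlugin`, `Bridge`). The sample CSV and torrc are constructed; the file paths, the second task name, the bridge address and fingerprint are placeholders, not campaign indicators.

```python
"""Triage of scheduled-task and torrc artifacts for the persistence traits reported here.

Added example, not code from the article, Cyble or CERT-UA. Only the task name
"githubdesktopMaintenance", the "logicpro" folder, "pinterest.exe", the 10:21 UTC daily
trigger and the RDP/SSH/SMB forwarding come from the reporting; every path, address and
the second task name below are constructed placeholders.
"""
import csv
import io

TASK_NAME_IOC = "githubdesktopMaintenance"   # reported persistence task name
FOLDER_IOC = "logicpro"                      # reported staging folder
BINARY_IOC = "pinterest.exe"                 # reported renamed Tor binary
REPORTED_START_TIME = "10:21"                # reported daily trigger (UTC)
# Services the article reports being forwarded through the hidden service.
SENSITIVE_PORTS = {3389: "RDP", 22: "SSH", 445: "SMB"}


def scan_scheduled_tasks(csv_text):
    """Return (kind, detail) findings from a `schtasks /query /fo CSV /v` export."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row.get("TaskName", "")
        action = row.get("Task To Run", "")
        if TASK_NAME_IOC.lower() in name.lower():
            findings.append(("task_name_ioc", name))
        if FOLDER_IOC in action.lower() or BINARY_IOC in action.lower():
            findings.append(("task_action_ioc", f"{name} -> {action}"))
        # schtasks prints local time: convert the reported UTC trigger for the host's
        # offset before relying on this; on its own it is only a weak signal.
        if (row.get("Schedule Type", "").lower() == "daily"
                and row.get("Start Time", "").startswith(REPORTED_START_TIME)):
            findings.append(("task_schedule_match", name))
    return findings


def scan_torrc(torrc_text):
    """Return (kind, detail) findings for hidden-service and obfs4 directives in a torrc."""
    findings = []
    for raw in torrc_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "hiddenservicedir":
            findings.append(("hidden_service_dir", value))
        elif key == "hiddenserviceport":
            # Syntax: HiddenServicePort VIRTPORT [TARGET]; TARGET defaults to 127.0.0.1:VIRTPORT
            parts = value.split()
            virt_port = int(parts[0])
            target = parts[1] if len(parts) > 1 else f"127.0.0.1:{virt_port}"
            if target.lower().startswith("unix:"):     # unix-socket targets carry no port
                continue
            target_port = int(target.rsplit(":", 1)[-1])
            if target_port in SENSITIVE_PORTS:
                findings.append(("exposed_service",
                                 f"{SENSITIVE_PORTS[target_port]} via onion port {virt_port} -> {target}"))
        elif key == "clienttransportplugin" and value.lower().startswith("obfs4"):
            findings.append(("obfs4_transport", value))
        elif key == "bridge" and value.lower().startswith("obfs4"):
            findings.append(("obfs4_bridge", value.split()[1]))
    return findings


def triage(csv_text, torrc_text):
    """Run both scans; also return the sorted services reachable over the hidden service."""
    findings = scan_scheduled_tasks(csv_text) + scan_torrc(torrc_text)
    exposed = sorted({d.split(" via ")[0] for k, d in findings if k == "exposed_service"})
    return findings, exposed


# Constructed sample: a trimmed `schtasks /query /fo CSV /v` export (real column names).
SAMPLE_SCHTASKS_CSV = r'''"HostName","TaskName","Author","Task To Run","Schedule Type","Start Time"
"WKS-01","\Microsoft\Windows\Defrag\ScheduledDefrag","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$","Weekly","01:00:00"
"WKS-01","\githubdesktopMaintenance","WKS-01\user","powershell.exe -File C:\Users\user\logicpro\stage2.ps1","Daily","10:21:00"
"WKS-01","\ConstructedTorTask","WKS-01\user","C:\Users\user\logicpro\pinterest.exe -f C:\Users\user\logicpro\torrc","At logon time","N/A"
'''

# Constructed sample torrc; the bridge address is TEST-NET and the fingerprint a placeholder.
SAMPLE_TORRC = r'''# constructed for this example, not recovered from the campaign
UseBridges 1
ClientTransportPlugin obfs4 exec C:\Users\user\logicpro\obfs4proxy.exe
Bridge obfs4 192.0.2.10:443 0000000000000000000000000000000000000000 cert=PLACEHOLDER iat-mode=0
HiddenServiceDir C:\Users\user\logicpro\hs
HiddenServicePort 3389 127.0.0.1:3389
HiddenServicePort 22 127.0.0.1:22
HiddenServicePort 445 127.0.0.1:445
HiddenServicePort 80 8080
'''

if __name__ == "__main__":
    all_findings, exposed = triage(SAMPLE_SCHTASKS_CSV, SAMPLE_TORRC)
    for kind, detail in all_findings:
        print(f"[{kind}] {detail}")
    print("services reachable over the hidden service:", ", ".join(exposed))
```

Run against a real export, the `task_name_ioc` and `task_action_ioc` hits are the strong signals; the 10:21 schedule match is weak because `schtasks` reports local time and because any legitimate task may share the slot. The torrc scan is the more durable check: a hidden service that forwards 3389, 22 or 445 on a workstation is anomalous regardless of which binary name or folder the campaign uses next.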

Once the connection is established, the malware exfiltrates system information, along with the unique .onion hostname identifying the compromised system, by means of a curl command. On receiving the victim's .onion URL through the command-and-control channel, the threat actor gains remote access to the compromised system.

The activity has been linked to Eastern European espionage targeting defense and government sectors, with Cyble assessing that it shares tactical overlaps with a prior campaign by a threat actor tracked by CERT-UA under the moniker UAC-0125. The concealed Tor services give the attackers full control of the system while preserving their anonymity, with all communications directed through anonymous addresses using pre-installed cryptographic keys.

This complex attack demonstrates the evolving sophistication of modern malware campaigns and highlights the need for enhanced security measures to protect systems within high-risk sectors.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Operation-SkyCloak-A-Sophisticated-Tor-Enabled-OpenSSH-Backdoor-Campaign-Targeting-Defense-Sectors-ehn.shtml

  • https://thehackernews.com/2025/11/operation-skycloak-deploys-tor-enabled.html

  • https://www.youtube.com/watch?v=4xhmzLw_a7A


  • Published: Tue Nov 4 09:26:39 2025 by llama3.2 3B Q4_K_M
