Threat actors are leveraging weaponized attachments distributed through phishing emails to deliver malware likely targeting defense sectors in Russia and Belarus.
According to multiple reports from Cyble and Seqrite Labs, the campaign is designed to deploy a persistent backdoor on compromised hosts using OpenSSH in conjunction with a customized Tor hidden service that uses obfs4 for traffic obfuscation.
The campaign, codenamed “Operation SkyCloak” by Seqrite, states that the phishing email uses decoys related to military documents to trick recipients into opening a ZIP file containing a second archive file and a hidden folder containing Windows Shortcut (LNK) files, which upon opening the ZIP file triggers a multi-step infection chain.
“These trigger PowerShell commands that serve as the first dropper stage where another archive file other than LNK is used to configure the entire chain,” security researchers Sathwik Ram Prakki and Kartikkumar Jivani said, adding that the archive files were uploaded to the VirusTotal platform from Belarus in October 2025.
One such intermediate module is a PowerShell stager that performs anti-analysis checks to avoid sandbox environments and writes the Tor onion address (“yuknkap4im65njr3tlprnpqwj4h7aal4hrn2tdieg75rpp6fx25hqbyd)”.[.]onion” to the file named “hostname” located at “C:\Users\\AppData\Roaming\logicpro\socketExecutingLoggingIncrementalCompiler\”.
As part of its analysis checks, the malware verifies that the number of recent LNK files present on the system is at least 10 and that the number of current processes is at least 50. If either condition is not met, PowerShell will abruptly stop execution.
“These checks serve as an environment awareness mechanism, as sandbox environments typically have fewer user-created shortcuts and reduced process activity compared to real user workstations,” Cyble said.
Once these environment checks are satisfied, the script proceeds to display the PDF decoy document stored in the aforementioned ‘logicpro’ folder, while also setting up persistence on the machine using a scheduled task named ‘githubdesktopMaintenance’. This task runs automatically after a user logs on, and runs regularly every day at 10:21 AM (UTC).
The scheduled task is designed to launch “logicpro/githubdesktop.exe”. It is simply a renamed version of the legitimate executable “sshd.exe” associated with OpenSSH for Windows. This allows an attacker to establish an SSH service that restricts communication to pre-deployed authorized keys stored in the same “logicpro” folder.
In addition to enabling file transfer functionality using SFTP, the malware also creates a second scheduled task configured to run ‘logicpro/pinterest.exe’. This task is a customized Tor binary used to create a hidden service that communicates with the attacker’s .onion address by obfuscating network traffic using obfs4. Additionally, it implements port forwarding for several important Windows services such as RDP, SSH, and SMB to facilitate access to system resources over the Tor network.
Once a connection is successfully established, the malware uses the curl command to steal system information in addition to the unique .onion URL hostname that identifies the compromised system. The attacker eventually receives the victim’s .onion URL through a command-and-control channel and gains remote access to the compromised system.
It is not immediately clear who is behind the campaign, but both security vendors said the campaign is consistent with Eastern Europe-related espionage efforts targeting defense and government sectors. Cyble assessed with medium confidence that this attack was tactically duplicated with a previous campaign launched by the actor, which was tracked by CERT-UA as UAC-0125.
“The attacker gains access to SSH, RDP, SFTP, and SMB through hidden Tor services, allowing them complete system control while maintaining anonymity,” the company added. “All communication is done through anonymous addresses using pre-installed encryption keys.”
Source link
