Operation SkyCloak Deploys Tor-Enabled OpenSSH Backdoor Targeting Defense Sectors

Threat actors are leveraging weaponized attachments distributed via phishing emails to deliver malware likely targeting the defense sector in Russia and Belarus.

According to multiple reports from Cyble and Seqrite Labs, the campaign is designed to deploy a persistent backdoor on compromised hosts that uses OpenSSH in conjunction with a customized Tor hidden service that employs obfs4 for traffic obfuscation.

The activity has been codenamed Operation SkyCloak by Seqrite, which says the phishing emails use lures related to military documents to convince recipients to open a ZIP file containing a hidden folder with a second archive file, along with a Windows shortcut (LNK) file that, when opened, triggers the multi-step infection chain.

“They trigger PowerShell commands which act as the initial dropper stage where another archive file besides the LNK is used to set up the entire chain,” security researchers Sathwik Ram Prakki and Kartikkumar Jivani said, adding the archive files were uploaded from Belarus to the VirusTotal platform in October 2025.

One such intermediate module is a PowerShell stager that’s responsible for running anti-analysis checks to evade sandbox environments, as well as writing a Tor onion address (“yuknkap4im65njr3tlprnpqwj4h7aal4hrn2tdieg75rpp6fx25hqbyd[.]onion”) to a file named “hostname” in the “C:\Users\<Username>\AppData\Roaming\logicpro\socketExecutingLoggingIncrementalCompiler” location.

As part of its anti-analysis checks, the malware confirms that the number of recent LNK files present on the system is greater than or equal to 10 and verifies that the current process count is greater than or equal to 50. If either condition is not met, the PowerShell script stops executing.

“These checks serve as environmental awareness mechanisms, as sandbox environments typically exhibit fewer user-generated shortcuts and reduced process activity compared to genuine user workstations,” Cyble said.

Once these environmental checks are satisfied, the script proceeds to display a PDF decoy document stored in the aforementioned “logicpro” folder, while setting up persistence on the machine using a scheduled task under the name “githubdesktopMaintenance” that runs automatically after user logon and runs at regular intervals every day at 10:21 a.m. UTC.

The scheduled task is designed to launch “logicpro/githubdesktop.exe,” which is nothing but a renamed version of “sshd.exe,” a legitimate executable associated with OpenSSH for Windows, allowing the threat actor to establish an SSH service that restricts communications to pre-deployed authorized keys stored in the same “logicpro” folder.

Besides enabling file transfer capabilities using SFTP, the malware also creates a second scheduled task that’s configured to execute “logicpro/pinterest.exe,” a customized Tor binary used to create a hidden service that communicates with the attacker’s .onion address by obfuscating the network traffic using obfs4. Furthermore, it implements port forwarding for multiple critical Windows services such as RDP, SSH, and SMB to facilitate access to system resources through the Tor network.
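The persistence pattern described above (a scheduled task launching a renamed sshd.exe and a Tor binary from a “logicpro” folder, plus a “hostname” file holding the onion address) can be hunted for on an endpoint. The following PowerShell triage script is an added example, not code from the article or from either vendor; it assumes the legitimate OpenSSH server lives at C:\Windows\System32\OpenSSH\sshd.exe and that the malware folder sits directly under the user’s Roaming profile.

```powershell
# Added hunt script for the SkyCloak persistence pattern (not from the article or the vendors' reports).
$logicPro = Join-Path $env:APPDATA 'logicpro'       # folder named in the reports
$realSshd = 'C:\Windows\System32\OpenSSH\sshd.exe'   # assumed location of the legitimate binary
$findings = @()

# 1. Scheduled tasks: the reported task name, or any action launched from the logicpro folder
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $exe = $action.Execute
        if (-not $exe) { continue }
        if ($task.TaskName -eq 'githubdesktopMaintenance' -or
            $exe -like '*\AppData\Roaming\logicpro\*') {
            $findings += [pscustomobject]@{
                Indicator = 'ScheduledTask'
                Detail    = "$($task.TaskPath)$($task.TaskName) -> $exe $($action.Arguments)"
            }
        }
    }
}

# 2. Renamed OpenSSH server: renaming does not change file contents, so a copy of sshd.exe
#    under another name still has the same SHA-256 as the real binary.
if ((Test-Path $logicPro) -and (Test-Path $realSshd)) {
    $sshdHash = (Get-FileHash -Path $realSshd -Algorithm SHA256).Hash
    foreach ($file in Get-ChildItem -Path $logicPro -Filter '*.exe' -File -Recurse) {
        $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
        $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
        if ($hash -eq $sshdHash) {
            $findings += [pscustomobject]@{ Indicator = 'RenamedSshd'; Detail = $file.FullName }
        } elseif ($sig.Status -eq 'NotSigned') {
            # a customized Tor build (the reported pinterest.exe) is unlikely to carry a valid signature
            $findings += [pscustomobject]@{ Indicator = 'UnsignedExeInLogicpro'; Detail = $file.FullName }
        }
    }
    # 3. Hidden-service artifact: the 'hostname' file holds the victim's .onion address
    Get-ChildItem -Path $logicPro -Filter 'hostname' -File -Recurse | ForEach-Object {
        $findings += [pscustomobject]@{
            Indicator = 'TorHostnameFile'
            Detail    = "$($_.FullName): $(Get-Content -Path $_.FullName -First 1)"
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No SkyCloak indicators found.' }
```

Run it in an elevated session so Get-ScheduledTask can enumerate every user’s tasks; a hit on RenamedSshd together with a hostname file is the combination the reports describe.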

Once the connection is successfully established, the malware exfiltrates system information, in addition to a unique .onion URL hostname identifying the compromised system by means of a curl command. The threat actor ultimately gains remote access capabilities to the compromised system upon receipt of the victim’s .onion URL through the command-and-control channel.

While it’s currently not clear who is behind the campaign, both security vendors said it’s consistent with Eastern European-linked espionage activity targeting defense and government sectors. Cyble has assessed with medium confidence that the attack shares tactical overlaps with a prior campaign mounted by a threat actor tracked by CERT-UA under the moniker UAC-0125.

“Attackers access SSH, RDP, SFTP, and SMB via concealed Tor services, enabling full system control while preserving anonymity,” the company added. “All communications are directed through anonymous addresses using pre-installed cryptographic keys.”

 The Hacker News 