Infection Chain | Image: SEQRITE Labs
Researchers at SEQRITE Labs have uncovered a stealthy cyber espionage campaign dubbed “Operation SkyCloak”, which has been targeting military personnel of both Russia and Belarus, including members of the Russian Airborne Forces (VDV) and the Belarusian Special Forces.
According to SEQRITE, “the infection chain leads to exposing multiple local services via Tor using obfs4 bridges, allowing the attacker to anonymously communicate via an onion address.” The operation demonstrates a multi-stage PowerShell-based intrusion chain designed for persistent, covert remote access within military and defense networks.
The researchers noted that SkyCloak stands out due to its unusual targeting pattern.
“Multiple campaigns with similar geographical focus have been identified this year,” SEQRITE wrote, referring to a series of operations targeting Russian defense sectors, including Operation HollowQuill, CargoTalon, and MotorBeacon. Each of these campaigns displayed regional espionage characteristics, but SkyCloak’s cross-border focus on both Russian and Belarusian forces suggests an escalation in Eastern European intelligence warfare.
The campaign specifically targeted:
- Ministry of Defence personnel in both countries,
- The 83rd Separate Guards Airborne Assault Brigade in Ussuriysk, and
- The 5th Separate Spetsnaz Brigade in Maryina Horka, Belarus — a unit believed to have been disbanded in 2019 but showing activity in 2021.
SkyCloak’s infection chain begins with phishing ZIP archives uploaded from Belarus, dated between October 15 and October 21, 2025. The archives contain weaponized Windows LNK shortcut files disguised as military appointment or training documents — for example:
- ТЛГ на убытие на переподготовку.pdf.lnk (“Departure for retraining”)
- Исх №6626 Представление на назначение на воинскую должность.pdf.lnk (“Nomination for appointment to military position”)
When executed, these shortcuts trigger PowerShell commands that extract nested archives into directories such as:
- %APPDATA%\dynamicUpdatingHashingScalingContext
- %USERPROFILE%\Downloads\incrementalStreamingMergingSocket
These archives contain multiple executable files, DLLs, XML configurations, and decoy PDFs, which work together to establish persistence and initiate a hidden Tor-based communication channel.
The PowerShell script is designed with anti-sandbox checks to evade automated detection. It inspects system activity before proceeding — checking whether the “Recent” folder contains more than ten shortcut files and whether the active process count exceeds 50. If the environment appears legitimate, it proceeds to open a decoy document while running the malicious payload in the background.
“This is an anti-analysis check to evade sandbox environments and make sure there’s normal user activity,” SEQRITE explained.
The script then creates mutexes to prevent multiple executions, sets up Windows Scheduled Tasks for persistence, and builds the attacker’s onion address dynamically from concatenated strings. Once Tor initializes, the system registers itself via a beacon formatted as <username>:<onion-address>:3-yeeifyem or <username>:<onion-address>:2-lrwkymi, maintaining stealthy communication through Tor SOCKS on port 9050.
SEQRITE’s analysis revealed that the attackers deployed legitimate OpenSSH binaries within the user’s profile directories — renamed as githubdesktop.exe, googlemaps.exe, pinterest.exe, and googlesheets.exe — to host SSH, SFTP, RDP, and SMB services over Tor.
“This confirms that the attacker deploys a self-contained OpenSSH server inside a user’s profile directory using Tor, likely for stealth remote administration and post-exploitation persistence,” SEQRITE noted.
Configuration files specify a non-standard port (20321) and public-key-only authentication, with all communications tunneled through obfs4 bridges — a pluggable transport protocol designed to disguise Tor traffic and bypass censorship systems.
The malware exposes multiple hidden services, including:
- Port 20322 → SSH
- Port 11435 → SMB
- Port 13893 → RDP
- Ports 12192 and 14763 → Custom backdoors
The use of renamed obfs4proxy executables (confluence.exe, rider.exe) and custom Tor bridges hosted in Germany, France, and Poland indicates deliberate network compartmentalization for anonymity.
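One way a defender could triage host and proxy telemetry for the indicators described above (the renamed OpenSSH and obfs4proxy binaries, the two staging directories, the listener ports, and the beacon format), as an added Python example that is not part of the SEQRITE report. The event records and the onion name are constructed, and the two-level severity scoring is an assumption of this example.

```python
import re
from pathlib import PureWindowsPath

# Indicators as reported by SEQRITE for Operation SkyCloak (see the text above).
RENAMED_TOOLS = {"githubdesktop.exe", "googlemaps.exe", "pinterest.exe", "googlesheets.exe",  # OpenSSH
                 "confluence.exe", "rider.exe"}                                                 # obfs4proxy
STAGING_DIRS = {"dynamicupdatinghashingscalingcontext", "incrementalstreamingmergingsocket"}
SKYCLOAK_PORTS = {20321: "sshd", 20322: "SSH onion service", 11435: "SMB", 13893: "RDP",
                  12192: "custom backdoor", 14763: "custom backdoor", 9050: "Tor SOCKS"}
# Beacon shape from the report: <username>:<onion-address>:3-yeeifyem or ...:2-lrwkymi
# (v3 onion names are 56 base32 characters followed by ".onion").
BEACON_RE = re.compile(r"^(?P<user>[^:\s]+):(?P<onion>[a-z2-7]{56}\.onion):(?P<tag>3-yeeifyem|2-lrwkymi)$")

def parse_beacon(line):
    """Return the beacon fields if `line` matches the registration format, else None."""
    m = BEACON_RE.match(line.strip())
    return m.groupdict() if m else None

def classify_image(image_path):
    """2 = renamed tool inside a SkyCloak staging directory, 1 = file name only, 0 = no match."""
    p = PureWindowsPath(image_path)
    if p.name.lower() not in RENAMED_TOOLS:
        return 0
    return 2 if {part.lower() for part in p.parts} & STAGING_DIRS else 1

def triage(events):
    """Walk telemetry records (process starts, listeners, outbound data) and return findings."""
    findings = []
    for ev in events:
        if ev["type"] == "process" and (score := classify_image(ev["image"])):
            findings.append(f"{'HIGH' if score == 2 else 'MEDIUM'}: renamed tool at {ev['image']}")
        elif ev["type"] == "listen" and ev["port"] in SKYCLOAK_PORTS:
            findings.append(f"HIGH: {ev['image']} listening on {ev['port']} ({SKYCLOAK_PORTS[ev['port']]})")
        elif ev["type"] == "beacon" and (b := parse_beacon(ev["data"])):
            findings.append(f"HIGH: beacon from {b['user']} to {b['onion']} tag {b['tag']}")
    return findings

# Constructed sample telemetry (not from the report); the onion name is a placeholder.
SAMPLE_ONION = "a" * 56 + ".onion"
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Users\ivan\AppData\Roaming\dynamicUpdatingHashingScalingContext\githubdesktop.exe"},
    {"type": "process", "image": r"C:\Users\ivan\AppData\Local\GitHubDesktop\GitHubDesktop.exe"},  # name-only hit
    {"type": "listen", "image": "githubdesktop.exe", "port": 20321},
    {"type": "listen", "image": "svchost.exe", "port": 445},
    {"type": "beacon", "data": f"ivan:{SAMPLE_ONION}:3-yeeifyem"},
    {"type": "beacon", "data": "ivan:notanonion:9-zzz"},
]
```

A file-name match on its own (the second process record) only scores MEDIUM, because a legitimately installed application can carry one of these names; the staging-directory and port matches are what raise confidence.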
The campaign’s hidden service, yuknkap4im65njr3tlprnpqwj4h7aal4hrn2tdieg75rpp6fx25hqbyd[.]onion, has been linked to Tor bridge IPs hosted in Germany, France, Poland, and Canada. SEQRITE observed traffic patterns consistent with Russian and neighboring country connections, confirming the targeting scope.
While attribution remains uncertain, SEQRITE assessed that “custom configurations for pluggable transport and SSHD are used in an attempt to evade network monitoring, and these attacks are targeted towards Russia and Belarus.” The analysts also noted that previous campaigns by APT44 (Sandworm) and APT28 (Fancy Bear) used Tor-based communication, though SkyCloak’s operational profile more closely resembles pro-Ukraine groups such as Angry Likho (Sticky Werewolf) and Awaken Likho (Core Werewolf).
“SkyCloak remains unattributed for now,” SEQRITE concluded, “but the campaign’s targeting and TTPs are consistent with Eastern European-linked espionage activity directed at defense and government sectors.”