A spear-phishing campaign that aims to compromise Russian and Belarusian military personnel by using military-themed documents as lures has been flagged by Cyble and Seqrite security researchers.
The goal of the campaign is to get targets to download and open a booby-trapped LNK file masquerading as a PDF, ultimately leading to a complete system compromise.
The spear-phishing campaign
The campaign spotted by Cyble Research and Intelligence Labs (CRIL) in October 2025 used a weaponized ZIP archive masquerading as a military document titled “ТЛГ на убытие на переподготовку.pdf.lnk” (TLG for departure for retraining.pdf).
The LNK (Windows shortcut) file launches PowerShell and executes a script, which starts a content extraction and execution chain that will be prematurely terminated only if the script detects itself running in a sandbox/automated analysis environment.
If it is not, it opens the decoy PDF and, in the background:
- Establishes persistence via a scheduled task mechanism
- Runs a legitimate OpenSSH for Windows binary, configured to establish an SSH service that listens on port 20321 bound to localhost (127.0.0.1), which can be used only via RSA key-based authentication (i.e., only by the threat actor who has the corresponding private key)
- Establishes a Tor hidden service (.onion address) and implements port forwarding for multiple critical Windows services (RDP, SFTP, SMB), so that the threat actor can have full interactive desktop access, exfiltrate documents or deploy additional malware, and attempt lateral movement
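As an added defender-side illustration (not code from either report), the following Python flags a Tor hidden service configuration that forwards onion ports to local RDP, SMB or a loopback-only, non-standard-port sshd, which is the combination described above. The torrc and sshd_config fragments are constructed samples, not files recovered from the campaign.

```python
import re

# Constructed torrc fragment modelled on the behaviour described above: an onion
# service forwarding to local RDP, SSH/SFTP and SMB. Not the campaign's real file.
SAMPLE_TORRC = """\
HiddenServiceDir C:\\Users\\Public\\hs
HiddenServicePort 3389 127.0.0.1:3389
HiddenServicePort 22 127.0.0.1:20321
HiddenServicePort 445 127.0.0.1:445
"""

# Constructed sshd_config fragment: loopback-only, key-only sshd on 20321,
# as the article describes. Also constructed, not recovered from the campaign.
SAMPLE_SSHD_CONFIG = """\
Port 20321
ListenAddress 127.0.0.1
PubkeyAuthentication yes
PasswordAuthentication no
"""

SENSITIVE_PORTS = {3389: "RDP", 445: "SMB"}  # never expose these from a workstation
LOOPBACK = ("127.0.0.1", "::1", "localhost")

def sshd_ports(sshd_config: str) -> set[int]:
    """Every 'Port' directive in an sshd_config fragment (22 if none is set)."""
    ports = {int(p) for p in re.findall(r"^\s*Port\s+(\d+)", sshd_config, re.M)}
    return ports or {22}

def loopback_only(sshd_config: str) -> bool:
    """True if every ListenAddress is loopback: sshd is reachable locally or via Tor only."""
    addrs = re.findall(r"^\s*ListenAddress\s+(\S+)", sshd_config, re.M)
    return bool(addrs) and all(a.startswith(LOOPBACK) for a in addrs)

def hidden_service_forwards(torrc: str) -> list[tuple[int, str, int]]:
    """Parse 'HiddenServicePort VIRTPORT HOST:PORT' lines (host:port target form only)."""
    pat = r"^\s*HiddenServicePort\s+(\d+)\s+([\w.\-]+):(\d+)"
    return [(int(v), h, int(p)) for v, h, p in re.findall(pat, torrc, re.M)]

def suspicious_forwards(torrc: str, sshd_config: str) -> list[tuple[int, str, str]]:
    """Return (onion_port, 'host:port', service) for forwards exposing RDP, SMB or the local sshd."""
    ssh = sshd_ports(sshd_config)
    out = []
    for virt, host, port in hidden_service_forwards(torrc):
        service = SENSITIVE_PORTS.get(port) or ("SSH/SFTP" if port in ssh else None)
        if service:
            out.append((virt, f"{host}:{port}", service))
    return out
```

On a real host the same checks would be run against the torrc and sshd_config paths found in the scheduled task's command line, since a loopback-only sshd that is only reachable through an onion forward has no legitimate use on a workstation.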
Seqrite Labs uncovered another “prong” of the same campaign, which used as a lure a letter sent by an acting commander of a Russian military unit to the Chief of the Russian Airborne Forces (VDV): “Исх №6626 Представление на назначение на воинскую должность.pdf.lnk” (Ref. No. 6626 Nomination for appointment to military position.pdf.lnk).
The infection chain (Source: Seqrite Labs)
Who launched this attack campaign?
The targets of the campaign were military personnel in the Russian Airborne Forces and Belarusian Special Forces specializing in UAV (drone) operations.
Cyble researchers noted this campaign’s similarities with a previous one aimed at compromising Ukrainian targets and confidently tied to the Russian Sandworm team, but said that they can’t attribute the campaign at this stage.
Seqrite researchers pointed out that while the Russian-linked APT44 (Sandworm) and APT28 have previously been observed using Tor to communicate with onion domains, in this campaign the attackers used custom configurations for the pluggable transport and SSHD, and went after Russian and Belarusian targets.
“Similar targeting has been observed to be conducted by pro-Ukraine APTs Angry Likho (Sticky Werewolf) and Awaken Likho (Core Werewolf) but [this latest campaign] remains unattributed for now,” they concluded.