In October 2025, threat researchers at Cyble Research and Intelligence Labs uncovered a sophisticated cyber attack leveraging weaponized military documents to distribute an advanced SSH-Tor backdoor targeting defense sector personnel.
The campaign centers on a deceptively simple delivery mechanism: a ZIP archive disguised as a Belarusian military document titled “ТЛГ на убытие на переподготовку.pdf” (TLG for departure for retraining), specifically designed to lure Special Operations Command personnel specializing in unmanned aerial vehicle operations.
The attack represents a significant evolution in state-sponsored cyber espionage techniques, combining social engineering with sophisticated technical countermeasures to establish persistent backdoor access.
Cyble analysts identified that the malware deploys OpenSSH for Windows alongside a customized Tor hidden service featuring obfs4 traffic obfuscation, granting threat actors anonymous access to SSH, RDP, SFTP, and SMB protocols on compromised systems.
The researchers successfully connected via SSH to confirm the backdoor’s operational functionality, though no secondary payloads or post-exploitation actions were observed at the time of analysis.
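The backdoor composition described above (a Tor hidden service fronting local SSH/SFTP, RDP and SMB, with obfs4 for transport obfuscation) has a recognisable shape in a torrc file. The following is an added defender-side example, not code from Cyble or from the analysed sample: it parses a torrc and flags HiddenServicePort lines that forward onto those local services and a ClientTransportPlugin line that loads obfs4. The torrc text, the paths in it and the bridge line are constructed for illustration; the directive names are real Tor options.

```python
# Added example: audit a torrc for the "hidden service in front of remote-access
# services" pattern.  Sample configuration below is constructed, not recovered malware config.

# Local services the write-up says the backdoor exposes (SFTP runs over the SSH port)
EXPOSED_PORTS = {22: "SSH/SFTP", 3389: "RDP", 445: "SMB"}


def parse_torrc(text):
    """Split a torrc into (key, value) pairs, dropping comments and blank lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            pairs.append((key, value.strip()))
    return pairs


def _target_port(value):
    """Local port a HiddenServicePort line forwards to (VIRTPORT alone means the same port)."""
    parts = value.split()
    target = parts[1] if len(parts) > 1 else parts[0]
    tail = target.rsplit(":", 1)[-1]
    return int(tail) if tail.isdigit() else None  # unix sockets and the like give None


def audit_torrc(text):
    """Return indicators that a torrc exposes remote-access services as a hidden service."""
    findings = []
    pairs = parse_torrc(text)
    if any(key == "HiddenServiceDir" for key, _ in pairs):
        findings.append("hidden service configured")
    for key, value in pairs:
        if key == "HiddenServicePort":
            port = _target_port(value)
            if port in EXPOSED_PORTS:
                findings.append(f"hidden service forwards to local {EXPOSED_PORTS[port]} ({port})")
        elif key == "ClientTransportPlugin" and "obfs4" in value:
            findings.append("obfs4 pluggable transport loaded")
    return findings


# Constructed torrc resembling the pattern in the write-up (paths and bridge are placeholders)
SAMPLE_TORRC = r"""
# constructed example, not the sample's real configuration
DataDirectory C:\Users\user\AppData\Roaming\logicpro\data
HiddenServiceDir C:\Users\user\AppData\Roaming\logicpro\hs
HiddenServicePort 22 127.0.0.1:22
HiddenServicePort 3389 127.0.0.1:3389
HiddenServicePort 445 127.0.0.1:445
UseBridges 1
ClientTransportPlugin obfs4 exec C:\Users\user\AppData\Roaming\logicpro\obfs4proxy.exe
Bridge obfs4 192.0.2.10:443 FINGERPRINT_PLACEHOLDER cert=CERT_PLACEHOLDER iat-mode=0
"""

# A plain client torrc, for contrast
BENIGN_TORRC = "SocksPort 9050\nLog notice stdout\n"

if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_TORRC), ("benign", BENIGN_TORRC)):
        print(name, audit_torrc(cfg))
```

Any torrc found under a user profile on a workstation already deserves attention; the audit above simply ranks the ones that expose interactive services first. It does not look at the sshd configuration itself, which is a separate check.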
Threat attribution analysis suggests moderate confidence alignment with UAC-0125/Sandworm (APT44), a Russian-linked advanced persistent threat group known for targeting Ukrainian military and critical infrastructure since 2013.
The tactical patterns, infrastructure overlaps, and operational methodologies mirror the December 2024 Army+ campaign, demonstrating Sandworm’s continuous refinement of proven attack techniques.
Multi-Stage Infection Mechanism and Evasion Strategy
The attack chain employs nested ZIP archives and LNK file disguises to bypass automated detection systems with remarkable sophistication.
Upon extraction, victims encounter an LNK file appearing as a legitimate PDF alongside a hidden directory named “FOUND.000” containing an additional archive titled “persistentHandlerHashingEncodingScalable.zip.”
When the victim attempts to open what appears to be a PDF document, the LNK file executes embedded PowerShell commands, extracting the nested archive to the %appdata%\logicpro directory and retrieving obfuscated PowerShell content for execution.
Cyble analysts identified critical anti-analysis checks embedded within the second-stage PowerShell script. The malware validates that at least 10 recent LNK files exist on the system and confirms the process count exceeds 50—thresholds rarely met in sandbox environments.
This environmental awareness mechanism terminates execution in automated analysis systems while proceeding on genuine user workstations.
Following validation, the script displays a decoy PDF to maintain the illusion of legitimacy while establishing persistence through scheduled tasks configured to execute at logon and daily at 10:21 AM UTC, ensuring continuous access to the compromised infrastructure.
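The persistence described above (a scheduled task that fires at logon and daily at 10:21 AM UTC, running from the %appdata%\logicpro staging directory) can be hunted for in exported task definitions. The following is an added example, not code from Cyble or from the sample: it parses Task Scheduler XML and reports which of those three indicators a task matches. The two task definitions embedded in it are constructed for illustration, and the launcher file name in the suspect task is a hypothetical placeholder.

```python
# Added example: triage exported scheduled-task XML for the persistence pattern
# in the write-up.  Task definitions below are constructed, not recovered artefacts.
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Namespace Windows Task Scheduler uses in exported task definitions
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Indicators taken from the write-up: the staging directory and the daily run time (UTC)
LOGICPRO_RE = re.compile(r"(%appdata%|\\AppData\\Roaming)\\logicpro", re.IGNORECASE)
DAILY_UTC_TIME = (10, 21)


def _daily_utc_times(triggers):
    """Yield (hour, minute) for each daily CalendarTrigger whose StartBoundary is in UTC."""
    for cal in triggers.findall("t:CalendarTrigger", NS):
        if cal.find("t:ScheduleByDay", NS) is None:
            continue
        start = cal.findtext("t:StartBoundary", default="", namespaces=NS)
        if not start.endswith("Z"):
            continue  # local-time boundary; not the UTC pattern being matched here
        ts = datetime.strptime(start, "%Y-%m-%dT%H:%M:%SZ")
        yield ts.hour, ts.minute


def _action_strings(root):
    """Join Command, Arguments and WorkingDirectory of each Exec action into one string."""
    actions = root.find("t:Actions", NS)
    if actions is None:
        return []
    out = []
    for ex in actions.findall("t:Exec", NS):
        parts = (ex.findtext(f"t:{tag}", default="", namespaces=NS)
                 for tag in ("Command", "Arguments", "WorkingDirectory"))
        out.append(" ".join(p for p in parts if p))
    return out


def analyse_task_xml(xml_text):
    """Return the list of indicators matched by one exported task definition."""
    root = ET.fromstring(xml_text)
    findings = []
    triggers = root.find("t:Triggers", NS)
    if triggers is not None:
        if triggers.find("t:LogonTrigger", NS) is not None:
            findings.append("logon trigger")
        if DAILY_UTC_TIME in set(_daily_utc_times(triggers)):
            findings.append("daily trigger at 10:21 UTC")
    if any(LOGICPRO_RE.search(s) for s in _action_strings(root)):
        findings.append("action runs from %appdata%\\logicpro")
    return findings


# Constructed task matching all three indicators (launcher.cmd is a hypothetical name)
SUSPECT_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
    <CalendarTrigger>
      <StartBoundary>2025-10-20T10:21:00Z</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>%APPDATA%\\logicpro\\launcher.cmd</Command></Exec>
  </Actions>
</Task>"""

# Constructed benign task: local-time daily backup, no logon trigger, ordinary path
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2025-10-20T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\\Program Files\\Backup\\backup.exe</Command></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml_text in (("suspect", SUSPECT_TASK), ("benign", BENIGN_TASK)):
        print(name, analyse_task_xml(xml_text))
```

Task definitions can be exported with `schtasks /query /xml` or read from the on-disk task store; feeding each one through `analyse_task_xml` and sorting by the number of findings puts the tasks that match all three indicators at the top of the review queue.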