In October 2025, cybersecurity researchers at Cyble Research and Intelligence Labs (CRIL) uncovered a sophisticated malware campaign distributing weaponized ZIP archives disguised as military documents.
The attack specifically targeted Belarusian military personnel through a lure document titled “ТЛГ на убытие на переподготовку.pdf” (TLG for departure for retraining.pdf), with evidence suggesting the operation focused on collecting intelligence about regional military capabilities, particularly Special Operations Command personnel specializing in unmanned aerial vehicle and drone operations.
This multi-stage attack represents a significant evolution in cyber espionage techniques, employing advanced evasion methods including double file extensions, anti-sandbox validation checks, and obfuscated PowerShell execution to establish persistent backdoor access on targeted systems.

The malware deploys a complex infrastructure combining OpenSSH for Windows with a customized Tor hidden service featuring obfs4 traffic obfuscation, providing threat actors with anonymous remote access via SSH, RDP, SFTP, and SMB protocols.
Advanced Evasion Techniques
The attack employs nested ZIP archives, LNK file disguises, and anti-sandbox checks specifically designed to bypass automated detection systems.
Before executing its payload, the malware validates system characteristics by checking for at least ten recent LNK files and a minimum of fifty running processes—conditions typically absent in sandbox environments but present on genuine user machines.
First, PowerShell uses the Expand-Archive cmdlet to extract the contents of “persistentHandlerHashingEncodingScalable.zip” from the Downloads folder into the %appdata%\logicpro directory.

This validation ensures the malware terminates in analysis environments while proceeding with infection on legitimate workstations.
The implementation of obfs4 pluggable transport represents a major technical advancement, effectively disguising Tor traffic as normal network activity and making detection significantly more challenging compared to standard Tor protocols used in previous campaigns.
Through concealed Tor services, attackers gain access to multiple protocols including SSH, RDP, SFTP, and SMB, enabling full system control while preserving anonymity.
All communications are directed through anonymous onion addresses using pre-installed cryptographic RSA keys, eliminating the need for on-the-fly key generation that could trigger security alerts.
The tactics, techniques, and procedures employed in this attack closely align with Sandworm (also known as APT44 and UAC-0125), a Russian-linked advanced persistent threat group.
However, researchers emphasize that without an established targeting pattern, high-confidence attribution cannot be confirmed at this stage.
The broader context aligns with intelligence reporting from Ukraine’s CERT-UA and SSSCIP, which documented over 3,000 cyber incidents in the first half of 2025, many leveraging AI-generated phishing content and increasingly sophisticated malware.
Based on tactical patterns, overlapping infrastructure, and its evolution from the December 2024 Army+ campaign, this attack demonstrates continuous improvement of proven techniques associated with Sandworm’s Unit 74455.
Since 2013, this unit has conducted numerous cyberattacks against Ukraine’s military and critical infrastructure, including the BlackEnergy attacks causing power outages in 2015, the large-scale NotPetya malware outbreak in 2017, and the 2023 breach of Kyivstar, Ukraine’s largest telecommunications provider.
The December 2024 Army+ fake installer campaign serves as a direct precursor, involving malicious NSIS installers distributed through fake Cloudflare Workers sites that deployed PowerShell scripts to create hidden SSH access via Tor.
The current threat shows tactical improvements over previous operations, including the addition of obfs4 for enhanced secure Tor communication, implementation of scheduled tasks for reliable persistence, and strategic use of pre-generated RSA keys to minimize detection risk and operational footprint.
Multi-Protocol Access Framework
The infection chain begins when victims extract the malicious ZIP archive and encounter an LNK file disguised as a PDF document alongside a hidden directory containing additional payloads.
Upon opening what appears to be a legitimate military document, the LNK file triggers PowerShell commands that extract files into the system’s AppData directory and execute a second-stage script.
This script displays a decoy PDF showing an authentic-looking Russian-language military order dated October 16, 2025, from military unit B/4 89417 in the Minsk Oblast, demonstrating the threat actor’s understanding of military operations and administrative procedures.
While victims review the decoy document, the malware establishes persistence through two scheduled tasks.
The first deploys an OpenSSH service using a Microsoft-signed binary disguised as legitimate software, listening on port 20321 with strict RSA key-based authentication.
The second task establishes a Tor hidden service with port forwarding for multiple Windows services, including SSH on port 20322, SMB file sharing on port 11435, and Remote Desktop Protocol on port 13893.
PuTTY was configured with the localhost SOCKS5 proxy settings, and the extracted RSA private key was converted to PPK format using PuTTYgen for authentication.
After establishing the hidden service, the malware constructs a unique onion URL identifying the compromised system and exfiltrates it to command-and-control infrastructure using curl with aggressive retry logic.
CRIL researchers successfully connected via SSH to confirm backdoor functionality, though no secondary payloads or post-exploitation actions were observed during monitoring, suggesting the operation remains in reconnaissance or surveillance phases before active exploitation.
Defense teams should focus on analyzing endpoint behavior, monitoring process execution chains, and auditing scheduled tasks, as the obfs4-obfuscated Tor communications make network-based detection significantly more challenging.
Military units and defense sector organizations remain particularly vulnerable to social engineering attacks utilizing realistic military documents, emphasizing the need for enhanced security awareness training and endpoint detection capabilities.
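The endpoint-focused triage the paragraph above recommends can be scripted. The following is an added example, not CRIL's tooling: it flags local listeners on the ports the article attributes to the campaign and scheduled tasks that launch the renamed binaries from the IoC table out of AppData. The netstat lines, task names and commands are constructed samples, not captured data.

```python
"""Added hunting example (not CRIL's code). Triages constructed endpoint
artefacts for the persistence pattern described in the article."""
import re

# Ports the article attributes to the OpenSSH listener (20321) and the Tor
# hidden-service forwards (20322/11435/13893). The forwards are onion-side
# ports, so on a host only 20321 is expected as a local listener, but all
# four are flagged in case they appear.
SUSPECT_PORTS = {20321, 20322, 11435, 13893}
# Renamed legitimate binaries listed in the IoC table.
RENAMED_BINARIES = {"githubdesktop.exe", "confluence.exe", "ebay.exe", "pinterest.exe"}
APPDATA_RE = re.compile(r"(?:%appdata%|\\AppData\\Roaming\\)", re.I)

# Constructed sample of `netstat -ano` output (not from a real host).
NETSTAT_SAMPLE = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:20321          0.0.0.0:0              LISTENING       4120
  TCP    127.0.0.1:9050         0.0.0.0:0              LISTENING       4188
  TCP    192.168.1.20:49712     93.184.216.34:443      ESTABLISHED     2210
"""

# Constructed sample of scheduled-task (name, command) pairs; task names
# are hypothetical, the binary names come from the IoC table.
TASKS_SAMPLE = [
    ("\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "%windir%\\system32\\defrag.exe -c -h"),
    ("\\LogicProUpdate", "%APPDATA%\\logicpro\\githubdesktop.exe -f %APPDATA%\\logicpro\\sshd_config"),
    ("\\LogicProSync", "C:\\Users\\u\\AppData\\Roaming\\logicpro\\pinterest.exe --service"),
]


def suspicious_listeners(netstat_text):
    """Return (port, pid) pairs for LISTENING TCP sockets on SUSPECT_PORTS."""
    hits = []
    for line in netstat_text.splitlines():
        m = re.match(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)", line)
        if m and int(m.group(1)) in SUSPECT_PORTS:
            hits.append((int(m.group(1)), int(m.group(2))))
    return hits


def suspicious_tasks(tasks):
    """Return names of tasks whose command runs a renamed binary from AppData."""
    flagged = []
    for name, cmd in tasks:
        exe = cmd.split()[0].rsplit("\\", 1)[-1].lower()
        if exe in RENAMED_BINARIES and APPDATA_RE.search(cmd):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    print("listeners:", suspicious_listeners(NETSTAT_SAMPLE))
    print("tasks:", suspicious_tasks(TASKS_SAMPLE))
```

On a live host, feed it the real `netstat -ano` output and the task list from `schtasks /query /fo CSV /v` instead of the samples.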
Indicators of Compromise
| Indicator Type | Value | Description |
|---|---|---|
| SHA-256 | 30a5df544f4a838f9c7ce34377ed2668e0ba22cc39d1e26b303781153808a2c4 | ZIP archive |
| SHA-256 | 99ec6437f74eec19e33c1a0b4ac8826bcc44848f87cd1a1c2b379fae9df62de9 | LNK file |
| SHA-256 | 7269b4bc6b3036e5a2f8c2a7908a439202cee9c8b9e50b67c786c39f2500df8f | PowerShell script |
| SHA-256 | 5d3a6340691840d1a87bfab543faec77b4a9d457991dd938834de820a99685f7 | ТЛГ на убытие на переподготовку.pdf (decoy) |
| SHA-256 | 08db5bb9812f49f9394fd724b9196c7dc2f61b5ba1644da65db95ab6e430c92b | obfs4proxy.exe (confluence.exe), not malware |
| SHA-256 | a0eed0e1ef8fc4129f630e6f68c29c357c717df0fe352961e92e7f8c93e5371b | SFTP (ebay.exe), not malware |
| SHA-256 | 710e8c96875d6a3c1b4f08f4b2094c800658551065b20ef3fd450b210dcc7b9a | OpenSSH for Windows sshd.exe (githubdesktop.exe), not malware |
| SHA-256 | 7946a2275c1c232eebed6ead95ea4723285950175586db1f95354b910b0a3cce | pinterest.exe, not malware |
| Domain | yuknkap4im65njr3tlprnpqwj4h7aal4hrn2tdieg75rpp6fx25hqbyd.onion | Onion address |