New Operation SkyCloak Uses PowerShell Tools and Hidden SSH Service to Unblock Traffic

A sophisticated campaign targeting military personnel across Russia and Belarus has emerged, deploying a complex multi-stage infection chain that establishes covert remote access through Tor-based infrastructure.

Operation SkyCloak represents a stealth-oriented intrusion effort aimed at the Russian Airborne Forces and Belarusian Special Forces, utilizing legitimate OpenSSH binaries and obfs4 bridges to mask communication channels while maintaining persistence on compromised systems.

The attack begins with phishing archives containing shortcut files disguised with double extensions, masquerading as official military documents.

The first lure mimics a nomination letter from Military Unit 71289, referencing the 83rd Separate Guards Airborne Assault Brigade stationed in Ussuriysk.

The second decoy targets Belarusian Special Forces personnel with training notifications for Military Unit 89417, the 5th Separate Spetsnaz Brigade located near Minsk.

These carefully crafted documents were weaponized in late September 2025, with archive files uploaded from Belarus between October 15 and October 21.

Once executed, the shortcut files trigger PowerShell commands that initiate a sophisticated dropper mechanism.

The malware extracts nested archive files into directories with cryptic naming schemes such as %APPDATA%\dynamicUpdatingHashingScalingContext and %USERPROFILE%\Downloads\incrementalStreamingMerging.

The multi-stage extraction process deploys payloads into hidden folders such as $env:APPDATA\logicpro or $env:APPDATA\reaper, which contain multiple executables, XML configuration files, decoy PDFs, and supporting DLLs.

Infection Chain (Source – Seqrite)

Seqrite analysts identified this campaign as part of a broader pattern of operations targeting Russian defense infrastructure, noting similarities to previous attacks such as HollowQuill and CargoTalon.

The researchers observed that the malware employs anti-analysis techniques to evade sandbox detection, including checks for legitimate user activity: it verifies that more than ten shortcut files exist in the Windows Recent folder and that more than 50 processes are running before proceeding with execution.

PowerShell Execution and Persistence Mechanisms

The PowerShell stage implements multiple evasion and persistence tactics to ensure long-term access to compromised systems.

The script creates a mutex to prevent multiple instances from running simultaneously, then registers scheduled tasks through XML configuration files that establish daily execution triggers starting at 2025-09-25T01:41:00-08:00.

These tasks are configured to run hidden, even when the computer is idle, without network connectivity, and with no execution time limits.
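The scheduled-task settings described above are all visible in the task's XML definition, which makes them straightforward to hunt for. The following Python script is an added example, not code from the article or from Seqrite: it parses a constructed task definition modelled on the settings the article lists (hidden, daily trigger from the stated start boundary, no execution time limit, runs without network, not gated on idle) and flags the combination that matters for persistence hunting. The task command path, arguments and the benign comparison task are placeholders, not values from the campaign.

```python
import re
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace (used by schtasks /XML and Register-ScheduledTask -Xml).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Locations under a user profile, where the article says the payload directories live.
USER_DIR_RE = re.compile(r"(?i)(%appdata%|%userprofile%|\\appdata\\|\\downloads\\)")

# Constructed sample task modelled on the article's description. The command path and
# arguments are placeholders, not the campaign's values.
SUSPICIOUS_TASK_XML = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2025-09-25T01:41:00-08:00</StartBoundary>
      <Enabled>true</Enabled>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Settings>
    <Hidden>true</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
  </Settings>
  <Actions>
    <Exec>
      <Command>%APPDATA%\PLACEHOLDER_DIR\placeholder.exe</Command>
      <Arguments>-f placeholder_config</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign task for comparison: visible, time-limited, installed under Program Files.
BENIGN_TASK_XML = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2025-01-01T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Settings>
    <Hidden>false</Hidden>
    <ExecutionTimeLimit>PT1H</ExecutionTimeLimit>
  </Settings>
  <Actions>
    <Exec><Command>C:\Program Files\ExampleVendor\updater.exe</Command></Exec>
  </Actions>
</Task>"""


def audit_task_xml(xml_data):
    """Return the persistence-relevant settings of one task definition plus a verdict."""
    root = ET.fromstring(xml_data)
    settings = root.find("t:Settings", NS)

    def setting(name, default):
        el = settings.find(f"t:{name}", NS) if settings is not None else None
        return (el.text or default).strip().lower() if el is not None else default

    commands = [(e.text or "") for e in root.findall("t:Actions/t:Exec/t:Command", NS)]
    f = {
        "hidden": setting("Hidden", "false") == "true",
        # PT0S means "no limit": the scheduler never terminates the process.
        "no_time_limit": setting("ExecutionTimeLimit", "PT72H") == "pt0s",
        # Both default to false, so an absent element counts the same as an explicit false.
        "runs_without_network": setting("RunOnlyIfNetworkAvailable", "false") == "false",
        "not_idle_gated": setting("RunOnlyIfIdle", "false") == "false",
        "daily_trigger": root.find("t:Triggers/t:CalendarTrigger/t:ScheduleByDay", NS) is not None,
        "user_profile_command": any(USER_DIR_RE.search(c) for c in commands),
        "commands": commands,
    }
    # A hidden task with no kill timer that launches a binary from the user profile is the
    # combination worth escalating; each of those on its own is common in benign software.
    f["suspicious"] = f["hidden"] and f["no_time_limit"] and f["user_profile_command"]
    return f


def audit_task_file(path):
    """Audit an exported task file; these are UTF-16 on disk, which ET decodes from bytes."""
    with open(path, "rb") as fh:
        return audit_task_xml(fh.read())


if __name__ == "__main__":
    for label, xml in (("suspicious", SUSPICIOUS_TASK_XML), ("benign", BENIGN_TASK_XML)):
        r = audit_task_xml(xml)
        print(f"{label}: suspicious={r['suspicious']} hidden={r['hidden']} "
              f"no_time_limit={r['no_time_limit']} commands={r['commands']}")
```

On a live host, point audit_task_file at the files under C:\Windows\System32\Tasks (each task is stored there as XML) rather than relying on the Task Scheduler UI, which does not list hidden tasks by default.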

The malware deploys legitimate “OpenSSH for Windows” binaries compiled on December 13, 2023, including githubdesktop.exe and googlemaps.exe as SSH daemons, along with ssh-shellhost.exe for interactive sessions and libcrypto.dll for encryption functions.

Configuration files specify non-standard port 20321 for SSH services, disable password authentication, and require public key authentication using files with obfuscated names like redundantOptimizingInstanceVariableLogging and incrementalMergingIncrementalImmutableProtocol.

The campaign exposes multiple services through Tor hidden services, including SSH on port 20322, SMB on port 11435, RDP on port 13893, and additional custom ports.

Communication occurs through obfs4 pluggable transports using binaries named confluence.exe and rider.exe, which connect to bridge endpoints at 77.20.116.133:8080 and 156.67.24.239:33333.

The malware generates identification beacons formatted as ::3-yeeifyem and transmits them through the local Tor SOCKS listener on port 9050, waiting for the onion address yuknkap4im65njr3tlprnpqwj4h7aal4hrn2tdieg75rpp6fx25hqbyd.onion to become available before establishing persistent communication channels.
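The SSH and Tor configuration described above leaves a recognisable footprint: an sshd_config on a non-standard port with password authentication off, next to a torrc that publishes local SSH, SMB and RDP as onion ports and routes through obfs4 bridges. The Python script below is an added example, not the article's or Seqrite's code, that parses both files and correlates them. Its sample configs are constructed from the details the article gives (port 20321, onion ports 20322/11435/13893, the two bridge endpoints, the SOCKS listener on 9050, one of the obfuscated key-file names); the local target ports for SMB and RDP, the use of AuthorizedKeysFile for the obfuscated name, the hidden-service directory, and the bridge fingerprints and certs are assumptions or placeholders.

```python
import re

# Constructed sshd_config modelled on the article. The article does not say which
# directive referenced the obfuscated file name; AuthorizedKeysFile is assumed here.
SAMPLE_SSHD_CONFIG = """
# constructed sample, not the campaign's file
Port 20321
PasswordAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile redundantOptimizingInstanceVariableLogging
"""

# Constructed torrc. Local target ports 445 and 3389 are assumed; the directory,
# fingerprints and certs are placeholders.
SAMPLE_TORRC = r"""
SocksPort 9050
HiddenServiceDir %APPDATA%\PLACEHOLDER_HS_DIR
HiddenServicePort 20322 127.0.0.1:20321
HiddenServicePort 11435 127.0.0.1:445
HiddenServicePort 13893 127.0.0.1:3389
UseBridges 1
ClientTransportPlugin obfs4 exec confluence.exe
Bridge obfs4 77.20.116.133:8080 FINGERPRINT_PLACEHOLDER cert=CERT_PLACEHOLDER iat-mode=0
Bridge obfs4 156.67.24.239:33333 FINGERPRINT_PLACEHOLDER cert=CERT_PLACEHOLDER iat-mode=0
"""


def _directives(text):
    """Yield (keyword, value) for each non-comment line; sshd accepts 'Key value' or 'Key=value'."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        yield parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")


def parse_sshd_config(text):
    """Map lower-cased directive -> list of values (directives may repeat)."""
    cfg = {}
    for key, val in _directives(text):
        cfg.setdefault(key, []).append(val)
    return cfg


def parse_torrc(text):
    """Extract the hidden-service, bridge and SOCKS settings a hunter cares about."""
    tor = {"hidden_service_ports": {}, "bridges": [], "socks_port": None, "transports": []}
    for key, val in _directives(text):
        parts = val.split()
        if key == "hiddenserviceport" and parts:
            virt = int(parts[0])
            # A missing target means "same port on localhost" in tor's syntax.
            tor["hidden_service_ports"][virt] = parts[1] if len(parts) > 1 else f"127.0.0.1:{virt}"
        elif key == "bridge" and len(parts) >= 2:
            tor["bridges"].append((parts[0], parts[1]))  # (transport, host:port)
        elif key == "socksport" and parts:
            tor["socks_port"] = int(parts[0])
        elif key == "clienttransportplugin":
            tor["transports"].append(val)
    return tor


def assess(sshd_text, torrc_text):
    """Correlate the two configs: which local services does the onion address expose?"""
    sshd = parse_sshd_config(sshd_text)
    tor = parse_torrc(torrc_text)
    ssh_port = int(sshd.get("port", ["22"])[0])
    exposed = {virt: int(target.rsplit(":", 1)[-1])
               for virt, target in tor["hidden_service_ports"].items()}
    f = {
        "ssh_port": ssh_port,
        "nonstandard_ssh_port": ssh_port != 22,
        "password_auth_disabled": sshd.get("passwordauthentication", ["yes"])[0].lower() == "no",
        "authorized_keys_file": sshd.get("authorizedkeysfile", [".ssh/authorized_keys"])[0],
        "onion_exposes_ssh": ssh_port in exposed.values(),
        "onion_exposes_smb": 445 in exposed.values(),
        "onion_exposes_rdp": 3389 in exposed.values(),
        "onion_port_map": exposed,
        "obfs4_bridges": [hp for transport, hp in tor["bridges"] if transport == "obfs4"],
        "socks_port": tor["socks_port"],
    }
    # Any inbound service reachable over an onion address from a user-profile torrc is
    # the signal; the bridge endpoints and SOCKS port are the network indicators to block.
    f["suspicious"] = f["onion_exposes_ssh"] or f["onion_exposes_smb"] or f["onion_exposes_rdp"]
    return f


if __name__ == "__main__":
    for k, v in assess(SAMPLE_SSHD_CONFIG, SAMPLE_TORRC).items():
        print(f"{k}: {v}")
```

The obfs4 bridge endpoints and the hidden-service port map that assess returns are what to feed into egress blocking and host inventory: legitimate Tor clients on a workstation do not publish SMB or RDP as onion services, so that finding alone is enough to escalate.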
