Threat actors use Tor-enabled OpenSSH backdoor in attacks on Russia and Belarus

Threat actors are distributing weaponized attachments via phishing e-mails to deliver a persistent backdoor built on OpenSSH and a customized Tor hidden service, in a campaign that researchers say appears to target defense and government organizations in Russia and Belarus.

The campaign was spotted by security vendor Seqrite Labs, which has dubbed the activity “Operation SkyCloak.” It begins with phishing messages that lure recipients with purported military documents. The messages carry a ZIP archive that contains a second archive holding a Windows shortcut (LNK) file. Opening the LNK triggers a multi-stage infection chain that uses PowerShell as the initial dropper. The researchers said that related archive files were uploaded to VirusTotal from Belarus in October 2025.

An intermediate PowerShell stager performs anti-analysis checks before proceeding, verifying, for example, that at least 10 recent LNK files exist on the host and that the system is running at least 50 processes. A freshly provisioned sandbox or automated analysis environment typically fails such checks, so the script aborts rather than expose its later stages. When the checks pass, the malware displays a decoy PDF and sets up persistence.

Persistence is implemented via scheduled tasks: one named “githubdesktopMaintenance” runs a renamed OpenSSH binary (logicpro/githubdesktop.exe), and a second task launches a customized Tor binary (logicpro/pinterest.exe). The Tor binary registers the victim as a hidden service, uses obfs4 to disguise the host's Tor traffic, and connects to an attacker-controlled .onion address. Because a hidden service is reachable from the Tor network without a public IP address or an inbound firewall rule, the actor can route SSH, RDP, SFTP and SMB traffic to the victim through Tor. The malware also writes the victim's unique .onion hostname to a file and exfiltrates it together with system information once the connection is established, which tells the operator which .onion address to connect back to.
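The following Python is an added example, not code from Seqrite Labs or Cyble, showing how the artifacts described above can be hunted in Sysmon Event ID 1 (process creation) records. The task name, the logicpro paths and the obfs4/hidden-service behaviour come from the article; the sample events, the user profile path, the command-line arguments and the assumption that the renamed binaries still carry their original PE version information (which Sysmon reports as OriginalFileName) are constructed for illustration.

```python
"""Hunt for Operation SkyCloak persistence artifacts in Sysmon Event ID 1
(process creation) records: renamed OpenSSH/Tor binaries, Tor hidden-service
and obfs4 arguments, the logicpro paths and the githubdesktopMaintenance task.
Added example; not code from Seqrite Labs or Cyble."""
from dataclasses import dataclass
from typing import List

# Compiled-in names the renamed binaries are assumed to keep in their version
# resources; Sysmon exposes this field as OriginalFileName. Assumption: the
# article says the OpenSSH binary is renamed, not whether it is ssh or sshd.
RENAMED_TARGETS = {"sshd.exe", "ssh.exe", "tor.exe"}
# Artifacts named in the article (compared case-insensitively).
SKYCLOAK_TASK = "githubdesktopmaintenance"
SKYCLOAK_PATHS = ("logicpro\\githubdesktop.exe", "logicpro\\pinterest.exe")
# Tor hidden-service / obfs4 indicators that may appear on a command line.
TOR_KEYWORDS = ("hiddenservicedir", "hiddenserviceport", "obfs4", "torrc", ".onion")


@dataclass
class ProcEvent:
    """Subset of Sysmon Event ID 1 fields used by the hunt."""
    image: str
    command_line: str
    original_file_name: str = ""
    parent_image: str = ""


@dataclass
class Hit:
    rule: str
    image: str
    detail: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events: List[ProcEvent]) -> List[Hit]:
    """Return one Hit per (event, rule) match; an event can trigger several rules."""
    hits: List[Hit] = []
    for ev in events:
        name = _basename(ev.image)
        orig = ev.original_file_name.lower()
        cl = ev.command_line.lower()
        image_l = ev.image.lower()

        # 1. A binary whose on-disk name differs from its compiled-in name.
        if orig in RENAMED_TARGETS and name != orig:
            hits.append(Hit("renamed_tool", ev.image,
                            f"{name} carries OriginalFileName {orig}"))
        # 2. The file paths reported for the campaign, as image or as argument.
        if any(p in image_l or p in cl for p in SKYCLOAK_PATHS):
            hits.append(Hit("skycloak_path", ev.image, "known campaign file path"))
        # 3. Hidden-service or obfs4 configuration passed on the command line.
        found = [k for k in TOR_KEYWORDS if k in cl]
        if found:
            hits.append(Hit("tor_args", ev.image, "tor indicators: " + ", ".join(found)))
        # 4. Creation or execution of the named scheduled task.
        if SKYCLOAK_TASK in cl:
            hits.append(Hit("skycloak_task", ev.image, "references " + SKYCLOAK_TASK))
    return hits


# Constructed sample events (hypothetical user path, schedule and arguments).
USER = "C:\\Users\\analyst\\AppData\\Local"
SAMPLE_EVENTS = [
    # Legitimate Windows OpenSSH server: on-disk name matches OriginalFileName.
    ProcEvent("C:\\Windows\\System32\\OpenSSH\\sshd.exe",
              "C:\\Windows\\System32\\OpenSSH\\sshd.exe", "sshd.exe",
              "C:\\Windows\\System32\\services.exe"),
    # Renamed OpenSSH launched by the githubdesktopMaintenance task.
    ProcEvent(USER + "\\logicpro\\githubdesktop.exe",
              f'"{USER}\\logicpro\\githubdesktop.exe" -f "{USER}\\logicpro\\sshd_config"',
              "sshd.exe", "C:\\Windows\\System32\\svchost.exe"),
    # Renamed Tor exposing SSH and RDP as a hidden service over obfs4 bridges.
    ProcEvent(USER + "\\logicpro\\pinterest.exe",
              f'"{USER}\\logicpro\\pinterest.exe" --HiddenServiceDir "{USER}\\logicpro\\hs" '
              '--HiddenServicePort "22 127.0.0.1:22" --HiddenServicePort "3389 127.0.0.1:3389" '
              f'--UseBridges 1 --ClientTransportPlugin "obfs4 exec {USER}\\logicpro\\obfs4proxy.exe"',
              "tor.exe", "C:\\Windows\\System32\\svchost.exe"),
    # PowerShell dropper registering the persistence task.
    ProcEvent("C:\\Windows\\System32\\schtasks.exe",
              f'schtasks.exe /create /tn githubdesktopMaintenance /tr "{USER}\\logicpro\\githubdesktop.exe" /sc minute /mo 5',
              "schtasks.exe", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"),
    # Unrelated process: no rule should fire.
    ProcEvent("C:\\Windows\\System32\\notepad.exe", "notepad.exe", "NOTEPAD.EXE",
              "C:\\Windows\\explorer.exe"),
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print(f"[{h.rule}] {h.image}: {h.detail}")
```

The renamed-tool rule is the most durable of the four: file names and task names change between intrusions, but a binary compiled as sshd.exe or tor.exe keeps that name in its version resource unless the actor also patches the PE, so a mismatch between Image and OriginalFileName is worth alerting on wherever Tor or OpenSSH is not expected.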

Cybersecurity firm Cyble, which has also observed this campaign, assessed with medium confidence that the activity shares tactical overlaps with a previously tracked Eastern European espionage operation (tracked by Ukrainian cybersecurity authorities as UAC-0125). Neither vendor attributed the activity to a particular nation-state, but both described the TTPs and target profile as consistent with Eastern European-linked espionage against defense and government sectors.
