Operation SkyCloak: Tor‑obfuscated OpenSSH backdoor targets defense and government entities in Russia and Belarus

CyberSecureFox 🦊

Researchers from Cyble and Seqrite Labs have uncovered a targeted espionage operation, dubbed Operation SkyCloak, that focuses on defense and government networks in Russia and Belarus. The campaign blends a repurposed OpenSSH service, Tor hidden services, and obfs4 traffic obfuscation to establish stealthy, durable command-and-control (C2) channels and file transfer paths that are difficult to detect and disrupt.

Phishing-driven infection chain using LNK shortcuts and PowerShell

The intrusion begins with spear-phishing emails carrying military-themed lures and ZIP attachments. Upon extraction, victims encounter a second ZIP and a Windows LNK shortcut. Executing the shortcut launches a multi‑stage PowerShell dropper that retrieves and installs the toolset. Related archives were submitted to VirusTotal from Belarus in October 2025, suggesting active distribution in the region.

Anti-analysis checks mimic a live workstation

A key stage is a PowerShell stager designed to evade sandboxes and automated analysis. The script aborts if the system contains fewer than 10 recent LNK files or fewer than 50 running processes—a profile typical of lab VMs rather than active user workstations. After passing these checks, the stager writes the operators’ onion address (yuknkap4im65njr3tlprnpqwj4h7aal4hrn2tdieg75rpp6fx25hqbyd[.]onion) to a file named hostname at C:\Users\<Username>\AppData\Roaming\logicpro\socketExecutingLoggingIncrementalCompiler, displays a plausible PDF decoy, and creates an autorun task githubdesktopMaintenance scheduled at logon and daily at 10:21.

Persistence and remote access via OpenSSH, Tor hidden services, and obfs4

The scheduled task launches logicpro/githubdesktop.exe—actually a renamed sshd.exe. With attacker‑controlled keys prepositioned in the logicpro directory, the adversary stands up an SSH service that doubles as an SFTP exfiltration and lateral movement channel. A second task executes logicpro/pinterest.exe, a customized Tor binary that creates a Tor hidden service and routes C2 through .onion addresses.

The operators enable obfs4, a Tor pluggable transport that wraps the Tor connection so that it carries no recognizable protocol handshake or signature and looks like random bytes to an observer, which is what defeats DPI-based blocking and detection. They also configure port forwarding for RDP, SSH, and SMB through the hidden service, giving resilient remote access to core services while preserving anonymity. Once online, the malware fingerprints the host, reads the unique .onion hostname that Tor generated for the victim's hidden service (the value the operators later use to track and reach that machine), and posts the details to attacker infrastructure using curl. With the target's onion address in hand, operators can administer the system over SSH, RDP, SFTP, and SMB, all proxied through Tor.
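To make the Tor side of this concrete, the following is an added example and not code or configuration from the campaign or from the Cyble and Seqrite reports. It shows how an onion service that forwards RDP, SSH and SMB to the local host and reaches the network through obfs4 bridges is declared in a torrc, and pairs it with a small parser a responder can run over a torrc recovered from a suspect host. The sample torrc, its paths under C:\Users\victim\AppData\Roaming\logicpro, the 192.0.2.10 bridge address and the fingerprint and cert values are all constructed placeholders.

```python
"""Parse a torrc and report onion-service exposure and obfs4 use.

Added example: SAMPLE_TORRC is a constructed illustration of how an onion
service that forwards RDP, SSH and SMB and egresses through obfs4 bridges
is declared. It is not a file recovered from the SkyCloak toolset; every
path, address, fingerprint and cert value in it is a placeholder.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Ports the article says the operators forward over the onion service.
SENSITIVE_PORTS = {22: "SSH", 445: "SMB", 3389: "RDP"}

SAMPLE_TORRC = r"""
# constructed sample: placeholder paths under a user profile
DataDirectory C:\Users\victim\AppData\Roaming\logicpro\data
HiddenServiceDir C:\Users\victim\AppData\Roaming\logicpro\hs
# TARGET omitted: Tor defaults it to 127.0.0.1:VIRTPORT
HiddenServicePort 22
HiddenServicePort 3389 127.0.0.1:3389
HiddenServicePort 445 127.0.0.1:445
UseBridges 1
ClientTransportPlugin obfs4 exec C:\Users\victim\AppData\Roaming\logicpro\obfs4proxy.exe
Bridge obfs4 192.0.2.10:443 0123456789ABCDEF0123456789ABCDEF01234567 cert=PLACEHOLDER iat-mode=0
"""


@dataclass
class OnionService:
    directory: str
    ports: list[tuple[int, str]] = field(default_factory=list)  # (VIRTPORT, TARGET)


@dataclass
class TorrcSummary:
    services: list[OnionService] = field(default_factory=list)
    transports: dict[str, str] = field(default_factory=dict)  # transport -> plugin path
    bridges: list[str] = field(default_factory=list)
    use_bridges: bool = False


def parse_torrc(text: str) -> TorrcSummary:
    """Minimal torrc reader: 'Key value' lines, '#' comments. A HiddenServicePort
    belongs to the most recent HiddenServiceDir, which is how Tor groups them."""
    summary = TorrcSummary()
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        toks = line.split(None, 1)
        key = toks[0].lower()
        value = toks[1].strip() if len(toks) > 1 else ""
        if key == "hiddenservicedir":
            current = OnionService(directory=value)
            summary.services.append(current)
        elif key == "hiddenserviceport":
            if current is None:  # Tor rejects this ordering; so do we
                raise ValueError("HiddenServicePort before any HiddenServiceDir")
            hs = value.split()
            vport = int(hs[0])
            target = hs[1] if len(hs) > 1 else f"127.0.0.1:{vport}"
            current.ports.append((vport, target))
        elif key == "clienttransportplugin":
            # ClientTransportPlugin TRANSPORT[,TRANSPORT...] exec PATH [ARGS]
            ctp = value.split(None, 2)
            if len(ctp) == 3 and ctp[1].lower() == "exec":
                for name in ctp[0].split(","):
                    summary.transports[name] = ctp[2]
        elif key == "usebridges":
            summary.use_bridges = value == "1"
        elif key == "bridge":
            summary.bridges.append(value)
    return summary


def assess(summary: TorrcSummary) -> list[str]:
    """Turn the parsed config into responder-facing findings."""
    findings = []
    for svc in summary.services:
        for vport, target in svc.ports:
            name = SENSITIVE_PORTS.get(vport)
            if name:
                findings.append(f"onion service {svc.directory} exposes {name}: {vport} -> {target}")
    if summary.use_bridges and "obfs4" in summary.transports:
        findings.append(
            f"obfs4 transport via {summary.transports['obfs4']} "
            f"with {len(summary.bridges)} bridge line(s)"
        )
    return findings


def analyze(text: str = SAMPLE_TORRC) -> list[str]:
    return assess(parse_torrc(text))


if __name__ == "__main__":
    for finding in analyze():
        print(finding)
```

Tor writes the generated .onion address to a file named hostname inside each HiddenServiceDir, so the directories the parser returns are also where to look for the address that was reported back to the operators. A torrc on a workstation whose HiddenServicePort lines point at 3389 or 445 is a finding in its own right, independent of whether obfs4 is configured.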

Attribution, tradecraft, and MITRE ATT&CK mapping

While attribution remains tentative, the tooling and regional focus suggest possible ties to Eastern Europe and the activity cluster UAC‑0125. The tradecraft maps to MITRE ATT&CK techniques including T1566.001 (Phishing: Spearphishing Attachment), T1204 (User Execution), T1059.001 (Command and Scripting Interpreter: PowerShell), T1053.005 (Scheduled Task/Job: Scheduled Task), T1021.004 (Remote Services: SSH), T1090 (Proxy; routing C2 through the Tor network is sub-technique T1090.003, Multi-hop Proxy), and T1041 (Exfiltration Over C2 Channel). Tor‑based C2 is consistent with prior espionage playbooks, such as the Turla ecosystem's use of Tor hidden services for covert communications documented by ESET and others, while obfs4 is the transport the Tor Project itself recommends for bypassing network blocks.

Detection guidance and defensive priorities for government and defense networks

SkyCloak underscores a broader shift toward legitimate tools and censorship‑resistant transports to sustain access. Email remains a common initial vector: Verizon’s 2024 DBIR notes social engineering is prominent in breaches, with phishing and pretexting driving a substantial share of incidents. Organizations should harden the entire chain from email to endpoint and network monitoring.

Strengthen email and attachment controls: apply layered scanning for ZIP and LNK, detonate documents in a sandbox, and enforce strict script execution policies.

Constrain PowerShell and monitor LNK behavior: place PowerShell in Constrained Language Mode (which is only enforced when an application control policy such as WDAC or AppLocker backs it), require signed scripts, and enable Script Block Logging (Event ID 4104) so the decoded stager content is captured. Execution policy on its own is not a security boundary and is defeated by -ExecutionPolicy Bypass. Alert on explorer.exe spawning powershell.exe with hidden-window, policy-bypass, or encoded-command arguments, which is what a double-clicked LNK dropper looks like in process telemetry.

Audit persistence: routinely review Scheduled Tasks; creations like githubdesktopMaintenance or unknown binaries under user profiles (e.g., logicpro\githubdesktop.exe, logicpro\pinterest.exe) warrant immediate investigation.

Network analytics for Tor/obfs4: baseline egress, flag long‑lived outbound sessions to unfamiliar hosts, and look for flows whose payload matches no known protocol. obfs4 deliberately produces no TLS or other recognizable handshake, so TLS fingerprinting will not catch it; high-entropy first packets with no protocol match on a port such as 443, together with known Tor relay and bridge addresses, are the usable signals. Block unauthorized tunnels, segment and restrict access to RDP/SMB/SSH, and enforce just‑in‑time access.

Key and service inventory: detect unauthorized SSH services and pre‑placed key material; a process whose PE version information identifies it as sshd.exe but which runs under a different name from a user profile is a strong indicator. Harden host configurations and privileged accounts to reduce blast radius.
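As an added example (not code from the page's sources), here is a small Python triage script that applies three of the checks above to constructed telemetry shaped like Sysmon Event ID 1 (process creation) and Windows Security Event ID 4698 (scheduled task created): explorer.exe launching PowerShell with stager-style arguments, a binary in a user profile whose PE OriginalFileName disagrees with its name on disk, and a scheduled task whose action lives under a user profile. The user name victim, the stage2.txt command line, the task XML triggers and the "-" OriginalFileName on the renamed Tor binary are all assumptions made for the sample, not observed values.

```python
"""Triage constructed Windows telemetry for SkyCloak-style tradecraft.

Added example, not code from the researchers' reports. PROCESS_EVENTS mimic
Sysmon Event ID 1 fields and TASK_EVENTS mimic Security Event ID 4698; all
values (user 'victim', stage2.txt, task triggers, '-' OriginalFileName) are
hand-built assumptions.
"""
from __future__ import annotations
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Binaries launched from under a user profile rather than Program Files/Windows.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(?:AppData|Downloads|Desktop|Documents)\\", re.I)
# Stager hallmarks: hidden window, policy bypass, encoded command, in-memory execution.
PS_RED_FLAGS = re.compile(
    r"-w(?:indowstyle)?\s+hidden|-e(?:p|xecutionpolicy)\s+bypass"
    r"|-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}|\biex\b|downloadstring|frombase64string",
    re.I)

PROCESS_EVENTS = [
    {  # benign: user opens PowerShell from the Start menu
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": '"powershell.exe"',
    },
    {  # LNK double-click: explorer launches a hidden PowerShell stager
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'powershell.exe -w hidden -ep bypass -c "iex (gc .\stage2.txt -raw)"',
    },
    {  # renamed OpenSSH server: the PE version resource still says sshd.exe
        "Image": r"C:\Users\victim\AppData\Roaming\logicpro\githubdesktop.exe",
        "OriginalFileName": "sshd.exe",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r"C:\Users\victim\AppData\Roaming\logicpro\githubdesktop.exe",
    },
    {  # renamed Tor with no version resource ("-" is Sysmon's empty marker): mismatch check is blind
        "Image": r"C:\Users\victim\AppData\Roaming\logicpro\pinterest.exe",
        "OriginalFileName": "-",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r"C:\Users\victim\AppData\Roaming\logicpro\pinterest.exe",
    },
]

TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
    <CalendarTrigger><StartBoundary>2025-10-01T10:21:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Users\victim\AppData\Roaming\logicpro\githubdesktop.exe</Command></Exec>
  </Actions>
</Task>"""
TASK_EVENTS = [{"TaskName": r"\githubdesktopMaintenance", "TaskContent": TASK_XML}]


def lnk_powershell(ev: dict) -> str | None:
    """explorer.exe -> powershell.exe is what a double-clicked LNK looks like;
    require stager-style arguments so interactive use does not alert."""
    parent = PureWindowsPath(ev.get("ParentImage", "")).name.lower()
    image = PureWindowsPath(ev.get("Image", "")).name.lower()
    if parent == "explorer.exe" and image in ("powershell.exe", "pwsh.exe"):
        if PS_RED_FLAGS.search(ev.get("CommandLine", "")):
            return f"explorer.exe -> {image} with stager arguments: {ev['CommandLine']}"
    return None


def renamed_binary(ev: dict) -> str | None:
    """OriginalFileName comes from the PE version resource, so a renamed
    sshd.exe keeps announcing itself; '-' means no resource was present."""
    image = ev.get("Image", "")
    on_disk = PureWindowsPath(image).name.lower()
    original = ev.get("OriginalFileName", "-").lower()
    if original not in ("-", on_disk) and USER_WRITABLE.search(image):
        return f"{image} is really {original} (renamed binary in user-writable path)"
    return None


def task_from_user_profile(ev: dict) -> str | None:
    """4698 carries the task XML; flag Exec actions whose Command is under a profile."""
    root = ET.fromstring(ev["TaskContent"])
    for cmd in root.iterfind(".//t:Exec/t:Command", TASK_NS):
        path = (cmd.text or "").strip().strip('"')
        if USER_WRITABLE.search(path):
            return f"task {ev['TaskName']} runs {path} from a user-writable path"
    return None


def triage(process_events: list[dict], task_events: list[dict]) -> list[str]:
    findings = []
    for ev in process_events:
        findings += [hit for hit in (lnk_powershell(ev), renamed_binary(ev)) if hit]
    for ev in task_events:
        hit = task_from_user_profile(ev)
        if hit:
            findings.append(hit)
    return findings
```

Run `triage(PROCESS_EVENTS, TASK_EVENTS)` and three findings come back: the hidden PowerShell launched by explorer.exe, githubdesktop.exe identifying itself as sshd.exe, and the githubdesktopMaintenance task pointing into AppData. The constructed pinterest.exe event is deliberately not flagged: the OriginalFileName comparison only works when the binary carries a version resource, so pair it with an allow-list of what may execute from user profiles rather than relying on it alone.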

Operation SkyCloak illustrates how adversaries combine familiar utilities (OpenSSH, curl) with Tor hidden services and obfs4 to evade controls and persist in sensitive environments. By tightening email defenses, enforcing restrictive PowerShell policies, auditing Scheduled Tasks, and deploying behavioral network detection for Tor and covert tunnels, security teams can reduce dwell time and disrupt similar campaigns. Regular phishing exercises, robust execution controls, and proactive threat hunting should be prioritized across critical infrastructure and defense sectors.
