Sophisticated Cyber Attack Targets Defense Sector Using SSH-Tor Backdoor; Linked to Russian APT Group Sandworm

Sophisticated Cyber Attack Targets Defense Personnel with SSH-Tor Backdoor

In October 2025, Cyble Research and Intelligence Labs (CRIL) described a targeted campaign against defense sector personnel. It used a weaponized military document to deploy an SSH-Tor backdoor: OpenSSH for Windows exposed through a Tor hidden service, giving the operators anonymous remote access to the compromised hosts.

Delivery Mechanism:

The attack began with a ZIP archive posing as a Belarusian military document titled ТЛГ на убытие на переподготовку.pdf ("Telegram on departure for retraining"; ТЛГ is the military abbreviation of телеграмма, telegram). The lure was aimed at Special Operations Command personnel working with unmanned aerial vehicles.

Technical Execution:

Inside the ZIP was an LNK shortcut made to look like a PDF, alongside a hidden directory named FOUND.000 that held a second archive, persistentHandlerHashingEncodingScalable.zip. FOUND.000 is the name Windows chkdsk gives to the folder where it stores recovered file fragments, so a hidden directory with that name looks like filesystem housekeeping rather than a payload stage. Opening the shortcut ran the PowerShell commands embedded in it, which extracted the nested archive to %appdata%\logicpro and retrieved obfuscated PowerShell content for execution.
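The archive layout described above can be triaged statically before anything is opened. The following is an added example, not code from the Cyble report or from the campaign: it walks a ZIP and flags a shortcut posing as a document (identified by the fixed LNK header as well as by extension), entries carrying the MS-DOS hidden attribute, a directory named like a chkdsk recovery folder, and a nested archive. The sample archive is constructed inline; its shortcut name and payload bytes are placeholders, not the real files.

```python
"""Static triage of a ZIP lure built like the one described above.

Added example, not code from the Cyble report or the campaign. The sample
archive is constructed here; its shortcut name and payload bytes are
placeholders, not the real files.
"""
import io
import re
import zipfile
from typing import List, Tuple

# Fixed 20-byte start of a Windows shortcut (MS-SHLLINK): HeaderSize 0x4C
# followed by LinkCLSID 00021401-0000-0000-C000-000000000046.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt")
ARCHIVE_EXTS = (".zip", ".7z", ".rar")
CHKDSK_DIR = re.compile(r"^found\.\d{3}$", re.IGNORECASE)  # FOUND.000, FOUND.001, ...
DOS_HIDDEN = 0x02     # MS-DOS hidden attribute, low byte of ZipInfo.external_attr
DOS_DIRECTORY = 0x10  # MS-DOS directory attribute


def triage_archive(data: bytes) -> List[Tuple[str, str]]:
    """Return (finding, entry name) pairs for structurally suspicious entries."""
    findings: List[Tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            lower = name.lower()
            parts = name.strip("/").split("/")
            head = b""
            if not info.is_dir():
                with zf.open(info) as fh:
                    head = fh.read(len(LNK_MAGIC))
            # Identify shortcuts by content as well as extension: a renamed .lnk
            # still starts with the same header bytes.
            if head == LNK_MAGIC or lower.endswith(".lnk"):
                stem = lower[:-4] if lower.endswith(".lnk") else lower
                kind = "lnk-posing-as-document" if stem.endswith(DOC_EXTS) else "lnk-in-archive"
                findings.append((kind, name))
            if info.external_attr & DOS_HIDDEN:
                findings.append(("hidden-entry", name))
            dir_parts = parts if info.is_dir() else parts[:-1]
            if any(CHKDSK_DIR.match(p) for p in dir_parts):
                findings.append(("chkdsk-lookalike-dir", name))
            if not info.is_dir() and lower.endswith(ARCHIVE_EXTS):
                findings.append(("nested-archive", name))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample mirroring the layout in the article (assumed names)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("stage2.ps1", "# placeholder, not the real script\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        # A 76-byte LNK header (magic plus zero padding) named like a PDF.
        z.writestr("ТЛГ на убытие на переподготовку.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
        d = zipfile.ZipInfo("FOUND.000/")
        d.external_attr = DOS_DIRECTORY | DOS_HIDDEN
        z.writestr(d, b"")
        f = zipfile.ZipInfo("FOUND.000/persistentHandlerHashingEncodingScalable.zip")
        f.external_attr = DOS_HIDDEN
        z.writestr(f, inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for finding, entry in triage_archive(build_sample_archive()):
        print(f"{finding:24s} {entry}")
```

The header check matters because archive viewers show the name the attacker chose, while the LinkCLSID is the same for every shortcut regardless of name; the hidden bit is read from the ZIP entry's external attributes, which is where a Windows-created archive records it.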

Evasion Techniques:

The malware ran anti-analysis checks before doing anything else: it required at least 10 recent LNK files (the shortcuts Windows writes to the user's Recent folder as documents are opened) and more than 50 running processes. A freshly provisioned sandbox usually fails one or both conditions, while a workstation in daily use passes both; when the checks failed the malware simply exited, leaving automated analysis nothing to report. Analysis environments should therefore be seeded with realistic user artifacts and background processes before detonation.

Persistence and Backdoor Deployment:

After passing the checks, the malware opened a decoy PDF to keep up the appearance of a legitimate document. At the same time it created scheduled tasks that run at logon and daily at 10:21 AM UTC, so the backdoor is relaunched after every reboot and at least once a day.

The backdoor deployed OpenSSH for Windows together with a Tor hidden service configured with obfs4 traffic obfuscation. The hidden service exposed the host's SSH, RDP, SFTP and SMB ports at an onion address, so the operators could reach them from the Tor network without any inbound connection to the victim's public address, while obfs4 makes the Tor traffic itself look like random bytes to protocol fingerprinting on the wire. Researchers confirmed the backdoor worked by connecting to it over SSH, though no secondary payloads or post-exploitation activity were observed during the analysis.
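The persistence and backdoor artifacts above translate into a small set of host-level detections: PowerShell launched by explorer.exe (the parent when a shortcut is opened) with hidden-window or bypass flags, a scheduled task whose action lives under a user profile with both logon and daily triggers, and sshd.exe, tor.exe or the obfs4 transport running from %APPDATA% rather than an install location. The following is an added example, not code from the Cyble report; it runs those rules over constructed event lines in an assumed, simplified JSON shape modelled loosely on Sysmon process-creation and Windows scheduled-task creation events, so the field names must be mapped to your own telemetry.

```python
"""Detection rules for the artifacts described above, run over constructed
host-event lines.

Added example, not code from the Cyble report. The event lines use an
assumed, simplified JSON shape; adapt the field names to your own telemetry.
"""
import json
import re
from typing import Dict, Iterable, List, Tuple

# Paths a standard user can write to. Legitimate OpenSSH on Windows lives in
# C:\Windows\System32\OpenSSH or C:\Program Files\OpenSSH, never under a profile.
USER_WRITABLE = re.compile(r"\\(AppData|Users\\Public|ProgramData|Temp)\\", re.IGNORECASE)
# Binaries that make up an SSH-over-Tor backdoor, including the obfs4
# pluggable transport (obfs4proxy, renamed lyrebird in current Tor bundles).
REMOTE_ACCESS_IMAGES = {"sshd.exe", "tor.exe", "obfs4proxy.exe", "lyrebird.exe"}
# Launch flags typical of shortcut-embedded PowerShell.
PS_SUSPICIOUS_FLAGS = re.compile(
    r"-(w|windowstyle)\s+hidden|-(ep|executionpolicy)\s+bypass|-(e|ec|enc|encodedcommand)\s",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: Dict) -> List[str]:
    """Return the names of the rules a single event matches."""
    hits: List[str] = []
    kind = ev.get("event")
    if kind == "process_create":
        image = ev.get("image", "")
        name = basename(image)
        parent = basename(ev.get("parent_image", ""))
        cmdline = ev.get("cmdline", "")
        if name in REMOTE_ACCESS_IMAGES and USER_WRITABLE.search(image):
            hits.append("remote-access-binary-from-user-writable-path")
        if (name in {"powershell.exe", "pwsh.exe"} and parent == "explorer.exe"
                and PS_SUSPICIOUS_FLAGS.search(cmdline)):
            hits.append("powershell-hidden-or-bypass-from-explorer")
    elif kind == "task_create":
        command = ev.get("command", "")
        triggers = set(ev.get("triggers", []))
        if USER_WRITABLE.search(command):
            hits.append("scheduled-task-action-in-user-writable-path")
            if {"logon", "daily"} <= triggers:
                hits.append("scheduled-task-logon-and-daily-triggers")
    return hits


def scan_log(lines: Iterable[str]) -> List[Tuple[int, List[str]]]:
    """Return (line number, matched rules) for every line matching a rule.
    Malformed lines are skipped rather than aborting the scan."""
    results: List[Tuple[int, List[str]]] = []
    for lineno, line in enumerate(lines, 1):
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        hits = check_event(ev)
        if hits:
            results.append((lineno, hits))
    return results


SAMPLE_EVENTS = [  # constructed sample telemetry, not data from the report
    json.dumps({"event": "process_create", "image": r"C:\Windows\System32\notepad.exe",
                "cmdline": "notepad.exe notes.txt", "parent_image": r"C:\Windows\explorer.exe"}),
    json.dumps({"event": "process_create",
                "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "cmdline": r'powershell.exe -w hidden -ep bypass -c "Expand-Archive .\FOUND.000\persistentHandlerHashingEncodingScalable.zip $env:APPDATA\logicpro"',
                "parent_image": r"C:\Windows\explorer.exe"}),
    json.dumps({"event": "task_create", "task": r"\logicpro",
                "command": r"C:\Users\alice\AppData\Roaming\logicpro\start.cmd",
                "triggers": ["logon", "daily"], "time": "10:21"}),
    json.dumps({"event": "process_create", "image": r"C:\Users\alice\AppData\Roaming\logicpro\sshd.exe",
                "cmdline": "sshd.exe -f sshd_config", "parent_image": r"C:\Windows\System32\cmd.exe"}),
    json.dumps({"event": "process_create", "image": r"C:\Program Files\OpenSSH\sshd.exe",
                "cmdline": "sshd.exe", "parent_image": r"C:\Windows\System32\services.exe"}),
    "this line is not JSON",
    json.dumps({"event": "process_create", "image": r"C:\Users\alice\AppData\Roaming\logicpro\tor.exe",
                "cmdline": "tor.exe -f torrc", "parent_image": r"C:\Windows\System32\cmd.exe"}),
]

if __name__ == "__main__":
    for lineno, hits in scan_log(SAMPLE_EVENTS):
        print(lineno, ", ".join(hits))
```

The path-based rule is what separates this backdoor from a sanctioned OpenSSH deployment: the same sshd.exe is benign from its install directory and suspicious from a profile directory, so the rule keys on location rather than on the binary name alone.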

Attribution:

Cyble assesses with moderate confidence that the campaign aligns with UAC-0125/Sandworm (APT44), a Russian state-linked threat group that has targeted Ukrainian military and critical infrastructure since 2013. The tradecraft, infrastructure overlaps and operational patterns match the group's earlier campaigns, and the SSH-over-Tor access layer points to continued refinement of an existing playbook rather than a new toolset.

Implications:

This attack shows state-sponsored espionage pairing a plausible military lure with a persistent, anonymous access channel built almost entirely from legitimate software. Because OpenSSH and Tor are widely used, legitimate tools, signature-based controls alone will not catch them; detection has to rest on where they run from, how they arrived (a shortcut in a ZIP) and what keeps them running (scheduled tasks under a user profile), which is why defense organizations need behavioural monitoring alongside user vigilance.

Recommendations:

1. User Awareness and Training: Educate personnel on recognizing phishing attempts and the risks associated with opening unsolicited attachments, even if they appear legitimate.

2. Endpoint Detection and Response (EDR): Deploy EDR that can detect and respond to the behaviours seen here: PowerShell launched from explorer.exe (the parent when a shortcut is opened) with hidden-window or execution-policy-bypass flags, scheduled tasks whose action points into %APPDATA%, and sshd.exe or tor.exe running from a user profile rather than from C:\Windows\System32\OpenSSH or C:\Program Files\OpenSSH.

3. Regular System Audits: Conduct frequent audits to identify unauthorized software installations, unexpected scheduled tasks, and other indicators of compromise.

4. Network Monitoring: Watch for anomalous outbound connections that may indicate unauthorized remote access. Matching destinations against public Tor relay lists is not enough here: obfs4 bridges are unlisted and obfs4 is designed to make the traffic look like random bytes to protocol fingerprinting, so correlate long-lived outbound connections with the process that opened them (a tor.exe or sshd.exe under a user profile is the signal) rather than relying on destination reputation alone.

5. Patch Management: Keep all systems current with security patches. Note that this campaign needed no exploit: it relied on a user opening a shortcut and on built-in PowerShell, so patching is baseline hygiene here rather than a control that would have blocked the intrusion.

By adopting these measures, organizations can enhance their defense against sophisticated cyber threats and protect sensitive information from unauthorized access.