Operation SkyCloak: Unveiling the Stealthy Cyber Campaign Targeting Military Forces
A sophisticated cyber espionage campaign, dubbed Operation SkyCloak, has been identified, targeting military personnel in Russia and Belarus. This operation employs a multi-stage infection chain, utilizing PowerShell tools and concealed SSH services to establish covert remote access via Tor-based infrastructure.
Initial Attack Vector: Phishing with Military-Themed Lures
The campaign begins with phishing emails carrying archive files. Inside each archive is a Windows shortcut (.lnk) whose name carries a double extension so that it reads as an official military document: Explorer never displays the .lnk extension, so a file such as letter.pdf.lnk is shown simply as letter.pdf. The lures are carefully built to look legitimate:
– Russian Target: A nomination letter from Military Unit 71289, referencing the 83rd Separate Guards Airborne Assault Brigade stationed in Ussuriysk.
– Belarusian Target: Training notifications for Military Unit 89417, the 5th Separate Spetsnaz Brigade located near Minsk.
The lure documents were weaponized in late September 2025; the archives were uploaded from Belarus between October 15 and October 21.
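The double-extension shortcut is the one artifact a mail gateway or sandbox can catch before anything executes. The following is an added example, not code from the SkyCloak report: it builds a small zip archive in memory (a constructed sample, not a real lure) and flags any member whose name ends in an executable extension behind a document extension, and any member whose bytes begin with the Shell Link header regardless of its name, so a shortcut renamed to a plain .pdf does not slip past a name-only rule. The member names are invented for the demonstration.

```python
"""Flag Windows shortcut (.lnk) files disguised as documents inside an archive.

Added example, not code from the SkyCloak report. It builds a small zip
archive in memory (a constructed sample, not a real lure) and checks every
member for the double-extension trick the campaign uses: a file such as
letter.pdf.lnk shows up in Explorer as letter.pdf, because Explorer never
displays the .lnk extension. The LNK magic header is checked as well, so a
shortcut renamed to a plain .pdf does not slip past a name-only rule.
"""
import io
import zipfile

# Every Shell Link file starts with HeaderSize = 0x4C followed by the Shell Link CLSID
# 00021401-0000-0000-C000-000000000046 in on-disk GUID byte order.
LNK_HEADER = b"\x4c\x00\x00\x00"
LNK_CLSID = b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"

DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt", "odt"}
EXEC_EXTS = {"lnk", "exe", "scr", "bat", "cmd", "vbs", "js", "hta", "ps1"}


def is_double_extension_lure(name: str) -> bool:
    """True when the last extension is executable and the one before it looks like a document."""
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXEC_EXTS and parts[-2] in DOCUMENT_EXTS


def is_lnk_content(data: bytes) -> bool:
    """True when the first 20 bytes are a Shell Link header, whatever the file is called."""
    return data[:4] == LNK_HEADER and data[4:20] == LNK_CLSID


def scan_archive(blob: bytes) -> list:
    """Return (member name, reason) for every suspicious member of a zip archive."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            head = zf.read(info.filename)[:20]
            if is_double_extension_lure(info.filename):
                hits.append((info.filename, "double extension"))
            elif is_lnk_content(head) and not info.filename.lower().endswith(".lnk"):
                hits.append((info.filename, "LNK header under a non-.lnk name"))
    return hits


def build_sample_archive() -> bytes:
    """Constructed sample: a decoy-named shortcut, a shortcut renamed to .pdf, and a harmless text file."""
    fake_lnk = LNK_HEADER + LNK_CLSID + b"\x00" * 56  # header bytes only, not a working shortcut
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Nomination_letter.pdf.lnk", fake_lnk)
        zf.writestr("Training_schedule.pdf", fake_lnk)
        zf.writestr("readme.txt", b"plain text, nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in scan_archive(build_sample_archive()):
        print(f"{member}: {reason}")
```

The header check matters more than the name check: an attacker who knows the gateway rule just drops the .lnk suffix, and Windows will still treat the file as a shortcut when it is opened from the archive.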
Execution and Payload Deployment
Opening the shortcut launches a PowerShell command that acts as a dropper. It extracts nested archives into directories with long camel-case names such as `%APPDATA%\dynamicUpdatingHashingScalingContext` and `%USERPROFILE%\Downloads\incrementalStreamingMerging`. The final stage lands in a hidden folder such as `$env:APPDATA\logicpro` or `$env:APPDATA\reaper`, which holds several executables, XML configuration files, decoy PDFs and supporting DLLs.
Anti-Analysis Techniques
Before deploying its payload, the malware runs two checks meant to tell a workstation in daily use from an analysis sandbox:
– User Activity Verification: Counts the shortcut files in the user's Windows Recent folder and proceeds only if there are more than ten, a sign that the machine has actually been used to open documents.
– Process Count Validation: Proceeds only if more than 50 processes are running.
Both thresholds are low for a real workstation but high for a freshly provisioned sandbox, which is what lets the malware avoid automated analysis. Analysts detonating the samples should seed the Recent folder with shortcuts and raise the process count above these thresholds before execution.
PowerShell Execution and Persistence Mechanisms
The PowerShell stage then sets up long-term access:
– Mutex Creation: Creates a named mutex so that only one instance runs at a time.
– Scheduled Task Registration: Registers scheduled tasks from XML definitions with a daily trigger whose start boundary is 2025-09-25T01:41:00-08:00. The tasks are marked hidden, are not restricted to idle time or to when a network connection is available, and carry no execution time limit, so a running instance is never stopped by the scheduler.
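Those task properties are visible in the exported XML, which makes them easy to hunt for across a fleet. The following audit is an added example, not code from the report: SAMPLE_TASK_XML is constructed to mirror the settings described above (daily trigger from the stated start boundary, hidden, no execution time limit, not restricted to idle or online state), while the PowerShell action, its arguments and the script path under the logicpro folder are assumptions. Export real tasks with `schtasks /query /xml /tn <name>` and feed the text to audit_task().

```python
"""Audit a Task Scheduler XML definition for the settings the SkyCloak tasks use.

Added example, not code from the report. SAMPLE_TASK_XML is constructed to
mirror the properties the write-up lists; the PowerShell action and the
script path under the logicpro folder are assumptions.
"""
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2025-09-25T01:41:00-08:00</StartBoundary>
      <Enabled>true</Enabled>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Settings>
    <Hidden>true</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-WindowStyle Hidden -ExecutionPolicy Bypass -File "%APPDATA%\\logicpro\\update.ps1"</Arguments>
    </Exec>
  </Actions>
</Task>"""


def audit_task(xml_text: str) -> list:
    """Return the suspicious properties found in one task definition (empty list if none)."""
    root = ET.fromstring(xml_text)
    findings = []

    def setting(path: str) -> str:
        node = root.find(path, NS)
        return (node.text or "").strip().lower() if node is not None else ""

    # Hidden=true and ExecutionTimeLimit=PT0S are both non-default. RunOnlyIfIdle and
    # RunOnlyIfNetworkAvailable default to false, so on their own they say little and are not scored.
    if setting("t:Settings/t:Hidden") == "true":
        findings.append("hidden from the Task Scheduler UI")
    if setting("t:Settings/t:ExecutionTimeLimit") == "pt0s":
        findings.append("no execution time limit")
    if root.find("t:Triggers/t:CalendarTrigger/t:ScheduleByDay", NS) is not None:
        findings.append("daily trigger")
    for action in root.findall("t:Actions/t:Exec", NS):
        command = action.findtext("t:Command", default="", namespaces=NS).lower()
        args = action.findtext("t:Arguments", default="", namespaces=NS).lower()
        if "powershell" in command and "hidden" in args:
            findings.append("hidden PowerShell action")
        if "%appdata%" in args or "\\appdata\\" in args:
            findings.append("action runs a file under APPDATA")
    return findings


if __name__ == "__main__":
    for finding in audit_task(SAMPLE_TASK_XML):
        print(finding)
```

A single finding is common in legitimate software; three or more together, with the action pointing into a user profile folder, is worth a ticket.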
Deployment of Legitimate OpenSSH Binaries
The malware ships legitimate OpenSSH for Windows binaries compiled on December 13, 2023, renamed to blend in: `githubdesktop.exe` and `googlemaps.exe` are copies of the SSH daemon, `ssh-shellhost.exe` provides interactive sessions and `libcrypto.dll` supplies the cryptographic functions. The accompanying configuration makes the daemon listen on the non-standard port 20321, disables password authentication and requires public-key authentication, with the key files hidden behind names like `redundantOptimizingInstanceVariableLogging` and `incrementalMergingIncrementalImmutableProtocol`. Because the binaries are unmodified, hash- or signature-based detection will not fire on them; the tell is an SSH daemon with an unexpected name, running from a user profile folder, listening on 20321.
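The sshd_config dropped alongside those binaries is a compact indicator in its own right. The following is an added example, not the report's code: SAMPLE_SSHD_CONFIG is constructed from what is described above (port 20321, password authentication off, public-key authentication required, obfuscated key file names), and which directive each obfuscated name belongs to, the ListenAddress and the user path in the daemon's image location are assumptions. Key-only authentication on its own is good practice; what makes it a finding here is the combination with a non-standard port, key files outside the usual locations and a daemon that is not the system sshd.exe.

```python
"""Audit an sshd_config plus the daemon's image path for the SkyCloak pattern.

Added example, not the report's code. The config text and the image path are
constructed; the directive each obfuscated key name belongs to, the
ListenAddress and the user profile path are assumptions.
"""
SAMPLE_SSHD_CONFIG = """\
# constructed sample, not the dropped file itself
Port 20321
ListenAddress 127.0.0.1
HostKey redundantOptimizingInstanceVariableLogging
AuthorizedKeysFile incrementalMergingIncrementalImmutableProtocol
PasswordAuthentication no
PubkeyAuthentication yes
Subsystem sftp sftp-server.exe
"""

# Substrings present in the default Windows OpenSSH host key and authorized_keys paths.
EXPECTED_KEY_NAMES = ("ssh_host_", "authorized_keys")
# Where the built-in OpenSSH server for Windows normally lives.
EXPECTED_SSHD_DIRS = ("c:\\windows\\system32\\openssh\\", "c:\\program files\\openssh\\")


def parse_sshd_config(text: str) -> dict:
    """Return {directive (lowercased): [values in file order]}; accepts 'Key value' and 'Key=value'."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 1 and "=" in parts[0]:
            parts = parts[0].split("=", 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(key, []).append(value)
    return conf


def audit_sshd(conf: dict, image_path: str) -> list:
    """Return findings for one sshd instance given its parsed config and the process image path."""
    findings = []
    ports = conf.get("port", ["22"])
    if any(p != "22" for p in ports):
        findings.append("non-standard port " + ",".join(ports))
    password = conf.get("passwordauthentication", ["yes"])[-1].lower()
    pubkey = conf.get("pubkeyauthentication", ["yes"])[-1].lower()
    if password == "no" and pubkey == "yes":
        findings.append("key-only authentication")
    for directive in ("hostkey", "authorizedkeysfile"):
        for value in conf.get(directive, []):
            if not any(name in value.lower() for name in EXPECTED_KEY_NAMES):
                findings.append(f"unusual {directive} name: {value}")
    image = image_path.lower()
    if not image.startswith(EXPECTED_SSHD_DIRS) or not image.endswith("\\sshd.exe"):
        findings.append("sshd running as " + image_path)
    return findings


if __name__ == "__main__":
    conf = parse_sshd_config(SAMPLE_SSHD_CONFIG)
    # Constructed image path modelled on the hidden APPDATA folder the dropper uses.
    for finding in audit_sshd(conf, r"C:\Users\user\AppData\Roaming\logicpro\githubdesktop.exe"):
        print(finding)
```

On a live host the image path comes from the process listing (the owning process of the 20321 listener), and the config path from that process's command line or working directory.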
Tor-Based Communication and Obfuscation
The campaign exposes several local services through Tor hidden services: SSH on port 20322, SMB on port 11435, RDP on port 13893, plus additional custom ports. The Tor traffic is wrapped in obfs4 pluggable transports, run from binaries named `confluence.exe` and `rider.exe`, which connect to bridge endpoints at 77.20.116.133:8080 and 156.67.24.239:33333. The malware generates identification beacons formatted as `
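The hidden-service mappings and bridge endpoints live in the Tor configuration the malware drops, so parsing that file answers two questions at once: which local ports an operator can reach through the .onion address, and which IPs the host must contact to join the Tor network. The parser below is an added example, not code from the report. SAMPLE_TORRC is constructed from the hidden-service ports and bridge addresses named above; the local target of each HiddenServicePort (sshd on 20321, SMB on 445, RDP on 3389), the HiddenServiceDir path and the obfs4 cert values are assumptions.

```python
"""Pull exposed services and bridge endpoints out of a torrc.

Added example, not code from the report. SAMPLE_TORRC is constructed; the
local targets, the HiddenServiceDir path and the obfs4 cert values are
assumptions.
"""
SAMPLE_TORRC = """\
# constructed sample torrc
HiddenServiceDir %APPDATA%\\logicpro\\hs
HiddenServicePort 20322 127.0.0.1:20321
HiddenServicePort 11435 127.0.0.1:445
HiddenServicePort 13893 127.0.0.1:3389
UseBridges 1
ClientTransportPlugin obfs4 exec confluence.exe
Bridge obfs4 77.20.116.133:8080 cert=AAAA iat-mode=0
Bridge obfs4 156.67.24.239:33333 cert=BBBB iat-mode=0
"""

# Local ports that should never be reachable from the Tor network.
LOCAL_SERVICE_NAMES = {445: "SMB", 3389: "RDP", 22: "SSH"}


def parse_torrc(text: str) -> dict:
    """Return hidden-service port mappings, bridge lines and pluggable-transport executables."""
    services, bridges, plugins = [], [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        key = parts[0].lower()
        if key == "hiddenserviceport" and len(parts) >= 2:
            # "HiddenServicePort VIRTPORT [TARGET]"; TARGET defaults to 127.0.0.1:VIRTPORT.
            virt = int(parts[1])
            target = parts[2] if len(parts) > 2 else f"127.0.0.1:{virt}"
            services.append((virt, target))
        elif key == "bridge" and len(parts) >= 2:
            # "Bridge [transport] IP:ORPort [fingerprint] [k=v ...]"; the transport is optional.
            if ":" in parts[1]:
                bridges.append(("vanilla", parts[1]))
            elif len(parts) >= 3:
                bridges.append((parts[1], parts[2]))
        elif key == "clienttransportplugin" and "exec" in parts[:-1]:
            plugins.append(parts[parts.index("exec") + 1])
    return {"services": services, "bridges": bridges, "plugins": plugins}


def exposed_services(conf: dict) -> list:
    """Return (onion virtual port, local target, service label) for each hidden-service mapping."""
    rows = []
    for virt, target in conf["services"]:
        port_text = target.rsplit(":", 1)[-1]
        label = LOCAL_SERVICE_NAMES.get(int(port_text), "unknown") if port_text.isdigit() else "unix socket"
        rows.append((virt, target, label))
    return rows


def bridge_endpoints(conf: dict) -> list:
    """Return the IP:port strings the host must reach to join the Tor network through its bridges."""
    return [addr for _, addr in conf["bridges"]]


if __name__ == "__main__":
    conf = parse_torrc(SAMPLE_TORRC)
    for virt, target, label in exposed_services(conf):
        print(f"onion port {virt} -> {target} ({label})")
    print("bridge endpoints:", ", ".join(bridge_endpoints(conf)))
    print("transport plugins:", ", ".join(conf["plugins"]))
```

Bridges exist precisely so that Tor use does not show up against public relay lists, which is why the bridge IP:port pairs extracted here, rather than a generic Tor relay feed, are what belongs on the perimeter block list and in the NetFlow search.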
Implications and Recommendations
Operation SkyCloak represents a significant advancement in cyber espionage tactics: familiar tradecraft (phishing, PowerShell droppers, scheduled tasks) is combined with legitimate tooling (OpenSSH, Tor, obfs4) so that the persistent access channel itself looks like ordinary software. Defending against it calls for:
– User Education: Train personnel to recognize and report phishing, in particular archive attachments that contain shortcut files or documents with double extensions.
– Endpoint Detection and Response (EDR): Deploy tooling that catches PowerShell-based and fileless activity, such as PowerShell extracting nested archives into hidden folders under %APPDATA%, scheduled tasks registered from XML with no execution time limit, and an SSH daemon running under an unexpected name from a user profile directory.
– Network Monitoring: Watch for connections to Tor bridges and obfs4 traffic, listeners on non-standard ports such as 20321, and SMB or RDP reachable over unexpected paths.
– Regular Updates: Ensuring all software and systems are up-to-date with the latest security patches.
By understanding the tactics employed in Operation SkyCloak, organizations can better prepare and defend against similar sophisticated cyber threats.