
Operation SkyCloak: Tor-Enabled OpenSSH for Windows Backdoor Targets Defense and Military Sectors in Eastern Europe

  • Rescana
  • Nov 5
  • 5 min read

Executive Summary

Operation SkyCloak is an advanced, ongoing cyber-espionage campaign targeting defense and military sectors, with a primary focus on organizations in Eastern Europe, notably Belarus and Russia. The operation employs highly targeted phishing emails containing military-themed lure documents to deliver a persistent, Tor-enabled OpenSSH backdoor. This backdoor leverages a legitimate, signed OpenSSH for Windows binary, combined with a custom Tor hidden service and obfs4 pluggable transport for traffic obfuscation, enabling attackers to maintain covert, anonymous access to compromised systems via SSH, RDP, SFTP, and SMB protocols.

The technical sophistication of Operation SkyCloak is evident in its multi-stage infection chain, anti-analysis mechanisms, and advanced persistence strategies. The campaign is attributed with moderate confidence to the Russian-linked Sandworm group (APT44/UAC-0125), based on strong tactical overlaps and infrastructure reuse. The threat actors demonstrate a deep understanding of both operational security and Windows internals, making detection and remediation particularly challenging for targeted organizations.

Threat Actor Profile

The threat actor behind Operation SkyCloak exhibits hallmarks consistent with the Sandworm group, also known as APT44 or UAC-0125, a unit of the Russian GRU (Unit 74455). This group is notorious for high-impact cyber operations, including the 2015 and 2016 Ukrainian power grid attacks, the NotPetya ransomware outbreak, and multiple campaigns targeting critical infrastructure and military assets across Europe.

Sandworm is characterized by its use of custom malware, living-off-the-land techniques, and a preference for leveraging legitimate software to evade detection. The group’s operations are typically aligned with Russian strategic interests, focusing on intelligence collection, disruption, and long-term access to sensitive networks. In Operation SkyCloak, the use of OpenSSH for Windows and Tor for command and control (C2) communications reflects a deliberate effort to blend malicious activity with legitimate network traffic, complicating attribution and response efforts.

Technical Analysis of Malware/TTPs

Operation SkyCloak employs a multi-stage infection chain designed to maximize stealth and persistence while minimizing the risk of detection.

The initial access vector is a weaponized ZIP archive, often named to mimic official military documents (e.g., “ТЛГ на убытие на переподготовку.pdf”). This archive contains a LNK (Windows shortcut) file with a double extension to masquerade as a PDF, and a hidden directory (“FOUND.000”) housing a secondary ZIP archive. When the user opens the LNK file, embedded PowerShell commands are executed, extracting the secondary ZIP to %appdata%\logicpro and launching further obfuscated PowerShell code from files such as adaptiveOptimizingDeployingDecodingEncrypting.

To evade automated analysis and sandboxes, the script checks for the presence of at least 10 recent LNK files and 50 running processes, halting execution if these conditions are not met. This anti-analysis technique ensures the payload only executes in real user environments.

Upon successful execution, a decoy PDF is displayed to the user to minimize suspicion. Persistence is established via a scheduled task named githubdesktopMaintenance, configured to run at user logon and daily at 10:21 UTC. This task launches logicpro/githubdesktop.exe, a legitimate OpenSSH for Windows binary (signed by Microsoft, compilation timestamp 2023-12-13), which listens for SSH connections on localhost:20321 and only accepts authentication via pre-deployed RSA keys. The SFTP subsystem is enabled through a renamed binary (ebay.exe).

A second scheduled task runs logicpro/pinterest.exe, a custom Tor binary, which sets up a hidden service exposing SSH (20322), SMB (11435), and RDP (13893) ports, all tunneled to their respective local services. The obfs4 pluggable transport (confluence.exe) is used to obfuscate Tor traffic, leveraging entry bridges at 77.20.116.133:8080 and 156.67.24.239:33333 to bypass network restrictions and detection.

For command and control, the malware exfiltrates system information and the unique .onion hostname via curl over the Tor SOCKS5 proxy. The attacker receives the .onion URL and uses pre-generated RSA keys to access the compromised system through the Tor network, ensuring both anonymity and encrypted communications.

No evidence has been found of exploitation of a specific OpenSSH vulnerability (such as CVE-2024-6387); instead, the attackers rely on the covert deployment and configuration of legitimate binaries.
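The infection chain above yields a small set of host behaviours a defender can hunt for without any signature on the binaries themselves: PowerShell launched by explorer.exe (the LNK double-click) that reaches into %appdata%, a signed OpenSSH/Tor/obfs4 binary running under a new name from a user-writable directory, a scheduled task whose action lives under a user profile, and outbound connections to the bridge endpoints quoted in the report. The following Python hunt is an added example, not code from the Rescana report or from Cyble or Seqrite Labs. It assumes Sysmon-style field names (Image, ParentImage, OriginalFileName, CommandLine, DestinationIp, DestinationPort, TaskName, Command), assumes that a renamed OpenSSH, Tor or obfs4 binary still carries its upstream PE original file name (sshd.exe, tor.exe, obfs4proxy.exe), and runs over constructed sample records; only the task name, the %appdata%\logicpro path and the two bridge endpoints are taken from the report.

```python
"""Hunt constructed endpoint telemetry for the SkyCloak behaviours described above.
Added example; the events are constructed to look like Sysmon process-create,
network-connect and scheduled-task records, not real victim telemetry."""
import re
from dataclasses import dataclass

# Any image or command line pointing into the user's AppData tree.
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.IGNORECASE)

# Assumption: upstream PE original file names survive the rename to
# githubdesktop.exe / pinterest.exe / confluence.exe.
RENAMED_TOOL_ORIGINALS = {"sshd.exe", "ssh.exe", "tor.exe", "obfs4proxy.exe"}

# Values quoted in the report.
KNOWN_TASK_NAMES = {"githubdesktopMaintenance"}
KNOWN_BRIDGES = {("77.20.116.133", 8080), ("156.67.24.239", 33333)}


@dataclass
class Finding:
    rule: str
    detail: str


def check_process(ev: dict) -> list:
    """Process-create event: LNK-launched PowerShell and renamed tools in AppData."""
    findings = []
    image = ev.get("Image", "")
    parent = ev.get("ParentImage", "")
    cmd = ev.get("CommandLine", "")
    original = ev.get("OriginalFileName", "").lower()
    basename = image.rsplit("\\", 1)[-1].lower()

    # Stage one: explorer.exe (the LNK click) spawns PowerShell that touches %appdata%.
    if basename == "powershell.exe" and parent.lower().endswith("\\explorer.exe") \
            and ("%appdata%" in cmd.lower() or USER_WRITABLE.search(cmd)):
        findings.append(Finding("lnk-powershell-appdata", cmd))

    # A known tool whose on-disk name differs from its original name, run from AppData.
    if original in RENAMED_TOOL_ORIGINALS and original != basename and USER_WRITABLE.search(image):
        findings.append(Finding("renamed-tool-in-appdata", f"{image} (OriginalFileName {original})"))
    return findings


def check_task(ev: dict) -> list:
    """Scheduled-task creation whose action runs from a user profile or matches the report."""
    findings = []
    name = ev.get("TaskName", "")
    action = ev.get("Command", "")
    if USER_WRITABLE.search(action):
        findings.append(Finding("task-runs-from-user-dir", f"{name} -> {action}"))
    if name.lstrip("\\") in KNOWN_TASK_NAMES:
        findings.append(Finding("known-skycloak-task-name", name))
    return findings


def check_network(ev: dict) -> list:
    """Outbound connection to one of the obfs4 bridges named in the report."""
    dest = (ev.get("DestinationIp", ""), int(ev.get("DestinationPort", 0)))
    if dest in KNOWN_BRIDGES:
        return [Finding("known-obfs4-bridge", f"{ev.get('Image', '')} -> {dest[0]}:{dest[1]}")]
    return []


def hunt(events: list) -> list:
    handlers = {"process": check_process, "task": check_task, "network": check_network}
    out = []
    for ev in events:
        out.extend(handlers[ev["type"]](ev))
    return out


# Constructed sample telemetry mirroring the chain described in the report.
SAMPLE_EVENTS = [
    {"type": "process", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r'powershell.exe -WindowStyle Hidden -Command "<constructed: unpack FOUND.000 into %appdata%\logicpro>"'},
    {"type": "process", "Image": r"C:\Users\victim\AppData\Roaming\logicpro\githubdesktop.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "sshd.exe",
     "CommandLine": r'"C:\Users\victim\AppData\Roaming\logicpro\githubdesktop.exe" -f sshd_config'},
    # Benign: the real OpenSSH server started from its install directory.
    {"type": "process", "Image": r"C:\Program Files\OpenSSH\sshd.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "OriginalFileName": "sshd.exe",
     "CommandLine": r'"C:\Program Files\OpenSSH\sshd.exe"'},
    {"type": "task", "TaskName": r"\githubdesktopMaintenance",
     "Command": r"C:\Users\victim\AppData\Roaming\logicpro\githubdesktop.exe"},
    {"type": "network", "Image": r"C:\Users\victim\AppData\Roaming\logicpro\confluence.exe",
     "DestinationIp": "77.20.116.133", "DestinationPort": 8080},
    # Benign: ordinary DNS from svchost.
    {"type": "network", "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "8.8.8.8", "DestinationPort": 53},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.detail}")
```

The benign records matter as much as the malicious ones: sshd.exe from its install path with a matching original name produces nothing, which is what keeps the renamed-tool rule from paging on every legitimate OpenSSH deployment.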

Exploitation in the Wild

Operation SkyCloak has been observed in the wild since at least October 2025, with multiple samples uploaded to VirusTotal from Belarus. Security researchers at Cyble and Seqrite Labs have confirmed the full functionality of the backdoor by establishing SSH connections to test systems using the extracted RSA keys and Tor SOCKS5 proxy. The campaign appears to be in the reconnaissance or initial access phase, as no secondary payloads or evidence of lateral movement have been detected at the time of analysis.

The targeting of military and defense organizations, particularly those involved in UAV/drone operations, suggests a focus on intelligence collection and long-term access rather than immediate disruption or data theft. The use of military-themed lure documents and the careful selection of victims indicate a high degree of operational planning and targeting precision.

Victimology and Targeting

The primary victims of Operation SkyCloak are defense, military, and government organizations in Belarus, with possible spillover into Russia and other Eastern European countries. The campaign specifically targets individuals involved in UAV/drone operations and special operations command, as evidenced by the content of the lure documents and the timing of the attacks.

The selection of targets aligns with the strategic interests of the Sandworm group and the broader objectives of Russian state-sponsored cyber operations. The use of highly tailored phishing emails and the deployment of a persistent, covert backdoor suggest a focus on long-term intelligence gathering and network penetration rather than opportunistic attacks.

Mitigation and Countermeasures

To defend against Operation SkyCloak and similar threats, organizations should implement a multi-layered security strategy:

Email security controls should be configured to block nested ZIP archives and files with double extensions, and users should be trained to verify the authenticity of military-themed documents before opening them. Endpoint detection solutions must monitor for PowerShell execution originating from LNK files, the creation of scheduled tasks in user directories, and the execution of binaries from %appdata%.

Network controls should be enforced to block Tor and obfs4 traffic, and security teams should monitor for connections to known Tor bridges and .onion addresses. SSH key management is critical; organizations should audit for unauthorized OpenSSH installations, non-standard SSH ports, and the presence of new or unknown authorized_keys files.

Scheduled task auditing should be enabled to alert on the creation of new tasks running from user directories or with suspicious triggers. Regular threat hunting and behavioral monitoring are essential to detect and respond to advanced persistent threats that leverage legitimate software for malicious purposes.
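The SSH key management point above is concrete enough to script. The backdoor is an sshd listening on a non-standard port bound to loopback (so that only the Tor hidden service reaches it), accepting only pre-deployed keys, with its SFTP subsystem pointing at a renamed binary; each of those is visible in sshd_config and authorized_keys. The Python audit below is an added example, not Rescana's or the cited researchers' tooling. It parses an sshd_config, flags the three settings just named, and computes OpenSSH-style SHA256 fingerprints for every authorized_keys entry so unknown keys can be compared against an organisational allow-list. The configuration text and both public-key blobs are constructed here (the key bytes are not real key pairs); the port number and ebay.exe name come from the report.

```python
"""Audit sshd_config and authorized_keys for the deployment pattern described above.
Added example; the config and keys below are constructed test material."""
import base64
import hashlib
import struct

EXPECTED_PORT = 22
EXPECTED_SFTP_BASENAMES = {"sftp-server.exe", "sftp-server"}


def parse_sshd_config(text: str) -> dict:
    """Map lower-cased keyword -> list of values (Port, ListenAddress may repeat)."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        cfg.setdefault(key.lower(), []).append(value.strip())
    return cfg


def audit_sshd_config(text: str) -> list:
    """Return human-readable issues for the settings the report's backdoor relies on."""
    cfg = parse_sshd_config(text)
    issues = []
    for port in cfg.get("port", []):
        if port != str(EXPECTED_PORT):
            issues.append(f"non-standard Port {port}")
    for addr in cfg.get("listenaddress", []):
        if addr.split(":")[0] in ("127.0.0.1", "localhost", "::1"):
            issues.append(f"loopback-only ListenAddress {addr} (reachable only through a local tunnel)")
    for sub in cfg.get("subsystem", []):
        name, _, path = sub.partition(" ")
        basename = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name == "sftp" and basename not in EXPECTED_SFTP_BASENAMES:
            issues.append(f"sftp subsystem points at unexpected binary {path}")
    return issues


def key_fingerprint(b64_blob: str) -> str:
    """OpenSSH SHA256 fingerprint: base64(sha256(wire-format blob)) without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit_authorized_keys(text: str, allowlist: set) -> list:
    """Return (fingerprint, comment) for each key whose fingerprint is not allow-listed."""
    unknown = []
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        # Key type may be preceded by an options field such as from="..."; find it.
        idx = next((i for i, p in enumerate(parts) if p.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(parts):
            continue
        fp = key_fingerprint(parts[idx + 1])
        if fp not in allowlist:
            unknown.append((fp, " ".join(parts[idx + 2:])))
    return unknown


# --- constructed test material -------------------------------------------
def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _ed25519_blob(raw32: bytes) -> str:
    """Wire-format ssh-ed25519 public key built from arbitrary bytes (constructed, not a real key)."""
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(raw32)).decode()


KNOWN_KEY = _ed25519_blob(bytes(range(32)))
ROGUE_KEY = _ed25519_blob(bytes(range(32, 64)))

SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config mirroring the reported deployment
Port 20321
ListenAddress 127.0.0.1
PasswordAuthentication no
PubkeyAuthentication yes
Subsystem sftp C:\\Users\\victim\\AppData\\Roaming\\logicpro\\ebay.exe
"""

SAMPLE_AUTHORIZED_KEYS = f"""\
ssh-ed25519 {KNOWN_KEY} admin@corp-jumphost
ssh-ed25519 {ROGUE_KEY}
"""

ALLOWLIST = {key_fingerprint(KNOWN_KEY)}

if __name__ == "__main__":
    for issue in audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print("config:", issue)
    for fp, comment in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, ALLOWLIST):
        print("unknown key:", fp, comment or "(no comment)")
```

Run against every sshd_config and authorized_keys found on a host (not only the ones under Program Files or ProgramData) so an OpenSSH instance dropped under a user profile is covered too; the fingerprints it prints are the same form ssh-keygen -lf reports, so they can be compared directly with a key inventory.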

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with advanced tools and intelligence to identify, assess, and mitigate cyber threats across their supply chain and digital ecosystem. Our platform empowers security teams to proactively manage risk, ensure compliance, and respond rapidly to emerging threats. For further technical details, threat intelligence, or incident response support, contact Rescana at ops@rescana.com.