Operation SkyCloak Deploys Tor-Enabled OpenSSH Backdoor Targeting Defense Sectors
Briefly

"the campaign is designed to deploy a persistent backdoor on compromised hosts that uses OpenSSH in conjunction with a customized Tor hidden service that employs obfs4 for traffic obfuscation. The activity has been codenamed Operation SkyCloak by Seqrite, stating the phishing emails utilize lures related to military documents to convince recipients into opening a ZIP file containing a hidden folder with a second archive file, along with a Windows shortcut (LNK) file, which, when opened, triggers the multi-step infection chain."
"a PowerShell stager that's responsible for running anti-analysis checks to evade sandbox environments, as well as writing a Tor onion address ("yuknkap4im65njr3tlprnpqwj4h7aal4hrn2tdieg75rpp6fx25hqbyd[.]onion") to a file named "hostname" in the "C:\Users\<Username>\AppData\Roaming\logicpro\socketExecutingLoggingIncrementalCompiler\" location. As part of its analysis checks, the malware confirms that the number of recent LNK files present on the system is greater than or equal to 10 and verifies that the current process count exceeds or equals 50. If either of the conditions is not met, the PowerShell abruptly ceases execution."
Threat actors use weaponized attachments in phishing emails to deliver malware likely targeting the defense sector in Russia and Belarus. The activity is codenamed Operation SkyCloak and installs a persistent backdoor leveraging OpenSSH paired with a customized Tor hidden service that uses obfs4 for traffic obfuscation. Phishing lures related to military documents deliver ZIP archives containing a hidden folder, a secondary archive, and a Windows shortcut (LNK) that triggers a multi-step PowerShell infection chain. A PowerShell stager performs anti-analysis checks, writes a Tor onion address to a hostname file under AppData, and aborts execution if LNK or process count thresholds are not met. Archive files were uploaded from Belarus to VirusTotal in October 2025.
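The two host artifacts the report exposes, the "hostname" file dropped under the AppData\Roaming\logicpro\socketExecutingLoggingIncrementalCompiler directory and the v3 onion address written into it, are enough to build a simple hunting check. The script below is an added example for this digest, not code from Seqrite or The Hacker News. It assumes the artifact is a plain-text file whose content holds the address, matches the drop directory by its path suffix (so any user profile is covered), accepts the defanged "[.]onion" spelling used in reports, and models the two reported sandbox thresholds so an analysis environment can be checked against them. The file set it scans is constructed inline for the demonstration.

```python
from __future__ import annotations

import re
from pathlib import PureWindowsPath

# Drop directory reported for the Operation SkyCloak stager, relative to a user profile.
STAGER_DIR_SUFFIX = PureWindowsPath("AppData/Roaming/logicpro/socketExecutingLoggingIncrementalCompiler")
ARTIFACT_NAME = "hostname"

# Onion address quoted in the report (defanged here exactly as published).
REPORTED_ONION = "yuknkap4im65njr3tlprnpqwj4h7aal4hrn2tdieg75rpp6fx25hqbyd[.]onion"

# A v3 onion address is 56 base32 characters (a-z, 2-7) followed by ".onion".
ONION_V3_RE = re.compile(r"\b([a-z2-7]{56})\.onion\b")

# Anti-analysis thresholds reported for the PowerShell stager.
MIN_RECENT_LNK = 10
MIN_PROCESSES = 50


def refang(text: str) -> str:
    """Turn the report-style '[.]' back into a real dot so IoC matching works on both forms."""
    return text.replace("[.]", ".")


def extract_onion_addresses(text: str) -> list[str]:
    """Return every v3 onion address found in the text, refanged."""
    return [m.group(0) for m in ONION_V3_RE.finditer(refang(text))]


def is_stager_artifact_path(path: str) -> bool:
    """True when path is a 'hostname' file inside the reported drop directory of any user profile."""
    p = PureWindowsPath(path)
    if p.name.lower() != ARTIFACT_NAME:
        return False
    parent_parts = [part.lower() for part in p.parent.parts]
    suffix_parts = [part.lower() for part in STAGER_DIR_SUFFIX.parts]
    # Compare only the trailing components, so the drive letter and username do not matter.
    return parent_parts[-len(suffix_parts):] == suffix_parts


def stager_would_abort(recent_lnk_count: int, process_count: int) -> bool:
    """Model the reported checks: the stager stops unless both thresholds are met.

    Useful for validating that a sandbox presents enough recent LNK files and processes
    to let the sample run to its later stages.
    """
    return recent_lnk_count < MIN_RECENT_LNK or process_count < MIN_PROCESSES


def scan_files(files: dict[str, str]) -> list[dict]:
    """Scan a mapping of path -> content and report files matching either indicator."""
    findings = []
    for path, content in files.items():
        path_hit = is_stager_artifact_path(path)
        onions = extract_onion_addresses(content)
        if path_hit or onions:
            findings.append({
                "path": path,
                "path_match": path_hit,
                "onion_addresses": onions,
                "reported_ioc": refang(REPORTED_ONION) in onions,
            })
    return findings


# Constructed sample file set: one infected-profile artifact and two benign look-alikes.
SAMPLE_FILES = {
    r"C:\Users\alice\AppData\Roaming\logicpro\socketExecutingLoggingIncrementalCompiler\hostname":
        REPORTED_ONION + "\n",
    r"C:\Users\bob\AppData\Roaming\logicpro\hostname": "bob-laptop\n",
    r"C:\Windows\System32\drivers\etc\hostname": "corp-ws-17\n",
}


if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print(finding)
    # Example sandbox profile: 4 recent LNK files and 120 processes would make the stager exit early.
    print("stager would abort:", stager_would_abort(4, 120))
```

On a real host the SAMPLE_FILES mapping would be replaced by a walk over each profile under C:\Users, reading only files named "hostname"; the path check alone is a strong signal because the directory name is specific to this campaign, and the onion-address check catches the artifact if the drop location changes.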
Read at The Hacker News