New Operation SkyCloak Uses PowerShell Tools and Hidden SSH Service...
A sophisticated campaign targeting military personnel across Russia and Belarus has emerged, deploying a complex multi-stage infection chain that establishes covert remote access through Tor-based infrastructure.

Operation SkyCloak represents a stealth-oriented intrusion effort aimed at the Russian Airborne Forces and Belarusian Special Forces, utilizing legitimate OpenSSH binaries and obfs4 bridges to mask communication channels while maintaining persistence on compromised systems.

The attack begins with phishing archives containing shortcut files disguised with double extensions, masquerading as official military documents.

The first lure mimics a nomination letter from Military Unit 71289, referencing the 83rd Separate Guards Airborne Assault Brigade stationed in Ussuriysk.

The second decoy targets Belarusian Special Forces personnel with training notifications for Military Unit 89417, the 5th Separate Spetsnaz Brigade located near Minsk.

These carefully crafted documents were weaponized in late September 2025, with archive files uploaded from Belarus between October 15 and October 21.

Once executed, the shortcut files run PowerShell commands that start a multi-stage dropper.

The malware extracts nested archive files into directories with cryptic naming schemes such as %APPDATA%\dynamicUpdatingHashingScalingContext and %USERPROFILE%\Downloads\incrementalStreamingMerging.

The multi-stage extraction process deploys payloads into hidden folders including $env:APPDATA\logicpro or $env:APPDATA\reaper, containing multiple executables, XML configuration files, decoy PDFs, and supporting DLLs.
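A defender-side hunt for the artifacts named above, added here as an example and not code from the article or the Seqrite report: it walks a user profile tree and flags shortcut files carrying a document-looking double extension (e.g. `.pdf.lnk`) plus directories bearing the dropper's reported names. The sample tree, the directory list and the document-extension list are constructed assumptions; `logicpro` and `reaper` are also legitimate DAW folder names, so name hits are leads to triage, not verdicts.

```python
import os
import tempfile
from pathlib import Path

# Directory names reported for the SkyCloak dropper (taken from the article;
# the set itself is assembled here for the example).
SUSPECT_DIR_NAMES = {
    "dynamicUpdatingHashingScalingContext",
    "incrementalStreamingMerging",
    "logicpro",   # also a legitimate Logic Pro folder name: triage, don't auto-block
    "reaper",     # also a legitimate REAPER folder name
}

# Document extensions that, when followed by ".lnk", indicate a double-extension lure.
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}


def is_double_extension_shortcut(name: str) -> bool:
    """True for names such as 'notice.pdf.lnk'; plain 'Steam.lnk' is not flagged."""
    p = Path(name)
    return p.suffix.lower() == ".lnk" and Path(p.stem).suffix.lower() in DOC_EXTS


def hunt(root: str) -> list[tuple[str, str]]:
    """Walk root and return sorted (reason, path) findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if d in SUSPECT_DIR_NAMES:
                findings.append(("suspect-dir", os.path.join(dirpath, d)))
        for f in filenames:
            if is_double_extension_shortcut(f):
                findings.append(("double-ext-lnk", os.path.join(dirpath, f)))
    return sorted(findings)


def build_sample_tree() -> str:
    """Constructed stand-in for a user profile; files are empty, nothing is malicious."""
    root = tempfile.mkdtemp()
    roaming = Path(root) / "AppData" / "Roaming"
    (roaming / "dynamicUpdatingHashingScalingContext").mkdir(parents=True)
    (roaming / "logicpro").mkdir()
    (roaming / "Microsoft").mkdir()          # benign, must not be flagged
    downloads = Path(root) / "Downloads"
    downloads.mkdir()
    (downloads / "nomination_letter.pdf.lnk").write_bytes(b"")  # lure pattern
    (downloads / "report.pdf").write_bytes(b"")                 # benign document
    (downloads / "Steam.lnk").write_bytes(b"")                  # benign shortcut
    return root


if __name__ == "__main__":
    for reason, path in hunt(build_sample_tree()):
        print(f"{reason:15} {path}")
```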

Seqrite analysts identified this campaign as part of a broader pattern of operations targeting Russian defense infrastructure, noting similarities to previous attacks such as HollowQuill and CargoTalon.

Source: Cybersecurity News