Operation Skycloak Deploys Tor-enabled Openssh Backdoor Targeting...
Threat actors are leveraging weaponized attachments distributed via phishing emails to deliver malware likely targeting the defense sector in Russia and Belarus.
According to multiple reports from Cyble and Seqrite Labs, the campaign is designed to deploy a persistent backdoor on compromised hosts that uses OpenSSH in conjunction with a customized Tor hidden service that employs obfs4 for traffic obfuscation.
The activity has been codenamed Operation SkyCloak by Seqrite, stating the phishing emails utilize lures related to military documents to convince recipients into opening a ZIP file containing a hidden folder with a second archive file, along with a Windows shortcut (LNK) file, which, when opened, triggers the multi-step infection chain.
"They trigger PowerShell commands which act as the initial dropper stage where another archive file besides the LNK is used to set up the entire chain," security researchers Sathwik Ram Prakki and Kartikkumar Jivani said, adding the archive files were uploaded from Belarus to the VirusTotal platform in October 2025.
One such intermediate module is a PowerShell stager that's responsible for running anti-analysis checks to evade sandbox environments, as well as writing a Tor onion address ("yuknkap4im65njr3tlprnpqwj4h7aal4hrn2tdieg75rpp6fx25hqbyd[.]onion" to a file named "hostname" in the "C:\Users\
As part of its analysis checks, the malware confirms that the number of recent LNK files present on the system is greater than or equal to 10 and verifies that the current process count exceeds or equals 50. If either of the conditions is not met, the PowerShell abruptly ceases execution.
"These checks serve as environmental awareness mechanisms, as sandbox environments typically exhibit fewer user-generated shortcuts and reduced process activity compared to genuine user workstations," Cyble said.
Once these environmental checks are satisfied, the script proceeds to display a PDF decoy document stored in the aforementioned "logicpro" folder, while setting up persistence on the machine using a scheduled task under the name "githubdesktopMaintenance" that runs automatically after user logon and runs at regular intervals every day at 10:21 a.m. UTC.
The scheduled task is designed to launch "logicpro/githubdesktop.exe," which is nothing but a renamed version of "sshd.exe," a legitimate executable associated with OpenSSH for Windows,"
Source: The Hacker News
