In October 2025, threat researchers at Cyble Research and Intelligence Labs uncovered a sophisticated cyber attack that uses weaponized military documents to distribute an advanced SSH-Tor backdoor targeting defense sector personnel.
The campaign centers on a deceptively simple delivery mechanism: a ZIP archive disguised as a Belarusian military document titled “ТЛГ на убытие на переподготовку.pdf” (TLG for departure for retraining), specifically crafted to lure Special Operations Command personnel who specialize in unmanned aerial vehicle operations.
The attack represents a significant evolution in state-sponsored cyber espionage techniques, combining social engineering with sophisticated technical countermeasures to establish persistent backdoor access.
Cyble analysts identified that the malware deploys OpenSSH for Windows alongside a customized Tor hidden service that uses obfs4 traffic obfuscation, granting the threat actors anonymous access to SSH, RDP, SFTP, and SMB on compromised systems.
The researchers successfully connected via SSH to confirm that the backdoor was operational, though no secondary payloads or post-exploitation activity were observed at the time of analysis.
Threat attribution analysis suggests moderate-confidence alignment with UAC-0125/Sandworm (APT44), a Russian-linked advanced persistent threat group known for targeting Ukrainian military and critical infrastructure since 2013.
Infection chain (Source – Cyble)
The tactical patterns, infrastructure overlaps, and operational methodology mirror the December 2024 Army+ campaign, demonstrating Sandworm’s continuous refinement of proven attack techniques.
Multi-Stage Infection Mechanism and Evasion Strategy
The attack chain employs nested ZIP archives and an LNK file disguise to bypass automated detection systems.
Upon extraction, victims encounter an LNK file that appears to be a legitimate PDF, alongside a hidden directory named “FOUND.000” that contains a further archive titled “persistentHandlerHashingEncodingScalable.zip.”
SSH connection to the victim host (Source – Cyble)
When the victim attempts to open what appears to be a PDF document, the LNK file executes embedded PowerShell commands that extract the nested archive to the %appdata%\logicpro directory and retrieve obfuscated PowerShell content for execution.
Cyble analysts identified anti-analysis checks embedded in the second-stage PowerShell script. The malware validates that at least 10 recent LNK files exist on the system and that the running process count exceeds 50, thresholds that sandbox environments rarely meet.
This environmental-awareness check terminates execution in automated analysis systems while allowing the malware to proceed on genuine user workstations.
After the checks pass, the script displays a decoy PDF to maintain the illusion of legitimacy while establishing persistence through scheduled tasks configured to run at logon and daily at 10:21 AM UTC, ensuring continuous access to the compromised host.
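The two thresholds above are a sandbox-readiness problem for analysts: a detonation VM that has fewer than 10 recent shortcuts or fewer than 50 processes never reaches the interesting stages. The following PowerShell function is an added example, not code from Cyble or from the malware, that measures both properties so an analysis VM can be checked against the reported thresholds before detonation. The malware's exact enumeration method is not stated on the page; the user's Recent folder and `Get-Process` are assumptions used here to approximate what it checks.

```powershell
# Added example (not from the Cyble report): measure the two environment
# properties the second-stage script is reported to check, so an analysis VM
# can be confirmed to look like a real user workstation before detonation.
function Test-AnalysisEnvironment {
    param(
        [int]$MinRecentLnk = 10,   # "at least 10 recent LNK files" (from the page)
        [int]$MinProcesses = 50    # "process count exceeds 50" (from the page)
    )

    # Assumption: the malware looks at the user's Recent folder, which is where
    # Windows keeps the LNK files created when documents are opened.
    $recentDir = [Environment]::GetFolderPath('Recent')
    $lnkCount  = (Get-ChildItem -Path $recentDir -Filter '*.lnk' -File `
                      -ErrorAction SilentlyContinue | Measure-Object).Count

    # Assumption: a plain process enumeration, equivalent to Get-Process.
    $procCount = (Get-Process | Measure-Object).Count

    [pscustomobject]@{
        RecentLnkFiles    = $lnkCount
        ProcessCount      = $procCount
        PassesLnkCheck    = ($lnkCount -ge $MinRecentLnk)
        PassesProcCheck   = ($procCount -gt $MinProcesses)
        # Both must hold for the second stage to continue on this host.
        LooksLikeUserHost = ($lnkCount -ge $MinRecentLnk -and $procCount -gt $MinProcesses)
    }
}

Test-AnalysisEnvironment | Format-List
```

If `LooksLikeUserHost` is false, seed the VM with opened documents and background applications before re-running the sample; otherwise the trace will stop at the check and show nothing of the SSH and Tor deployment.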
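The artifacts named in this section (the `%appdata%\logicpro` staging directory, the hidden `FOUND.000` directory holding `persistentHandlerHashingEncodingScalable.zip`, and scheduled tasks triggered at logon and daily at 10:21) give defenders concrete things to hunt for. The PowerShell below is an added example written for this page, not Cyble's tooling, that checks a single host for those artifacts. Everything beyond the names and times quoted on the page (the task-action filters, the assumption that the tasks run PowerShell or point into the staging directory) is an assumption and should be tuned to local telemetry.

```powershell
# Added example (not from the Cyble report): hunt one host for the artifacts
# the article describes. Returns a list of findings for review.
function Find-SshTorBackdoorArtifacts {
    $findings = @()

    # 1. Staging directory %APPDATA%\logicpro (path quoted on the page), and
    #    any running process whose image lives under it.
    $staging = Join-Path $env:APPDATA 'logicpro'
    if (Test-Path -LiteralPath $staging) {
        $findings += [pscustomobject]@{ Type = 'StagingDir'; Detail = $staging }
        foreach ($p in Get-Process -ErrorAction SilentlyContinue) {
            if ($p.Path -and $p.Path -like "$staging\*") {
                $findings += [pscustomobject]@{ Type = 'ProcessFromStagingDir'; Detail = "$($p.Id) $($p.Path)" }
            }
        }
    }

    # 2. Hidden FOUND.000 directory under the user profile. FOUND.000 is a
    #    legitimate chkdsk artifact at a drive root, so only profile copies and
    #    those holding the quoted archive name are flagged.
    $dirs = Get-ChildItem -Path $env:USERPROFILE -Directory -Recurse -Force `
                -Filter 'FOUND.000' -ErrorAction SilentlyContinue
    foreach ($d in $dirs) {
        $zip = Join-Path $d.FullName 'persistentHandlerHashingEncodingScalable.zip'
        if (Test-Path -LiteralPath $zip) {
            $findings += [pscustomobject]@{ Type = 'NestedArchive'; Detail = $zip }
        } elseif ($d.Attributes -band [IO.FileAttributes]::Hidden) {
            $findings += [pscustomobject]@{ Type = 'HiddenFound000'; Detail = $d.FullName }
        }
    }

    # 3. Scheduled tasks with a logon trigger or a daily trigger at 10:21.
    #    The page gives 10:21 UTC; Task Scheduler stores StartBoundary as
    #    ISO 8601 and may show local time, so any 10:21 is flagged for review.
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        foreach ($t in $task.Triggers) {
            $class      = $t.CimClass.CimClassName
            $isLogon    = $class -eq 'MSFT_TaskLogonTrigger'
            $isDaily    = $class -eq 'MSFT_TaskDailyTrigger' -and ($t.StartBoundary -match 'T10:21')
            if (-not ($isLogon -or $isDaily)) { continue }
            # Assumption: the malicious tasks invoke PowerShell or point into the
            # staging directory. Logon triggers alone are too common to flag.
            if ($actions -match 'logicpro' -or ($isDaily -and $actions -match 'powershell')) {
                $findings += [pscustomobject]@{
                    Type   = if ($isDaily) { 'DailyTask1021' } else { 'LogonTask' }
                    Detail = "$($task.TaskPath)$($task.TaskName) -> $actions"
                }
            }
        }
    }

    return $findings
}

Find-SshTorBackdoorArtifacts | Format-Table -AutoSize
```

Run it in an elevated session so that tasks registered by other users are visible. A hit on `StagingDir` or `NestedArchive` is high confidence given the specific names; a `DailyTask1021` hit should be confirmed by reading the task's action and the script it launches before escalating.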
