Operation SkyCloak phishing backdoor campaign targeting Russia and Belarus defense sector
Campaign
Summary
The Operation SkyCloak campaign is using phishing emails with weaponized attachments to seed a persistent backdoor on likely defense-sector systems in Russia and Belarus. The operation matters because it combines covert remote access with traffic obfuscation through a customized Tor hidden service, making compromise harder to detect and investigate.
Related Happenings
Tomiris 2025 government-targeting campaign
Campaign
First: 01.12.2025 07:07
Last: 01.12.2025 07:07
Sources 1
About this happening:
The **Tomiris 2025 campaign** is using **phishing** and **public-service C2** to target **foreign ministries**, **intergovernmental organizations**, and **government entities**, i...
CAPI Backdoor phishing ZIP campaign targeting Russian automobile and e-commerce sectors
Campaign
First: 18.10.2025 14:41
Last: 18.10.2025 14:41
Sources 1
About this happening:
A new **CAPI Backdoor** campaign is targeting **Russian automobile and e-commerce sectors**, using **phishing emails** with **ZIP archives** to deliver malware that can steal brow...
UAC-0245 CABINETRAT delivery campaign targeting Ukraine
Campaign
First: 01.10.2025 10:11
Last: 01.10.2025 10:11
Sources 1
About this happening:
A **UAC-0245** campaign is using the **CABINETRAT** backdoor to target **Ukraine**, creating persistent access for **reconnaissance** and **file transfer**. The operation matters...
ScarCruft Operation HanKook Phantom phishing campaign targeting South Korean researchers
Campaign
First: 01.09.2025 11:26
Last: 01.09.2025 11:26
Sources 1
About this happening:
A **ScarCruft (APT37)** phishing operation called **Operation HanKook Phantom** is targeting **South Korean academics, former officials, and researchers** with a **RokRAT** infect...
Timeline
04.11.2025 12:49 · 2 articles
Operation SkyCloak phishing campaign deploys a persistent OpenSSH backdoor
Initial Disclosure
Researchers from Cyble and Seqrite Labs described Operation SkyCloak, a phishing campaign that uses weaponized ZIP and LNK attachments to target likely defense-sector systems in Russia and Belarus. The payload installs a persistent backdoor that combines OpenSSH for Windows with a customized Tor hidden service using obfs4 for traffic obfuscation. Cyble assessed the activity as consistent with Eastern European-linked espionage and noted tactical overlaps with UAC-0125.
Sources
- Operation SkyCloak Deploys Tor-Enabled OpenSSH Backdoor Targeting Defense Sectors — thehackernews.com — 04.11.2025 12:49