Operation SkyCloak targets defense sectors with Tor-enabled OpenSSH backdoor
Summary
Operation SkyCloak is an ongoing cyber espionage campaign targeting defense sectors in Russia and Belarus. The attack uses phishing emails with weaponized attachments to deploy a persistent backdoor on compromised hosts. The backdoor leverages OpenSSH and a customized Tor hidden service for command-and-control (C2) communications. The campaign employs sophisticated anti-analysis techniques and environmental checks to evade detection. It establishes persistence through scheduled tasks and exfiltrates system information via a .onion URL. The threat actors behind the campaign remain unidentified, but the activity aligns with Eastern European-linked espionage targeting defense and government sectors.
Timeline
- 04.11.2025 12:49 (1 article): Operation SkyCloak targets defense sectors with Tor-enabled OpenSSH backdoor (as summarized above)
Sources:
- Operation SkyCloak Deploys Tor-Enabled OpenSSH Backdoor Targeting Defense Sectors — thehackernews.com — 04.11.2025 12:49
Information Snippets
All snippets below were first reported 04.11.2025 12:49 from a single source (1 source, 1 article): Operation SkyCloak Deploys Tor-Enabled OpenSSH Backdoor Targeting Defense Sectors — thehackernews.com — 04.11.2025 12:49
- The campaign uses phishing emails with military document lures to deliver malware.
- The malware employs a multi-step infection chain involving PowerShell commands and archive files.
- The backdoor uses OpenSSH and a Tor hidden service with obfs4 for traffic obfuscation.
- The malware performs environmental checks to evade sandbox environments.
- Persistence is achieved through scheduled tasks named 'githubdesktopMaintenance'.
- The malware exfiltrates system information and a unique .onion URL hostname.
- The campaign shares tactical overlaps with a prior campaign tracked by CERT-UA as UAC-0125.