A new cyber espionage campaign known as Operation SkyCloak is targeting military and defense organizations in Russia and Belarus. Security researchers have discovered that the attackers are using phishing emails with fake military documents to deliver malicious files. The campaign appears to be focused on stealing sensitive information and maintaining long-term access to defense systems.

The attack begins when a target opens a ZIP archive disguised as an official military document. Inside the archive is a hidden shortcut file that secretly runs malicious PowerShell commands when opened. This script downloads and installs additional payloads, allowing the attackers to gain control over the system.

Once the malware is activated, it performs several checks to make sure it is not running inside a virtual machine or a testing environment. These checks help the attackers avoid detection by security researchers. Only after confirming that it is on a real target system does the malware proceed to install the main payload.

The main payload installs a modified version of OpenSSH on the infected machine. This version of OpenSSH is configured to communicate through the Tor network, creating an encrypted and anonymous backdoor. This allows the attackers to access the system remotely while remaining hidden from traditional monitoring tools.

The attackers also use this Tor-enabled OpenSSH backdoor to tunnel multiple services such as RDP, SMB, and SSH. This means they can move through the victim’s network undetected and collect valuable data or credentials. The use of Tor makes it extremely difficult for defenders to trace the origin or location of the attackers.

Researchers believe the targets were specifically chosen from high-value defense organizations, including military branches and special units. The level of precision and stealth used suggests that the operation’s goal is espionage, not financial gain. This makes Operation SkyCloak one of the more advanced and focused campaigns seen recently.

Experts warn that the use of legitimate tools, combined with Tor-based communication, makes detection and removal challenging. They recommend disabling unused SSH services, monitoring for unknown Tor connections, and scanning all email attachments before opening them. Network administrators are advised to update defenses and review their systems for signs of unusual activity.
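One way to turn the recommendations above into a host check, as an added example that is not from the article or from the researchers' report: it parses a constructed process and listening-socket inventory and flags an sshd running outside the sanctioned install path, an sshd bound only to loopback (the shape a Tor hidden-service front gives it), and any running tor process. The inventory line format, the allowed sshd paths and every sample value are assumptions.

```python
import re

# Assumption: sanctioned sshd binaries live only at these paths (compared lowercased).
ALLOWED_SSHD_PATHS = {r"c:\windows\system32\openssh\sshd.exe", "/usr/sbin/sshd"}

# Constructed inventory (not from the campaign): pid, executable path and the
# comma-separated sockets it listens on, one process per line.
SAMPLE_INVENTORY = r"""
pid=812  exe=C:\Windows\System32\OpenSSH\sshd.exe listen=0.0.0.0:22
pid=4120 exe=C:\Users\Public\Libraries\sshd.exe listen=127.0.0.1:2222
pid=4121 exe=C:\Users\Public\Libraries\tor.exe listen=127.0.0.1:9050
pid=1300 exe=C:\Program Files\Mozilla Firefox\firefox.exe listen=
"""

LINE_RE = re.compile(r"pid=(\d+)\s+exe=(.+?)\s+listen=(\S*)")

def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def _loopback_only(sockets):
    # True when the process listens, but only on 127.x / ::1
    return bool(sockets) and all(s.startswith(("127.", "[::1]")) for s in sockets)

def parse_inventory(text):
    procs = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pid, exe, listen = m.groups()
            procs.append((int(pid), exe.strip(), [s for s in listen.split(",") if s]))
    return procs

def find_suspicious(text):
    """Return (pid, reason) findings; loopback-only sshd next to tor is the key pair."""
    procs = parse_inventory(text)
    findings = []
    tor_pids = [pid for pid, exe, _ in procs if _basename(exe) in ("tor.exe", "tor")]
    findings += [(pid, "tor process running") for pid in tor_pids]
    for pid, exe, socks in procs:
        if _basename(exe) not in ("sshd.exe", "sshd"):
            continue
        if exe.lower() not in ALLOWED_SSHD_PATHS:
            findings.append((pid, "sshd outside sanctioned install path"))
        if _loopback_only(socks):
            reason = "sshd bound to loopback only"
            if tor_pids:
                reason += " while tor is running (hidden-service front pattern)"
            findings.append((pid, reason))
    return findings
```

Feed it a real inventory exported in the same `pid= exe= listen=` shape and treat any loopback-only sshd reported alongside a tor process as a host to isolate and image.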

In summary, Operation SkyCloak represents a sophisticated cyber campaign aimed at defense sectors using phishing, staged payloads, and Tor-enabled OpenSSH backdoors. The operation highlights how modern attackers combine legitimate software with stealth techniques to remain undetected. Defense organizations are urged to act quickly and apply all available security measures to prevent infiltration.

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news