OpenSSH & Tor: ‘Operation SkyCloak’ Targets Defense Agencies with Stealthy Multi-Stage Backdoor
In mid-autumn 2025, researchers at Cyble and Seqrite Labs observed a new wave of targeted malicious activity dubbed Operation SkyCloak. According to their findings, an unidentified threat actor has been conducting a phishing campaign aimed at defence organizations in Russia and Belarus, with the objective of clandestinely installing a multi-stage backdoor that leverages OpenSSH and an anonymized Tor infrastructure specially configured to use the obfs4 protocol to obfuscate network traffic.
The lure arrives as purported military documents containing a ZIP archive that conceals an LNK shortcut and an additional archive. Activating the shortcut triggers a chain of PowerShell commands that orchestrate subsequent component downloads. These commands first assess whether the execution environment resembles a real target—checking the number of user shortcuts and active processes—and will abort if values fall below thresholds, thereby avoiding execution in sandboxes or researcher machines. The samples, the analysts note, were uploaded to VirusTotal from Belarus in October.
If the environment check succeeds, the script displays a bogus PDF and creates a scheduled task named githubdesktopMaintenance. This task runs daily at a fixed time after user login and launches a renamed executable, sshd.exe—the OpenSSH server binary—masquerading as githubdesktop.exe within a folder named logicpro. Through this component, the operators establish key-restricted SSH access, enabling remote control while evading standard audit mechanisms.
The second component is a modified Tor build disguised as pinterest.exe, also executed by schedule. Its purpose is to instantiate a hidden service that connects to the attackers’ onion address over obfs4-wrapped Tor traffic. This binary proxies access to critical Windows services—such as RDP, SMB, and SSH—over the Tor network, providing resilient connectivity and bypassing conventional defensive controls.
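One defender-side way to surface the two renamed components described above is to compare the file name on disk with the PE version resource, which renaming does not touch. The script below is an added example, not code from the Cyble or Seqrite reports; it runs over constructed records in the shape of Sysmon process-creation events and assumes the OpenSSH and Tor binaries still carry their `OriginalFileName` values (`sshd.exe`, `tor.exe`), which a modified build may have stripped.

```python
# Hunt for SkyCloak-style renamed binaries (sshd.exe -> githubdesktop.exe,
# Tor -> pinterest.exe) launched from a "logicpro" folder.
import ntpath

# Keyed by the OriginalFileName the PE version resource keeps after a rename.
# "tor.exe" as the original name is an assumption for this example.
RENAMED_TOOLS = {"sshd.exe": "OpenSSH server", "tor.exe": "Tor client"}
SUSPICIOUS_DIRS = {"logicpro"}

# Constructed records in Sysmon Event ID 1 shape; field names are Sysmon's,
# paths and command lines are made up for this example.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Roaming\logicpro\githubdesktop.exe",
     "OriginalFileName": "sshd.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Roaming\logicpro\githubdesktop.exe" -f sshd_config'},
    {"Image": r"C:\Users\alice\AppData\Roaming\logicpro\pinterest.exe",
     "OriginalFileName": "tor.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Roaming\logicpro\pinterest.exe" -f torrc'},
    {"Image": r"C:\Program Files\OpenSSH\sshd.exe",          # legitimate install
     "OriginalFileName": "sshd.exe",
     "CommandLine": r'"C:\Program Files\OpenSSH\sshd.exe"'},
    {"Image": r"C:\Users\alice\AppData\Local\GitHubDesktop\GitHubDesktop.exe",
     "OriginalFileName": "GitHubDesktop.exe",               # the real client
     "CommandLine": "GitHubDesktop.exe"},
]

def check_event(event):
    """Return the reasons a process-creation event matches SkyCloak tradecraft."""
    reasons = []
    image = event.get("Image", "")
    on_disk = ntpath.basename(image).lower()
    original = event.get("OriginalFileName", "").lower()
    # A renamed file keeps its version resource, so OriginalFileName
    # still names the real tool while the on-disk name differs.
    if original in RENAMED_TOOLS and original != on_disk:
        reasons.append(f"{RENAMED_TOOLS[original]} renamed to {on_disk}")
    parts = {p.lower() for p in ntpath.normpath(image).split(ntpath.sep)}
    hit = parts & SUSPICIOUS_DIRS
    if hit:
        reasons.append("executed from campaign folder " + ", ".join(sorted(hit)))
    return reasons

def hunt(events):
    """Map each flagged image path to its list of detection reasons."""
    return {e["Image"]: r for e in events if (r := check_event(e))}

if __name__ == "__main__":
    for image, reasons in hunt(SAMPLE_EVENTS).items():
        print(image, "->", "; ".join(reasons))
```

The same two checks translate directly into a Sigma or EDR rule: `OriginalFileName` in {sshd.exe, tor.exe} with a non-matching image name, plus the folder name from the report.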
Upon completing installation, the backdoor transmits information about the compromised host, including an assigned onion hostname, via a curl request. Thereafter, the adversaries are able to exert full control over the victim machine through an encrypted command-and-control channel.
Seqrite and Cyble assess that the attack chain’s capabilities and the choice of target countries are consistent with an espionage operation focused on Eastern Europe. The report emphasizes that the architecture enables the operators to remain stealthy—the entire data exchange traverses Tor, and access keys are pre-provisioned to facilitate covert, persistent access.