Operation SkyCloak Deploys PowerShell and Hidden SSH Service to Evade Traffic Blocks

A new cyber-espionage campaign uncovered by SEQRITE Labs, dubbed Operation SkyCloak, is targeting military personnel from both Russia and Belarus, particularly the Russian Airborne Forces and Belarusian Special Forces.

The intrusion chain relies on a multi-stage PowerShell infection process and leverages Tor hidden services with obfs4 bridges to maintain anonymous communications and persistent remote access.

Multi-Stage Infection Chain

The initial infection begins with deceptive ZIP archives containing shortcut files masquerading as official military correspondence. The lures include nomination letters from Russia’s 83rd Separate Guards Airborne Assault Brigade and training circulars from Belarus’s 5th Separate Spetsnaz Brigade.

These decoy documents, uploaded from Belarus in mid-October 2025, are paired with LNK files such as “Нomination for appointment to military position.pdf.lnk” that launch PowerShell commands when opened. The double extension makes the shortcut look like a PDF on a system where Explorer hides known file extensions.

[Figure: Infection chain]

Once executed, the malicious LNK unpacks several nested archive layers into directories under the user’s profile, such as %APPDATA%\logicpro and %APPDATA%\reaper.

The droppers then run PowerShell scripts that perform extensive anti-analysis checks before continuing, for example counting the files in the user’s “Recent” folder to confirm a regularly used account and checking the number of running processes, both of which tend to be low in sandboxes.

The script then establishes persistence through hidden scheduled tasks registered from XML definitions, with daily and logon triggers and settings that allow the payload to run immediately rather than wait for the next trigger.

The PowerShell stager builds the onion address dynamically: it waits for Tor to write the hidden service’s hostname file, which confirms the onion service is up, and combines that address with the username to form a unique beacon identifying the host.

The beacon is sent through Tor’s local SOCKS listener on port 9050, with repeated retries so that it still gets out from restricted networks.
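One way to hunt for the persistence and beacon setup just described, written here as an added example and not taken from the SEQRITE report or the campaign’s own scripts. It uses the directory names and the hidden-service hostname file named in the article; the task-argument heuristics, function names and output layout are assumptions for illustration. It is meant to run in an elevated PowerShell session on the host being examined.

```powershell
# Added hunting script, not code from the campaign or the SEQRITE report.
# Directory names and the hostname-file behaviour come from the article;
# the task heuristics and output layout are assumptions for illustration.
$SuspectDirNames = @('logicpro', 'reaper')   # %APPDATA%\logicpro, %APPDATA%\reaper

function Get-SuspectStagerDirs {
    # Check every user profile on the box, not just the one running the script.
    foreach ($profile in Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue) {
        foreach ($name in $SuspectDirNames) {
            $dir = Join-Path $profile.FullName "AppData\Roaming\$name"
            if (Test-Path -LiteralPath $dir) { $dir }
        }
    }
}

function Find-StagerScheduledTasks {
    # Flag tasks whose action runs anything from a suspect directory, or runs
    # PowerShell with a hidden window, which is how the XML-defined tasks behave.
    $dirs = @(Get-SuspectStagerDirs)
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            $cmd      = ('{0} {1}' -f $action.Execute, $action.Arguments).Trim()
            $hitsDir  = $dirs | Where-Object { $cmd -like "*$_*" }
            $hiddenPs = ($cmd -match '(?i)powershell') -and ($cmd -match '(?i)-w(indowstyle)?\s+hidden')
            if ($hitsDir -or $hiddenPs) {
                [pscustomobject]@{
                    Task     = $task.TaskPath + $task.TaskName
                    State    = $task.State
                    Triggers = @($task.Triggers | ForEach-Object { $_.CimClass.CimClassName -replace '^MSFT_Task', '' }) -join ','
                    Command  = $cmd
                }
            }
        }
    }
}

function Find-OnionHostnameFiles {
    # Tor writes the onion address to <HiddenServiceDir>\hostname; the stager
    # polls for this file, so its presence under a suspect directory is a strong signal.
    foreach ($dir in Get-SuspectStagerDirs) {
        Get-ChildItem -LiteralPath $dir -Recurse -File -Filter hostname -ErrorAction SilentlyContinue | ForEach-Object {
            $onion = @(Get-Content -LiteralPath $_.FullName -ErrorAction SilentlyContinue)[0]
            [pscustomobject]@{
                File    = $_.FullName
                Onion   = $onion
                ValidV3 = [bool]($onion -match '^[a-z2-7]{56}\.onion$')   # v3 onion address shape
            }
        }
    }
}

Find-StagerScheduledTasks | Format-Table -AutoSize
Find-OnionHostnameFiles   | Format-Table -AutoSize
```

The hidden-window PowerShell check will also surface legitimate administrative tasks, so treat it as a triage list; a task that both launches from one of the suspect directories and carries a logon trigger is the combination worth escalating. Hits from Find-OnionHostnameFiles should be preserved as evidence, since the onion address is the operator’s route back into the host.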

Hidden SSH Service and Tor Bridge Communication

Subsequent payloads deploy legitimate OpenSSH binaries under misleading names such as “githubdesktop.exe” and “googlemaps.exe.”

These binaries run as an sshd service on port 20321 from a directory inside the user’s profile and accept only public-key authentication. sshd is bound to 127.0.0.1, so it is not reachable from the LAN; the Tor onion service on the same host forwards incoming onion connections to that loopback port, giving the operator SSH access without exposing any inbound port on the network interface.

The Tor client itself, launched from binaries renamed “confluence.exe” or “rider.exe,” is configured with obfs4 pluggable transports and bridges hosted in Germany, France, Poland, and Canada, so the host’s Tor traffic does not look like Tor on the wire and does not pass through publicly listed entry relays.

[Figure: Contents of archive files]

The torrc’s HiddenServicePort directives forward the onion service to the local SSH, SMB, and RDP ports, indicating that the attackers aim to keep persistent remote administration and data exfiltration channels on compromised hosts.
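To make the service layout concrete and give responders something to check, here is an added example (not the campaign’s configuration or the report’s code) that parses a torrc and an sshd_config of the shape described in this section, hunts for the renamed OpenSSH and Tor binaries, and lists the loopback listeners, including the SOCKS port from the infection-chain section above. The two config texts are constructed samples that follow the article’s description (loopback sshd on 20321, key-only authentication, onion ports forwarded to SSH, SMB and RDP, obfs4 bridges); the bridge address, fingerprint and paths in them are placeholders, and the version-resource heuristic and function names are assumptions.

```powershell
# Added example, not the campaign's files or the SEQRITE report's code. The two
# config samples are constructed to match the article's description; the bridge
# line and paths are placeholders, not recovered indicators.
$SshdPort      = 20321
$LureNames     = @('githubdesktop.exe', 'googlemaps.exe', 'confluence.exe', 'rider.exe')
$PortToService = @{ 22 = 'SSH'; 445 = 'SMB'; 3389 = 'RDP'; 20321 = 'SSH (renamed sshd)' }

$SampleTorrc = @'
UseBridges 1
ClientTransportPlugin obfs4 exec obfs4proxy.exe
Bridge obfs4 192.0.2.10:443 0123456789ABCDEF0123456789ABCDEF01234567 cert=PLACEHOLDER iat-mode=0
HiddenServiceDir C:\Users\victim\AppData\Roaming\confluence\hs
HiddenServicePort 22 127.0.0.1:20321
HiddenServicePort 445 127.0.0.1:445
HiddenServicePort 3389 127.0.0.1:3389
'@

$SampleSshdConfig = @'
Port 20321
ListenAddress 127.0.0.1
PubkeyAuthentication yes
PasswordAuthentication no
'@

function Get-Directive {
    # torrc and sshd_config share a "Name value..." line grammar. Return every value
    # of one directive; comment lines never match because the name is anchored.
    param([string]$Text, [string]$Name)
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line.Trim() -match "^(?i)$Name\s+(.+?)\s*$") { $Matches[1] }
    }
}

function Get-OnionExposure {
    # What the onion service forwards to, i.e. what a remote operator can reach.
    param([string]$Torrc)
    $forwarded = foreach ($v in Get-Directive $Torrc 'HiddenServicePort') {
        # "<virtport> [<ip>:]<port>"; a bare virtport maps to the same port on loopback.
        if ($v -match '^(\d+)(?:\s+(?:([\d.]+):)?(\d+))?$') {
            $tport = if ($Matches[3]) { $Matches[3] } else { $Matches[1] }
            $thost = if ($Matches[2]) { $Matches[2] } else { '127.0.0.1' }
            $svc   = $PortToService[[int]$tport]
            [pscustomobject]@{ OnionPort = [int]$Matches[1]; Target = "${thost}:${tport}"
                               Service = $(if ($svc) { $svc } else { 'other' }) }
        }
    }
    [pscustomobject]@{
        HiddenServiceDir = @(Get-Directive $Torrc 'HiddenServiceDir')[0]
        UsesBridges      = @(Get-Directive $Torrc 'UseBridges')[0] -eq '1'
        Obfs4Bridges     = @(Get-Directive $Torrc 'Bridge' | Where-Object { $_ -match '^obfs4\s' } |
                             ForEach-Object { ($_ -split '\s+')[1] })
        Forwarded        = @($forwarded)
    }
}

function Get-SshdPosture {
    # Loopback-only plus key-only auth is the described posture: unreachable from
    # the LAN, reachable only through the onion service with the operator's key.
    param([string]$Config)
    $listen = @(Get-Directive $Config 'ListenAddress')
    $pw     = @(Get-Directive $Config 'PasswordAuthentication')[0]
    [pscustomobject]@{
        Port            = @(Get-Directive $Config 'Port')[0]
        ListenAddress   = $listen -join ','
        PasswordAuth    = $pw
        PubkeyAuth      = @(Get-Directive $Config 'PubkeyAuthentication')[0]
        LoopbackKeyOnly = ($listen.Count -gt 0) -and -not ($listen | Where-Object { $_ -ne '127.0.0.1' }) -and ($pw -eq 'no')
    }
}

function Find-RenamedTorAndSshBinaries {
    # A rename changes the file name but not the PE version resource, so
    # OriginalFilename/ProductName still say OpenSSH or Tor (assumed to be present).
    $roots = @(Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
               ForEach-Object { Join-Path $_.FullName 'AppData' })
    if (-not $roots) { return }
    Get-ChildItem -Path $roots -Recurse -Filter *.exe -File -ErrorAction SilentlyContinue | ForEach-Object {
        $vi   = $_.VersionInfo
        $meta = "$($vi.OriginalFilename) $($vi.ProductName) $($vi.FileDescription)"
        $kind = if ($meta -match '(?i)openssh|sshd') { 'OpenSSH' } elseif ($meta -match '(?i)\btor\b') { 'Tor' }
        if ($kind -and $_.Name -notmatch '(?i)^(sshd|ssh|tor)\.exe$') {
            [pscustomobject]@{ Path = $_.FullName; LooksLike = $kind
                               KnownLureName = ($LureNames -contains $_.Name.ToLower())
                               OriginalFilename = $vi.OriginalFilename }
        }
    }
}

function Find-HiddenServiceListeners {
    # The renamed sshd on 127.0.0.1:20321 and Tor's SOCKS proxy on 9050 are both
    # loopback-only, so they only show up from the host itself, never in a network scan.
    param([int[]]$Ports = @($SshdPort, 9050))
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
      Where-Object { $Ports -contains $_.LocalPort } | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{ Listener = "$($_.LocalAddress):$($_.LocalPort)"; Pid = $_.OwningProcess
                           Process = $proc.ProcessName; Path = $proc.Path }
      }
}

$exposure = Get-OnionExposure -Torrc $SampleTorrc
$exposure | Format-List
$exposure.Forwarded | Format-Table -AutoSize
Get-SshdPosture -Config $SampleSshdConfig | Format-List
Find-RenamedTorAndSshBinaries | Format-Table -AutoSize
Find-HiddenServiceListeners   | Format-Table -AutoSize
```

On a live host, feed Get-OnionExposure the contents of every torrc found under user profiles (for example via Get-ChildItem with -Filter torrc and Get-Content -Raw) rather than the sample. The point the parser makes visible is that the sshd_config’s ListenAddress 127.0.0.1 and the torrc’s HiddenServicePort lines are two halves of one design: the first keeps the service off the network interface, the second makes it reachable from anywhere through Tor, so perimeter monitoring sees only obfs4 traffic to the bridges and never an SSH, SMB or RDP session.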

Although attribution remains uncertain, researchers note similarities to past Eastern European espionage activity.

The operation resembles the targeting and tooling of campaigns such as HollowQuill and CargoTalon, but is novel in combining PowerShell-based stagers with an embedded SSH-over-Tor channel.

SkyCloak’s architecture underscores a growing sophistication in regional espionage efforts to circumvent monitoring and maintain stealth persistence across military and defense networks.

The post Operation SkyCloak Deploys PowerShell and Hidden SSH Service to Evade Traffic Blocks appeared first on Cyber Security News.
