Analysis of Attack Activities Using SSH+TOR Tunnels to Achieve Covert Persistence
APT-C-13 (Sandworm), a state-sponsored advanced persistent threat group, is conducting global cyber espionage using sophisticated campaigns that leverage nested SSH and TOR tunnels for covert persistence. The attackers distribute weaponized ZIP archives containing LNK files via spearphishing emails, which execute payloads that create scheduled tasks disguised as legitimate software. The campaign establishes dual-encrypted anonymous tunnels using the obfs4 protocol to evade deep packet inspection and maps sensitive ports such as SMB (445) and RDP (3389) to Onion domains for persistent backdoor access. Anti-analysis techniques including sandbox detection, file disguise, and process masquerading are used to maintain long-term unauthorized control over compromised systems for intelligence collection. No known exploits in the wild or patches are indicated. The threat is assessed as medium severity based on the described impact and sophistication.
AI Analysis (machine-generated threat intelligence)
Technical Summary
This campaign by APT-C-13 (Sandworm) uses spearphishing to deliver ZIP archives with weaponized LNK files that execute payloads establishing scheduled tasks for persistence. The attackers create covert remote access channels by nesting SSH tunnels within TOR tunnels, employing the obfs4 protocol to bypass network inspection. They map critical service ports (SMB/445, RDP/3389) to Onion domains, enabling persistent backdoor access through dual-encrypted anonymous tunnels. The campaign incorporates advanced evasion techniques such as sandbox detection, file disguise, and process masquerading to avoid detection and maintain long-term access for espionage purposes. Indicators include multiple Onion domains and file hashes linked to the campaign. No patch or official remediation is noted, and no cloud service is involved.
Potential Impact
The campaign enables persistent, covert remote access to compromised systems, allowing attackers to maintain long-term unauthorized control and conduct intelligence collection. The use of dual-encrypted SSH and TOR tunnels with the obfs4 protocol circumvents deep packet inspection, complicating detection and mitigation efforts. Mapping sensitive ports to Onion domains facilitates stealthy backdoor access to critical services such as SMB and RDP. The anti-analysis techniques further reduce the likelihood of detection, increasing the risk of prolonged espionage operations.
Mitigation Recommendations
No official patch or remediation is indicated for this campaign. Organizations should focus on detecting and blocking spearphishing attempts that deliver weaponized ZIP archives containing LNK files. Monitoring for suspicious scheduled-task creation and for unusual network connections involving SSH and TOR tunnels, especially those using the obfs4 protocol, may help identify compromise. Network defenses should consider blocking or alerting on the listed Onion domains, and endpoint tooling should alert on files matching the listed hashes. Note that .onion names are resolved inside the Tor client rather than through DNS, so the listed domains are more likely to surface in host artifacts (Tor configuration files, command lines, process memory) than in DNS or proxy logs. Since this is not a vulnerability with a patch, mitigation relies on detection and response capabilities tailored to the described tactics.
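The following triage script, added here as an example and not code from the report, AlienVault or 360, runs the report's indicators and described behaviours (scheduled-task persistence, Tor hidden-service mappings of SMB/RDP, the obfs4 transport, SSH sessions to .onion hosts) over a few constructed host telemetry lines. The `Event` record, its field names, the rule names and every sample line are assumptions made for the demo; only the hashes and Onion domains are taken from the report.

```python
"""
Triage helper for the tactics in this report: match the listed IoCs and look
for the report's behaviours in host telemetry. Added example, not code from
the report or from AlienVault/360. The Event record, its fields and all
sample lines are constructed for this demo.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# IoCs exactly as listed in the report (lowercased for comparison).
ONION_IOCS = {
    "2zrek3mkl72d5b6evpkx2rz2glzrltiorgblpfb2ttg6lacwlsdk4iqd.onion",
    "3xl6xhboulyuez6fuydyhj7pdvkshzn4ogsmgwbb3ukrkvgi6bcwvfyd.onion",
    "e3mnde5uyuxjoztup6t3m7nykbicexbzra76ucligwgsaez65w63y2ad.onion",
    "imnlyhj4mtmtesqrvf7c4ma6dkxeyxw3ae53w6fuz42spndg7zpat6qd.onion",
    "kvk46su7d2qi6g4n43syp4zbsf2rihnc6ztj77qtc2ojvewjqvqilnqd.onion",
    "nytiplwknkinobjaeb5tajjiglip3vtaccju6ta7d47u5u64ktrwhrqd.onion",
}
HASH_IOCS = {
    "0a78005858bef767b39cfbbeb543a80dfde46807ee75594de77d3ddfe119e8b5",  # SHA-256
    "2156c270ffe8e4b23b67efed191b9737",                                  # MD5
    "975d8bdfec6b58ae9004d526fa9f852108026a9c",                          # SHA-1
}
SENSITIVE_PORTS = {445: "SMB", 3389: "RDP"}

HEX_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b")
ONION_RE = re.compile(r"\b[a-z2-7]{56}\.onion\b")                     # v3 onion address
HS_PORT_RE = re.compile(r"\bHiddenServicePort\s+(\d+)\s+\S+", re.I)  # torrc directive
SCHTASKS_RE = re.compile(r"\bschtasks(?:\.exe)?\b.*?/create\b", re.I)
USER_WRITABLE_RE = re.compile(r"\\(?:Temp|Downloads|AppData\\Local)\\", re.I)


@dataclass
class Event:
    """One telemetry line (assumed format). kind is 'process' (command line),
    'file' (path plus hashes) or 'config' (a line from a Tor configuration)."""
    kind: str
    text: str
    parent: Optional[str] = None  # parent image for process events


def triage(events):
    """Return (rule, detail, event_index) findings for the report's indicators."""
    findings = []
    for i, ev in enumerate(events):
        low = ev.text.lower()
        for h in HEX_RE.findall(low):
            if h in HASH_IOCS:
                findings.append(("ioc_hash", h, i))
        for d in ONION_RE.findall(low):
            rule = "ioc_onion" if d in ONION_IOCS else "onion_unlisted"
            findings.append((rule, d, i))
        for m in HS_PORT_RE.finditer(ev.text):
            port = int(m.group(1))
            if port in SENSITIVE_PORTS:
                findings.append(("hidden_service_sensitive_port",
                                 f"{SENSITIVE_PORTS[port]}/{port}", i))
        if ev.kind == "config" and re.search(r"\bobfs4\b", low):
            findings.append(("obfs4_transport", ev.text.strip(), i))
        if ev.kind == "process" and SCHTASKS_RE.search(ev.text):
            parent = ev.parent or "<unknown>"
            rule = ("schtasks_create_from_user_writable_parent"
                    if USER_WRITABLE_RE.search(parent) else "schtasks_create")
            findings.append((rule, parent, i))
    return findings


def summarize(findings):
    """Count findings per rule."""
    return dict(Counter(rule for rule, _, _ in findings))


# Constructed sample telemetry (not real data from the report).
SAMPLE_EVENTS = [
    Event("file", r"C:\Users\alice\AppData\Local\Temp\report.pdf.exe "
                  "sha256=0a78005858bef767b39cfbbeb543a80dfde46807ee75594de77d3ddfe119e8b5"),
    Event("process", r'schtasks.exe /create /tn "SoftwareUpdater" '
                     r'/tr C:\Users\alice\AppData\Local\Temp\report.pdf.exe /sc minute /mo 10',
          parent=r"C:\Users\alice\AppData\Local\Temp\report.pdf.exe"),
    Event("config", r"ClientTransportPlugin obfs4 exec C:\ProgramData\svc\obfs4proxy.exe"),
    Event("config", "HiddenServicePort 445 127.0.0.1:445"),
    Event("config", "HiddenServicePort 3389 127.0.0.1:3389"),
    Event("process", "ssh.exe svc@2zrek3mkl72d5b6evpkx2rz2glzrltiorgblpfb2ttg6lacwlsdk4iqd.onion",
          parent=r"C:\Users\alice\AppData\Local\Temp\report.pdf.exe"),
    Event("process", "svchost.exe -k netsvcs", parent=r"C:\Windows\System32\services.exe"),
]

if __name__ == "__main__":
    for rule, detail, idx in triage(SAMPLE_EVENTS):
        print(f"[{rule}] event {idx}: {detail}")
    print(summarize(triage(SAMPLE_EVENTS)))
```

The hash and Onion rules are exact IoC matches; the remaining rules are behavioural and fire on the report's described technique regardless of indicator, which is what you want once the infrastructure rotates. The `HiddenServicePort` check keys on the Tor configuration directive that maps a virtual port to a local service, so a mapping of 445 or 3389 on a workstation is the host-side artifact of the "ports mapped to Onion domains" behaviour the report describes.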
Indicators of Compromise
- domain: 2zrek3mkl72d5b6evpkx2rz2glzrltiorgblpfb2ttg6lacwlsdk4iqd.onion
- domain: 3xl6xhboulyuez6fuydyhj7pdvkshzn4ogsmgwbb3ukrkvgi6bcwvfyd.onion
- hash (SHA-256): 0a78005858bef767b39cfbbeb543a80dfde46807ee75594de77d3ddfe119e8b5
- hash (MD5): 2156c270ffe8e4b23b67efed191b9737
- hash (SHA-1): 975d8bdfec6b58ae9004d526fa9f852108026a9c
- domain: e3mnde5uyuxjoztup6t3m7nykbicexbzra76ucligwgsaez65w63y2ad.onion
- domain: imnlyhj4mtmtesqrvf7c4ma6dkxeyxw3ae53w6fuz42spndg7zpat6qd.onion
- domain: kvk46su7d2qi6g4n43syp4zbsf2rihnc6ztj77qtc2ojvewjqvqilnqd.onion
- domain: nytiplwknkinobjaeb5tajjiglip3vtaccju6ta7d47u5u64ktrwhrqd.onion
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.360.cn/n/13005.html
- Adversary: APT-C-13, Sandworm, FROZENBARENTS
- Pulse Id: 69f1f50a5410ca637c84368c
- Threat Score: null
Threat ID: 69f30d7fcbff5d8610a2e832
Added to database: 4/30/2026, 8:06:23 AM
Last enriched: 4/30/2026, 8:21:20 AM
Last updated: 5/1/2026, 12:29:00 AM
Views: 146