Attack Activity Analysis Using SSH+TOR Tunnels for Covert Persistence
APT-C-13 (Sandworm), also tracked as FROZENBARENTS, is a state-sponsored advanced persistent threat group conducting global cyber espionage against government agencies, diplomatic departments, energy enterprises, and research organizations. Recently detected samples show the group nesting SSH inside Tor tunnels to build covert communication channels. The intrusion begins with spear-phishing emails carrying malicious LNK files disguised as PDF documents. On execution, the payload stands up Tor hidden (onion) services that forward the victim's internal SMB (445) and RDP (3389) ports to .onion addresses, so the operator can reach those services through the Tor network without any inbound exposure at the victim's perimeter; an SSH service configured for public-key authentication provides an additional encrypted remote-access channel that only the holder of the matching private key can use. The Tor traffic is wrapped in the obfs4 pluggable transport, which randomizes the wire format to defeat deep packet inspection. Persistence is achieved through scheduled tasks masquerading as legitimate applications such as Opera GX and Dropbox, giving the group an anonymous shadow management infrastructure for sustained intelligence collection.
AI Analysis
Technical Summary
APT-C-13 (Sandworm) uses spear-phishing to deliver malicious LNK files whose payload establishes a nested SSH-over-Tor tunnel architecture for covert communication. Tor hidden services forward the host's internal SMB (port 445) and RDP (port 3389) services to .onion addresses, while an SSH server with public-key authentication provides an encrypted remote-access channel. The obfs4 pluggable transport obfuscates the Tor traffic to evade deep packet inspection. Persistence is maintained through scheduled tasks disguised as legitimate software, giving the group a shadow management infrastructure for ongoing espionage.
Potential Impact
This campaign gives the threat actor covert, persistent access to targeted networks and supports intelligence collection from government, diplomatic, energy, and research organizations worldwide. Because SMB and RDP are re-exposed over Tor, the operator gains both interactive desktop access and file-share access to the compromised host from an origin that cannot be attributed or geo-blocked. The obfuscated Tor transport and the key-authenticated SSH channel complicate detection and response, allowing prolonged unauthorized access and data exfiltration.
Mitigation Recommendations
No patch applies: this is an intrusion campaign built from legitimate tooling (Tor, obfs4, SSH, scheduled tasks), not a software vulnerability, so mitigation rests on prevention and detection. Harden the initial access path with user awareness for spear-phishing and with mail or endpoint controls that quarantine LNK attachments, in particular LNK files posing as PDFs. Audit scheduled tasks: a task named after Opera GX or Dropbox whose action runs from a user-writable directory instead of the vendor's install path, or whose command line references tor, obfs4proxy or an SSH daemon, is a strong signal. Hunt for unexpected listeners and artifacts on workstations: an SSH server process, an authorized_keys file the user did not create, and an onion-service directory (a Tor data directory containing a hostname file and hs_ed25519 key files). On the network side two caveats matter. First, the onion services open no inbound port at the perimeter; the victim host makes outbound connections to Tor guards or bridges, so inbound firewall rules do not help and egress filtering does. Second, obfs4 exists precisely to defeat protocol-based deep packet inspection, and private obfs4 bridges are not in the public relay lists, so blocking published Tor relay IPs and DPI signatures catch only the unobfuscated case; an egress allow-list and alerting on long-lived outbound connections to unclassified hosts on arbitrary ports are more reliable. Finally, restrict remote access services: disable RDP and SMB where they are not required and allow them only from a managed jump host.
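As an added example, not code from the AlienVault pulse or from the 360 report it summarizes, the following Python hunt script checks two artifacts a responder can collect offline from a suspect Windows host: scheduled-task definitions (the XML files under C:\Windows\System32\Tasks, with the task name taken from the file path and passed in separately) and any torrc found beside a dropped tor.exe. It flags tasks whose name or description borrows a vendor (Opera GX, Dropbox) but whose action does not launch from that vendor's install directory or launches a Tor or SSH binary, and torrc files whose HiddenServicePort directives republish SMB/445, RDP/3389 or SSH/22 or that enable the obfs4 transport. The sample task XML and torrc are constructed for this example, and the vendor install-path fragments and binary names are assumptions, not indicators from the report.

```python
"""Offline hunt for the SSH+Tor tunnel tradecraft described above.

Inputs: scheduled-task XML (files under C:\\Windows\\System32\\Tasks or
`schtasks /query /tn <name> /xml`, task name passed separately) and a torrc.
The sample inputs below are constructed for this example, not real artifacts.
"""
import ntpath
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Ports the report says were republished as onion services (plus SSH).
SENSITIVE_PORTS = {445: "SMB", 3389: "RDP", 22: "SSH"}

# Binaries an "updater" task has no reason to launch (assumed names).
TUNNEL_BINARIES = {"tor.exe", "obfs4proxy.exe", "sshd.exe", "ssh.exe", "plink.exe"}

# Vendors the campaign masquerades as, mapped to a path fragment a genuine
# install would launch from (assumption: default install locations).
EXPECTED_VENDOR_PATHS = {
    "opera gx": ("\\opera gx\\",),
    "dropbox": ("\\dropbox\\",),
}


def task_findings(task_name: str, task_xml: str) -> list[str]:
    """Return suspicious traits of one scheduled-task definition."""
    root = ET.fromstring(task_xml)
    desc = root.findtext(".//t:RegistrationInfo/t:Description", default="", namespaces=TASK_NS)
    label = f"{task_name} {desc}".lower()
    findings = []
    for exec_el in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = exec_el.findtext("t:Command", default="", namespaces=TASK_NS).strip().strip('"')
        args = exec_el.findtext("t:Arguments", default="", namespaces=TASK_NS)
        cmd_l, args_l = cmd.lower(), args.lower()
        # ntpath handles backslash paths even when this runs on Linux.
        binary = ntpath.basename(cmd_l)
        if binary in TUNNEL_BINARIES or any(b in args_l for b in TUNNEL_BINARIES):
            findings.append(f"{task_name}: action launches tunnel binary: {cmd} {args}".rstrip())
        for vendor, paths in EXPECTED_VENDOR_PATHS.items():
            if vendor in label and not any(p in cmd_l for p in paths):
                findings.append(f"{task_name}: named after {vendor} but runs {cmd}")
    return findings


def torrc_findings(torrc: str) -> list[str]:
    """Return onion-service and transport settings that match the tradecraft."""
    findings = []
    service_dir = None
    for raw in torrc.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "hiddenservicedir":
            service_dir = value
        elif key == "hiddenserviceport":
            # Syntax: HiddenServicePort VIRTPORT [TARGET]; TARGET is a bare
            # port or host:port and defaults to 127.0.0.1:VIRTPORT.
            m = re.match(r"(\d+)(?:\s+(\S+))?$", value)
            if not m:
                continue
            virt = int(m.group(1))
            target = m.group(2) or f"127.0.0.1:{virt}"
            tail = target.rsplit(":", 1)[-1]
            target_port = int(tail) if tail.isdigit() else virt
            hit = next((p for p in (virt, target_port) if p in SENSITIVE_PORTS), None)
            if hit is not None:
                findings.append(f"onion service {service_dir} republishes {SENSITIVE_PORTS[hit]}/{hit} -> {target}")
        elif key == "clienttransportplugin" and value.lower().startswith("obfs4"):
            findings.append(f"obfs4 pluggable transport enabled (DPI evasion): {value}")
        elif key == "bridge" and value.lower().startswith("obfs4"):
            findings.append(f"obfs4 bridge configured: {value.split()[1]}")
    return findings


# Constructed sample: a task named after Opera GX that starts Tor from a
# user-writable directory. Real exports are UTF-16 with an XML declaration;
# decode them to text before passing them in.
SAMPLE_TASK_XML = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Description>Opera GX Update Service</Description></RegistrationInfo>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\\Users\\Public\\OperaGX\\tor.exe"</Command>
      <Arguments>-f C:\\Users\\Public\\OperaGX\\torrc</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed sample torrc: onion services re-exposing SMB and RDP plus an
# obfs4 bridge (192.0.2.10 is a documentation address; fingerprint and cert
# are placeholders).
SAMPLE_TORRC = """# constructed example
DataDirectory C:\\Users\\Public\\OperaGX\\data
HiddenServiceDir C:\\Users\\Public\\OperaGX\\svc_smb
HiddenServicePort 445 127.0.0.1:445
HiddenServiceDir C:\\Users\\Public\\OperaGX\\svc_rdp
HiddenServicePort 3389 127.0.0.1:3389
UseBridges 1
ClientTransportPlugin obfs4 exec C:\\Users\\Public\\OperaGX\\obfs4proxy.exe
Bridge obfs4 192.0.2.10:443 0000000000000000000000000000000000000000 cert=PLACEHOLDER iat-mode=0
"""

if __name__ == "__main__":
    for f in task_findings("\\Opera GX Update", SAMPLE_TASK_XML) + torrc_findings(SAMPLE_TORRC):
        print("[!]", f)
```

The vendor-path check is deliberately simple: a task that carries a vendor's name but launches from %PUBLIC%, %APPDATA% or another writable location is the pattern described above, and a genuine Opera GX or Dropbox updater runs from its own install directory. Extend EXPECTED_VENDOR_PATHS with whatever other software the environment's users actually have installed.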
Indicators of Compromise
Hash type is inferred from digest length (32 hex = MD5, 40 = SHA-1, 64 = SHA-256); the source lists the digests unlabelled.
- hash (SHA-256): 2a9b971c835e2ee5f190d068c602601fdaf718d8bfe085c2032d59a6f25ed082
- hash (SHA-256): 42910bf2aa4ac9d62e2b32e6fadc42f11bd7215fee492ecf72cfd6238965d066
- domain: 2zrek3mkl72d5b6evpkx2rz2glzrltiorgblpfb2ttg6lacwlsdk4iqd.onion
- domain: 3xl6xhboulyuez6fuydyhj7pdvkshzn4ogsmgwbb3ukrkvgi6bcwvfyd.onion
- hash (MD5): 6616717dfb2a795113b47d862c5412e2
- hash (MD5): 99732e49668e56527963742922277459
- hash (SHA-256): 111e42c31f8e4ae3764f339d7ad04b20bb21be5d97ede13aaa7c73e72cb7549d
- hash (SHA-256): 0a78005858bef767b39cfbbeb543a80dfde46807ee75594de77d3ddfe119e8b5
- hash (MD5): 0b6f7356919b9632c1158681ee0462f3
- hash (MD5): 4d5074d6e0722ceec45a083fa8444164
- hash (SHA-1): 7b50320a005cf68e5c17d51a8fd8422ceef1611a
- hash (SHA-1): aba35de9e819396f89f34c03058ebe71a7f98b6b
- hash (MD5): a6d095dc0e01f97db7e74cb5bed402dc
- hash (SHA-1): 940658590d938380b71fd5055635c02564a63ef1
- hash (SHA-1): c22150121a13713b395a155af5d55680dde56ac1
- hash (SHA-256): 1fbdb99357ace6d6db830c63850a6e8a4ea3607776c4668feb135f3ff0d95151
- hash (SHA-256): 63297928883b0dc4e0735963dbcb2b2fa0c1e131af6d486f882070a6eb7e339a
- hash (SHA-256): a79b5162f9a49df3db4f001325938b9dc7bdc471b71108ed178350c89252e3a5
- hash (SHA-256): bbcdb82918f0decb1d6e20c90e872175cf278006948c5995ffd88033f56a1b71
- hash (SHA-256): 54148383c8a8a5e51cf4892702f14176110beccd377af75cb184805b6a20986b
- hash (MD5): 227b3fa386cad73f0f388d801060e2c8
- hash (MD5): 53ac08488544ad1fefd6363db44549cf
- hash (SHA-1): 3dd268fb969eaeb5d9068e185a9e33d5e25073cd
- hash (SHA-1): 8e49c3ee98fc722c77b3b37e3abafb3581369b6e
- hash (MD5): 09f402a02b615dcd14786aaa840db0a2
- hash (MD5): 1b39fce74193dd2cd5c36b2f8b626273
- hash (MD5): 2156c270ffe8e4b23b67efed191b9737
- hash (MD5): 487557c9b7288a6b035911a7652ad57c
- hash (MD5): 5db8e71b8e82661408f96b43e7ae8faf
- hash (SHA-1): 7e6b6b6ebd64d458a3ee0ce58bce0ddbbc0bb5e9
- hash (SHA-1): 975d8bdfec6b58ae9004d526fa9f852108026a9c
- hash (SHA-1): aaba9f60d81467c27c82f5c6d6cb6accd6890fc4
- hash (SHA-1): d2106fa68e2e6416914855bb4898969365441685
- hash (SHA-256): 6df9cb909b321c24656b218a06dad56bb7916d8ce7de2342321f648af0124e56
- domain: e3mnde5uyuxjoztup6t3m7nykbicexbzra76ucligwgsaez65w63y2ad.onion
- domain: imnlyhj4mtmtesqrvf7c4ma6dkxeyxw3ae53w6fuz42spndg7zpat6qd.onion
- domain: kvk46su7d2qi6g4n43syp4zbsf2rihnc6ztj77qtc2ojvewjqvqilnqd.onion
- domain: nytiplwknkinobjaeb5tajjiglip3vtaccju6ta7d47u5u64ktrwhrqd.onion
Technical Details
- Author: AlienVault
- TLP: white
- References: https://mp.weixin.qq.com/s/nJpqvXCYV3ZdvNgYGrG4ow
- Adversary: APT-C-13
- Pulse Id: 69f06b1eeeb1fca735cb0bb8
- Threat Score: null
Threat ID: 69f1b4f5cbff5d8610c35091
Added to database: 4/29/2026, 7:36:21 AM
Last enriched: 4/29/2026, 7:52:32 AM
Last updated: 6/13/2026, 8:22:49 AM