Attack Activity Analysis Using SSH+TOR Tunnels for Covert Persistence
APT-C-13 (Sandworm) is a state-sponsored threat group conducting global cyber espionage using spear-phishing emails with malicious LNK files disguised as PDFs. The group establishes covert persistence by deploying nested SSH and TOR tunnels, including TOR hidden services that map internal SMB and RDP ports to onion domains. They use the obfs4 protocol to obfuscate TOR traffic, evading detection. Persistence mechanisms include scheduled tasks masquerading as legitimate applications such as Opera GX and Dropbox. This infrastructure supports sustained intelligence collection through anonymous, encrypted remote access.
AI Analysis
Technical Summary
APT-C-13 (Sandworm) employs spear-phishing to deliver malicious LNK files that deploy payloads establishing nested SSH and TOR tunnel architectures for covert communication. TOR hidden services map internal SMB (port 445) and RDP (port 3389) services to onion domains, while SSH with public key authentication provides encrypted remote access. The use of the obfs4 protocol obfuscates TOR traffic to evade deep packet inspection. Persistence is maintained via scheduled tasks disguised as legitimate software, enabling a shadow management infrastructure for ongoing espionage activities.
Potential Impact
This campaign enables the threat actor to maintain covert, persistent access to targeted networks, facilitating intelligence collection from government, diplomatic, energy, and research organizations globally. The use of obfuscated TOR tunnels and SSH access complicates detection and response efforts, potentially allowing prolonged unauthorized access and data exfiltration.
Mitigation Recommendations
No patch applies here: this is an intrusion campaign, not a software vulnerability, so there is no vendor remediation to install. Mitigation should focus on user awareness to reduce spear-phishing success, detection of scheduled tasks that masquerade as legitimate applications (in this campaign, Opera GX and Dropbox), and monitoring for unusual SSH and TOR activity, bearing in mind that obfs4-wrapped TOR traffic is designed not to match signature-based inspection. Network defenders should consider blocking or inspecting TOR traffic and enforcing strict controls on remote access services, in particular the SMB and RDP ports this campaign exposes through hidden services.
Indicators of Compromise
Hash (SHA-256, 64 hex digits)
- hash: 2a9b971c835e2ee5f190d068c602601fdaf718d8bfe085c2032d59a6f25ed082
- hash: 42910bf2aa4ac9d62e2b32e6fadc42f11bd7215fee492ecf72cfd6238965d066
- hash: 111e42c31f8e4ae3764f339d7ad04b20bb21be5d97ede13aaa7c73e72cb7549d
- hash: 0a78005858bef767b39cfbbeb543a80dfde46807ee75594de77d3ddfe119e8b5
- hash: 1fbdb99357ace6d6db830c63850a6e8a4ea3607776c4668feb135f3ff0d95151
- hash: 63297928883b0dc4e0735963dbcb2b2fa0c1e131af6d486f882070a6eb7e339a
- hash: a79b5162f9a49df3db4f001325938b9dc7bdc471b71108ed178350c89252e3a5
- hash: bbcdb82918f0decb1d6e20c90e872175cf278006948c5995ffd88033f56a1b71
- hash: 54148383c8a8a5e51cf4892702f14176110beccd377af75cb184805b6a20986b
- hash: 6df9cb909b321c24656b218a06dad56bb7916d8ce7de2342321f648af0124e56
Hash (SHA-1, 40 hex digits)
- hash: 7b50320a005cf68e5c17d51a8fd8422ceef1611a
- hash: aba35de9e819396f89f34c03058ebe71a7f98b6b
- hash: 940658590d938380b71fd5055635c02564a63ef1
- hash: c22150121a13713b395a155af5d55680dde56ac1
- hash: 3dd268fb969eaeb5d9068e185a9e33d5e25073cd
- hash: 8e49c3ee98fc722c77b3b37e3abafb3581369b6e
- hash: 7e6b6b6ebd64d458a3ee0ce58bce0ddbbc0bb5e9
- hash: 975d8bdfec6b58ae9004d526fa9f852108026a9c
- hash: aaba9f60d81467c27c82f5c6d6cb6accd6890fc4
- hash: d2106fa68e2e6416914855bb4898969365441685
Hash (MD5, 32 hex digits)
- hash: 6616717dfb2a795113b47d862c5412e2
- hash: 99732e49668e56527963742922277459
- hash: 0b6f7356919b9632c1158681ee0462f3
- hash: 4d5074d6e0722ceec45a083fa8444164
- hash: a6d095dc0e01f97db7e74cb5bed402dc
- hash: 227b3fa386cad73f0f388d801060e2c8
- hash: 53ac08488544ad1fefd6363db44549cf
- hash: 09f402a02b615dcd14786aaa840db0a2
- hash: 1b39fce74193dd2cd5c36b2f8b626273
- hash: 2156c270ffe8e4b23b67efed191b9737
- hash: 487557c9b7288a6b035911a7652ad57c
- hash: 5db8e71b8e82661408f96b43e7ae8faf
Domain (TOR hidden services)
- domain: 2zrek3mkl72d5b6evpkx2rz2glzrltiorgblpfb2ttg6lacwlsdk4iqd.onion
- domain: 3xl6xhboulyuez6fuydyhj7pdvkshzn4ogsmgwbb3ukrkvgi6bcwvfyd.onion
- domain: e3mnde5uyuxjoztup6t3m7nykbicexbzra76ucligwgsaez65w63y2ad.onion
- domain: imnlyhj4mtmtesqrvf7c4ma6dkxeyxw3ae53w6fuz42spndg7zpat6qd.onion
- domain: kvk46su7d2qi6g4n43syp4zbsf2rihnc6ztj77qtc2ojvewjqvqilnqd.onion
- domain: nytiplwknkinobjaeb5tajjiglip3vtaccju6ta7d47u5u64ktrwhrqd.onion
Technical Details
- Author: AlienVault
- TLP: white
- References: https://mp.weixin.qq.com/s/nJpqvXCYV3ZdvNgYGrG4ow
- Adversary: APT-C-13
- Pulse Id: 69f06b1eeeb1fca735cb0bb8
- Threat Score: null
Threat ID: 69f1b4f5cbff5d8610c35091
Added to database: 4/29/2026, 7:36:21 AM
Last enriched: 4/29/2026, 7:52:32 AM
Last updated: 4/29/2026, 8:55:15 PM