Operation SkyCloak: Tor Campaign targets Military of Russia & Belarus
Operation SkyCloak is a sophisticated espionage campaign targeting Russian and Belarusian military personnel. It uses multi-stage infection chains involving PowerShell scripts, scheduled tasks, and obfuscated configurations to establish covert remote access via OpenSSH and Tor bridges. The attackers leverage Tor hidden services to expose local services for lateral movement and maintain persistence. Anti-analysis techniques and obfuscation hinder detection and analysis. While attribution is uncertain, the tactics align with Eastern European espionage groups focusing on defense sectors. The campaign poses a medium severity threat due to its targeted nature and complexity. European organizations outside Russia and Belarus are less likely to be directly affected but should remain vigilant. Mitigation requires tailored detection of PowerShell abuse, monitoring for Tor and SSH anomalies, and restricting unauthorized scheduled tasks. Countries with significant defense ties or geopolitical interest in Russia and Belarus, such as Poland and the Baltic states, should be particularly alert.
AI Analysis
Technical Summary
Operation SkyCloak is a targeted cyber espionage campaign aimed at military personnel in Russia and Belarus. The infection chain is multi-stage and begins with decoy documents, which likely serve as the initial infection vector, delivered by spear-phishing or social engineering. Once a document is opened, PowerShell scripts deploy the payloads and establish persistence through scheduled tasks (T1053.005, T1547). The campaign uses OpenSSH together with Tor bridges to create covert remote access channels and enable lateral movement within compromised networks; Tor hidden services expose several local services on the victim, giving the operators stealthy command and control (C2) and data exfiltration paths. Obfuscated configurations and anti-analysis techniques (obfuscated PowerShell, anti-debugging) complicate detection and forensic analysis. The tradecraft aligns with known espionage operations against defense and government sectors in Eastern Europe. No exploit or CVE is associated with the campaign, but its complexity and targeted nature indicate a well-resourced adversary; since no CVSS score applies, severity has to be assessed from impact and the complexity of the intrusion rather than from a vulnerability rating.
Potential Impact
For European organizations, the direct impact is primarily on Russian and Belarusian military entities; however, the campaign’s use of Tor and SSH for covert access could inspire similar tactics against allied or neighboring countries’ defense sectors. The compromise of military personnel systems risks exposure of sensitive defense information, operational plans, and intelligence. The use of scheduled tasks and PowerShell scripts for persistence increases the difficulty of eradication and allows long-term espionage. If similar techniques spread, European defense organizations could face increased risks of lateral movement and stealthy data exfiltration. The campaign’s sophistication also highlights the evolving threat landscape, emphasizing the need for advanced detection capabilities. Additionally, geopolitical tensions involving Russia and Belarus may increase targeting of European countries with strategic interests or military cooperation with these nations.
Mitigation Recommendations
European defense and government organizations should implement advanced monitoring for PowerShell script execution, focusing on unusual or obfuscated commands (encoded command lines, hidden windows, in-memory decode-and-execute patterns). Scheduled tasks should be audited regularly to detect unauthorized persistence mechanisms, in particular tasks whose action launches PowerShell, an SSH client or a Tor binary from a user-writable path. Network monitoring should include detection of Tor traffic and anomalous SSH connections, particularly those involving non-standard ports, SSH binaries outside the system OpenSSH location, or unexpected endpoints. Endpoint detection and response (EDR) solutions should be tuned to identify obfuscation techniques and anti-analysis behaviors. Restricting the use of Tor and unauthorized SSH tunnels within sensitive networks reduces the attack surface. Incident response teams should develop playbooks for multi-stage infection chains and lateral movement detection. User training should emphasize the risks of spear-phishing and decoy documents. Finally, sharing threat intelligence related to Operation SkyCloak within European cybersecurity communities can enhance collective defense.
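The three detection themes above (obfuscated PowerShell, scheduled tasks that launch tunnelling tools, and Tor or off-port SSH network activity) as a small rule set run over constructed sample telemetry. This is an added example, not code from the report or from Seqrite; the event shapes are simplified stand-ins for PowerShell 4104 script-block logs, 4698 task-creation events and Sysmon event 3, and every value in SAMPLE_EVENTS is made up.

```python
import re

# Constructed sample telemetry (not from the report), simplified to the fields
# a detection would read: PowerShell 4104 script-block text, 4698 scheduled-task
# creations (task name + action), and Sysmon event 3 network connections.
SAMPLE_EVENTS = [
    {"id": 4104, "script": "Get-ChildItem C:\\Users"},
    {"id": 4104, "script": "powershell -w hidden -nop -enc SQBFAFgAIAAoAE4AZQB3AC0A"},
    {"id": 4104, "script": "IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($p)))"},
    {"id": 4698, "task": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "cmd": "%windir%\\system32\\defrag.exe -c"},
    {"id": 4698, "task": "\\Updater", "cmd": "powershell.exe -ep bypass -w hidden -f C:\\Users\\Public\\u.ps1"},
    {"id": 4698, "task": "\\SshSvc", "cmd": "C:\\Users\\Public\\ssh.exe -N -p 8443 svc@198.51.100.7"},
    {"id": 4698, "task": "\\Bridge", "cmd": "C:\\Users\\Public\\tor.exe -f C:\\Users\\Public\\torrc"},
    {"id": 3, "image": "C:\\Windows\\System32\\OpenSSH\\ssh.exe", "dst": "198.51.100.7", "dport": 22},
    {"id": 3, "image": "C:\\Users\\Public\\ssh.exe", "dst": "127.0.0.1", "dport": 9050},
    {"id": 3, "image": "C:\\Users\\Public\\tor.exe", "dst": "203.0.113.9", "dport": 443},
]

# Encoded/hidden PowerShell and in-memory decode-and-run patterns (T1059.001).
PS_OBFUSCATION = re.compile(
    r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}|FromBase64String"
    r"|\bIEX\b|Invoke-Expression|-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
# Scheduled-task actions that launch an interpreter or tunnelling client (T1053.005).
TASK_LOLBIN = re.compile(r"\b(?:powershell|pwsh|ssh|tor|plink)(?:\.exe)?\b", re.IGNORECASE)
TOR_PORTS = {9001, 9030, 9050, 9051, 9150}          # default ORPort / DirPort / SOCKS ports
SYSTEM_SSH = "c:\\windows\\system32\\openssh\\"     # the only expected ssh.exe location

def classify(ev):
    """Return the detection tags that apply to one event ([] = nothing suspicious)."""
    tags = []
    if ev["id"] == 4104 and PS_OBFUSCATION.search(ev["script"]):
        tags.append("T1059.001 obfuscated or encoded PowerShell")
    if ev["id"] == 4698 and TASK_LOLBIN.search(ev["cmd"]):
        tags.append("T1053.005 scheduled task launching PowerShell/SSH/Tor")
    if ev["id"] == 3:
        img = ev["image"].lower()
        if img.endswith("tor.exe") or ev["dport"] in TOR_PORTS:
            tags.append("Tor client traffic or Tor SOCKS/OR port")
        if img.endswith("ssh.exe") and not img.startswith(SYSTEM_SSH):
            tags.append("ssh.exe running outside the system OpenSSH path")
        if img.endswith("ssh.exe") and ev["dport"] != 22:
            tags.append("SSH connection to a non-standard port")
    return tags

def scan(events):
    """Run classify() over an event stream; returns (event index, tag) pairs."""
    return [(i, tag) for i, ev in enumerate(events) for tag in classify(ev)]
```

The benign entries (a directory listing, the built-in defrag task, the system ssh.exe on port 22) produce no tags, which is the baseline a tuned rule set should keep quiet on.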
Affected Countries
Poland, Lithuania, Latvia, Estonia, Ukraine, Germany, France, United Kingdom
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.seqrite.com/blog/operation-skycloak-tor-campaign-targets-military-of-russia-belarus/
- Adversary: none listed
- Pulse Id: 690523b41d5a7b96d580ee71
- Threat Score: none listed
Threat ID: 69052bb4a02e7fe8a6757d69
Added to database: 10/31/2025, 9:35:48 PM
Last enriched: 10/31/2025, 9:36:28 PM
Last updated: 11/1/2025, 1:21:46 PM