Operation SkyCloak represents a targeted cyber espionage campaign aimed at military personnel in Russia and Belarus. The attackers employ a multi-stage infection chain beginning with decoy documents that likely serve as initial infection vectors, possibly via spear-phishing or social engineering. Once executed, PowerShell scripts are used to deploy payloads and establish persistence through scheduled tasks (T1053.005, T1547). The campaign leverages OpenSSH and Tor bridges to create covert remote access channels, enabling lateral movement within compromised networks. Tor hidden services are utilized to expose multiple local services, facilitating stealthy command and control (C2) communications and data exfiltration. The use of obfuscated configurations and anti-analysis techniques (e.g., obfuscated PowerShell, anti-debugging) complicates detection and forensic analysis. The campaign’s tactics align with known espionage tradecraft, focusing on defense and government sectors in Eastern Europe. Although no known exploits or CVEs are associated, the campaign’s complexity and targeted nature indicate a well-resourced adversary. The absence of a CVSS score suggests the need for a severity assessment based on impact and exploitation complexity.

For European organizations, the direct impact is primarily on Russian and Belarusian military entities; however, the campaign’s use of Tor and SSH for covert access could inspire similar tactics against allied or neighboring countries’ defense sectors. The compromise of military personnel systems risks exposure of sensitive defense information, operational plans, and intelligence. The use of scheduled tasks and PowerShell scripts for persistence increases the difficulty of eradication and allows long-term espionage. If similar techniques spread, European defense organizations could face increased risks of lateral movement and stealthy data exfiltration. The campaign’s sophistication also highlights the evolving threat landscape, emphasizing the need for advanced detection capabilities. Additionally, geopolitical tensions involving Russia and Belarus may increase targeting of European countries with strategic interests or military cooperation with these nations.

European defense and government organizations should implement advanced monitoring for PowerShell script execution, focusing on unusual or obfuscated commands. Scheduled tasks should be audited regularly to detect unauthorized persistence mechanisms. Network monitoring should include detection of Tor traffic and anomalous SSH connections, particularly those involving non-standard ports or unexpected endpoints. Endpoint detection and response (EDR) solutions should be tuned to identify obfuscation techniques and anti-analysis behaviors. Restricting the use of Tor and unauthorized SSH tunnels within sensitive networks can reduce attack surface. Incident response teams should develop playbooks for multi-stage infection chains and lateral movement detection. User training should emphasize the risks of spear-phishing and decoy documents. Finally, sharing threat intelligence related to Operation SkyCloak within European cybersecurity communities can enhance collective defense.