
Weaponized Military Documents Deliver Advanced SSH-Tor Backdoor

Severity: Medium
Published: Wed Nov 05 2025 (11/05/2025, 12:36:25 UTC)
Source: AlienVault OTX General

Description

In October 2025, a sophisticated cyber espionage campaign targeted the defense sector, specifically Belarusian Air Force drone experts, using weaponized ZIP archives disguised as military documents. The attack deploys multi-stage malware that combines OpenSSH for Windows with a customized Tor hidden service to create a persistent backdoor. This backdoor enables anonymous remote access via SSH, RDP, SFTP, and SMB, facilitating covert intelligence gathering on UAV capabilities. The campaign employs advanced evasion techniques and complex infrastructure, consistent with tactics attributed to the Russian-linked Sandworm (APT44) group, though attribution remains unconfirmed. Indicators include multiple file hashes, Tor .onion domains, and an IP address. The attack's medium severity reflects its targeted nature and complexity, with no known exploits in the wild yet. European defense organizations, especially those involved in UAV operations or collaborating with Belarus, face significant risk from this threat. Mitigation requires targeted detection of the indicators, strict network segmentation, hardened SSH configurations, and monitoring of Tor traffic. Countries with strategic defense ties to Belarus or with significant defense sectors are the most likely to be affected.

AI-Powered Analysis

Last updated: 11/05/2025, 21:39:00 UTC

Technical Analysis

This threat represents a highly sophisticated cyber espionage campaign identified in October 2025, targeting the defense sector with a focus on Belarusian Air Force drone experts. The attack vector is a weaponized ZIP archive masquerading as a military document, designed to lure victims into executing malicious payloads. The malware establishes a persistent backdoor by deploying OpenSSH for Windows combined with a customized Tor hidden service infrastructure, enabling anonymous remote access. This backdoor supports multiple protocols including SSH, RDP, SFTP, and SMB, allowing attackers to conduct reconnaissance, data exfiltration, and lateral movement while evading traditional network defenses. The use of Tor obfuscates command and control communications, complicating detection and attribution. The campaign employs advanced evasion techniques such as process injection, obfuscated payloads, and scheduled task manipulation (T1053.005), consistent with known Sandworm (APT44) tactics, although definitive attribution is pending. Indicators of compromise include numerous file hashes, Tor .onion domains, and an IP address linked to the infrastructure. The attack’s complexity and targeted nature suggest a well-resourced adversary aiming at strategic intelligence gathering on UAV operations. No CVE or known exploits in the wild have been reported, indicating a potentially novel or custom toolset. The campaign’s medium severity rating reflects its targeted impact and operational sophistication.

Potential Impact

European organizations, particularly defense contractors, military units, and research institutions involved in UAV technology or collaborating with Belarusian defense entities, face significant risks. Successful compromise could lead to unauthorized access to sensitive military data, intellectual property theft, and disruption of critical defense operations. The persistent backdoor enables attackers to maintain long-term covert access, facilitating ongoing espionage and potential sabotage. The use of Tor for command and control complicates detection and response efforts, increasing the risk of prolonged undetected intrusions. Additionally, the multi-protocol access (SSH, RDP, SFTP, SMB) expands the attack surface, potentially allowing lateral movement within networks and access to broader organizational resources. This could undermine confidentiality, integrity, and availability of critical defense systems. The geopolitical sensitivity of the targeted Belarusian Air Force drone experts suggests the attack may be part of a broader regional intelligence campaign, potentially impacting European security and defense cooperation frameworks.

Mitigation Recommendations

1. Implement strict email and file attachment filtering to detect and block weaponized ZIP archives and suspicious military-themed documents.
2. Deploy endpoint detection and response (EDR) solutions capable of identifying OpenSSH for Windows anomalies and Tor client usage on endpoints.
3. Monitor network traffic for connections to known malicious Tor hidden services and anomalous SSH, RDP, SFTP, and SMB sessions, especially those originating from or destined to the suspicious IPs and domains listed in the indicators.
4. Enforce network segmentation to isolate critical defense systems and limit lateral movement opportunities.
5. Harden SSH configurations by disabling password authentication in favor of key-based authentication, restricting access to known IP addresses, and regularly rotating keys.
6. Audit and restrict scheduled tasks and services to prevent unauthorized persistence mechanisms.
7. Conduct regular threat hunting exercises focusing on the identified indicators of compromise and behavioral patterns consistent with Sandworm TTPs.
8. Educate personnel on spear-phishing risks, especially regarding military-themed lures targeting UAV experts.
9. Collaborate with national cybersecurity agencies and defense sector information sharing groups to receive timely threat intelligence updates.
10. Consider deploying network intrusion detection systems (NIDS) with Tor traffic de-obfuscation capabilities to detect hidden service communications.
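Recommendation 5 above asks for hardened SSH configurations. The following is an added example (not from the advisory, the Cyble report, or the OTX pulse) of a small audit that parses an `sshd_config` file and reports the settings that recommendation calls out: password and keyboard-interactive authentication left enabled, public-key authentication disabled, root login with a password, and the absence of any `AllowUsers`/`AllowGroups` or `Match Address` restriction. It follows the OpenSSH rule that the first value read for a keyword wins, and applies upstream sshd defaults for keywords that are not set. The two configuration texts are constructed samples; on OpenSSH for Windows the live file is normally `%ProgramData%\ssh\sshd_config`.

```python
import re

# Upstream sshd defaults for the keywords this audit checks. OpenSSH keeps the
# first value it reads for a keyword, so later duplicates are ignored.
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "kbdinteractiveauthentication": "yes",
}


def parse_sshd_config(text):
    """Return (global_directives, match_blocks).

    Keywords are lower-cased, the first occurrence of a keyword wins, and
    directives that follow a 'Match' line are kept with that block's criteria
    instead of being mixed into the global section."""
    globals_, matches = {}, []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {"criteria": value, "directives": {}}
            matches.append(current)
            continue
        target = globals_ if current is None else current["directives"]
        target.setdefault(key, value)
    return globals_, matches


def audit_sshd_config(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg, matches = parse_sshd_config(text)

    def get(key):
        return cfg.get(key, DEFAULTS.get(key, "")).lower()

    findings = []
    if get("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is not 'no': password logins are allowed")
    if get("kbdinteractiveauthentication") != "no":
        findings.append("KbdInteractiveAuthentication is not 'no': keyboard-interactive password prompts are allowed")
    if get("pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication is disabled")
    if get("permitrootlogin") not in ("no", "prohibit-password"):
        findings.append("PermitRootLogin permits root login with a password")
    # Source restriction: either an AllowUsers/AllowGroups list (user@host patterns)
    # or a Match Address block; the firewall should enforce the same list.
    restricted = any(k in cfg for k in ("allowusers", "allowgroups")) or any(
        re.search(r"\baddress\b", m["criteria"], re.I) for m in matches)
    if not restricted:
        findings.append("No AllowUsers/AllowGroups or 'Match Address' restriction on who may connect from where")
    return findings


# Constructed sample: a permissive configuration (not taken from any real host).
WEAK_CONFIG = """
Port 22
PasswordAuthentication yes
PermitRootLogin yes
"""

# Constructed sample reflecting the recommendation; 203.0.113.0/24 is a documentation range.
HARDENED_CONFIG = """
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
AllowUsers ops-admin@203.0.113.*
Match Address 203.0.113.0/24
    PasswordAuthentication no
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{name}]")
        for finding in audit_sshd_config(cfg) or ["no findings"]:
            print("  -", finding)
```

The audit covers the organization's own sshd instances, which is the scope of recommendation 5; an attacker-deployed copy of OpenSSH for Windows is a matter for the endpoint and network detection items above.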


Technical Details

Author: AlienVault
TLP: white
References: https://cyble.com/blog/weaponized-military-documents-deliver-backdoor
Adversary: Sandworm
Pulse ID: 690b44c980cc3d5d3a5f7631
Threat Score: null

Indicators of Compromise

Hash

MD5:
23ad48b33d5a6a8252ed5cd38148dcb7
32bdbf5c26e691cbbd451545bca52b56
37e83a8fc0e4e6ea5dab38b0b20f953b
664f09734b07659a6f75bca3866ae5e8
952f86861feeaf9821685cc203d67004
cdd065c52b96614dc880273f2872619f
f6c0304671c4485c04d4a1c7c8c8ed94

SHA-1:
0516b1e97b73f371bdf92a7e00fb5ded63cce485
3e7b02953ccaef1d63c4e1c4bc69daa1656e5ab0
57966d0a5d47f580a77957b479c5e36c8a2e8a15
63b27aeda63ea0ddf3db9b685d55ca01d5754357
93456edf6e375e53bac0c93244eec815f7f3d034
a9bfdd5cc7c52ffaf831e74f05a5b8a7321b051b
ef73e844f9f0e96f80338a50e769e5ab695b3d6c

SHA-256:
08db5bb9812f49f9394fd724b9196c7dc2f61b5ba1644da65db95ab6e430c92b
30a5df544f4a838f9c7ce34377ed2668e0ba22cc39d1e26b303781153808a2c4
5d3a6340691840d1a87bfab543faec77b4a9d457991dd938834de820a99685f7
710e8c96875d6a3c1b4f08f4b2094c800658551065b20ef3fd450b210dcc7b9a
7269b4bc6b3036e5a2f8c2a7908a439202cee9c8b9e50b67c786c39f2500df8f
7946a2275c1c232eebed6ead95ea4723285950175586db1f95354b910b0a3cce
99ec6437f74eec19e33c1a0b4ac8826bcc44848f87cd1a1c2b379fae9df62de9
a0eed0e1ef8fc4129f630e6f68c29c357c717df0fe352961e92e7f8c93e5371b

IP

77.20.116.133

Domain

taibdsgqlwvnizgipp4sn7xee72qys3pufih3rjzhx3e5b5t245kafid.onion
yuknkap4im65njr3tlprnpqwj4h7aal4hrn2tdieg75rpp6fx25hqbyd.onion
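Recommendation 3 and recommendation 7 above call for matching these indicators against file hashes and network logs. The following is an added example (not from the advisory, the Cyble report, or the OTX pulse) that loads the hashes, IP address and .onion domains exactly as listed on this page, indexes the hashes by digest type so that MD5, SHA-1 and SHA-256 values are only compared like with like, and sweeps a set of file digests and proxy/firewall log lines for hits. The file paths and log lines are constructed samples; the v3 onion address pattern (56 base32 characters followed by `.onion`) is the one both listed domains follow.

```python
import re

# Indicators of compromise exactly as listed on this page (OTX pulse 690b44c980cc3d5d3a5f7631).
IOC_HASHES = """
23ad48b33d5a6a8252ed5cd38148dcb7 32bdbf5c26e691cbbd451545bca52b56
37e83a8fc0e4e6ea5dab38b0b20f953b 664f09734b07659a6f75bca3866ae5e8
952f86861feeaf9821685cc203d67004 cdd065c52b96614dc880273f2872619f
f6c0304671c4485c04d4a1c7c8c8ed94
0516b1e97b73f371bdf92a7e00fb5ded63cce485 3e7b02953ccaef1d63c4e1c4bc69daa1656e5ab0
57966d0a5d47f580a77957b479c5e36c8a2e8a15 63b27aeda63ea0ddf3db9b685d55ca01d5754357
93456edf6e375e53bac0c93244eec815f7f3d034 a9bfdd5cc7c52ffaf831e74f05a5b8a7321b051b
ef73e844f9f0e96f80338a50e769e5ab695b3d6c
08db5bb9812f49f9394fd724b9196c7dc2f61b5ba1644da65db95ab6e430c92b
30a5df544f4a838f9c7ce34377ed2668e0ba22cc39d1e26b303781153808a2c4
5d3a6340691840d1a87bfab543faec77b4a9d457991dd938834de820a99685f7
710e8c96875d6a3c1b4f08f4b2094c800658551065b20ef3fd450b210dcc7b9a
7269b4bc6b3036e5a2f8c2a7908a439202cee9c8b9e50b67c786c39f2500df8f
7946a2275c1c232eebed6ead95ea4723285950175586db1f95354b910b0a3cce
99ec6437f74eec19e33c1a0b4ac8826bcc44848f87cd1a1c2b379fae9df62de9
a0eed0e1ef8fc4129f630e6f68c29c357c717df0fe352961e92e7f8c93e5371b
""".split()
IOC_IPS = {"77.20.116.133"}
IOC_DOMAINS = {
    "taibdsgqlwvnizgipp4sn7xee72qys3pufih3rjzhx3e5b5t245kafid.onion",
    "yuknkap4im65njr3tlprnpqwj4h7aal4hrn2tdieg75rpp6fx25hqbyd.onion",
}

HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}


def classify_hash(value):
    """Return 'md5', 'sha1' or 'sha256' from the hex length, or None if not a hex digest."""
    v = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", v):
        return None
    return HASH_TYPES.get(len(v))


# Index the page's hashes by digest type so a lookup never compares an MD5 with a SHA-256.
IOC_BY_TYPE = {}
for _h in IOC_HASHES:
    IOC_BY_TYPE.setdefault(classify_hash(_h), set()).add(_h.lower())


def match_hashes(observed):
    """observed: iterable of (path, digest). Returns [(path, digest_type, digest)] for hits."""
    hits = []
    for path, digest in observed:
        kind = classify_hash(digest)
        if kind and digest.lower() in IOC_BY_TYPE.get(kind, ()):
            hits.append((path, kind, digest.lower()))
    return hits


IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
ONION_RE = re.compile(r"\b[a-z2-7]{56}\.onion\b", re.IGNORECASE)  # v3 hidden service names


def scan_log_lines(lines):
    """Return [(line_number, indicator)] for every listed IP or .onion domain seen (1-based)."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IPV4_RE.findall(line):
            if ip in IOC_IPS:
                hits.append((n, ip))
        for onion in ONION_RE.findall(line):
            if onion.lower() in IOC_DOMAINS:
                hits.append((n, onion.lower()))
    return hits


# Constructed sample inputs (not from the page, the report, or any real host).
SAMPLE_FILES = [
    (r"C:\Users\Public\downloaded_archive.zip", "23ad48b33d5a6a8252ed5cd38148dcb7"),
    (r"C:\Windows\System32\notepad.exe", "0" * 64),  # constructed benign digest
]
SAMPLE_LOGS = [
    "2025-11-05T10:01:12Z proxy CONNECT taibdsgqlwvnizgipp4sn7xee72qys3pufih3rjzhx3e5b5t245kafid.onion:443 user=jdoe",
    "2025-11-05T10:01:15Z fw ALLOW tcp 10.20.30.40:51544 -> 77.20.116.133:9001",
    "2025-11-05T10:02:00Z fw ALLOW tcp 10.20.30.40:51550 -> 93.184.216.34:443",
    "2025-11-05T10:03:44Z proxy CONNECT example.com:443 user=jdoe",
]

if __name__ == "__main__":
    for path, kind, digest in match_hashes(SAMPLE_FILES):
        print(f"HASH HIT  {kind:<6} {digest}  {path}")
    for n, indicator in scan_log_lines(SAMPLE_LOGS):
        print(f"LOG HIT   line {n}: {indicator}")
```

Keeping the digests bucketed by type matters once the indicator set grows: a 32-character value observed in an inventory can then only be tested against the MD5 list, which avoids both wasted comparisons and the temptation to truncate or pad digests to make them line up.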

Threat ID: 690bc39f5c8b8caf26e1ed7a

Added to database: 11/5/2025, 9:37:35 PM

Last enriched: 11/5/2025, 9:39:00 PM

Last updated: 11/6/2025, 4:26:09 AM

Views: 8
