In October 2025, cybersecurity researchers at Cyble Research and Intelligence Labs (CRIL) uncovered a sophisticated malware campaign distributing weaponized ZIP archives disguised as military documents.
The attack specifically targeted Belarusian military personnel through a lure document titled “ТЛГ на убытие на переподготовку.pdf” (TLG for departure for retraining.pdf), with evidence suggesting the operation focused on gathering intelligence about regional military capabilities, particularly Special Operations Command personnel specializing in unmanned aerial vehicle and drone operations.
This multi-stage attack represents a significant evolution in cyber espionage techniques, employing advanced evasion methods including double file extensions, anti-sandbox validation checks, and obfuscated PowerShell execution to establish persistent backdoor access on targeted systems.

The malware deploys a complex infrastructure combining OpenSSH for Windows with a customized Tor hidden service featuring obfs4 traffic obfuscation, providing threat actors with anonymous remote access via SSH, RDP, SFTP, and SMB protocols.
Advanced Evasion Techniques
The attack uses nested ZIP archives, LNK file disguises, and anti-sandbox checks specifically designed to bypass automated detection systems.
Before executing its payload, the malware validates system characteristics by checking for at least ten recent LNK files and a minimum of fifty running processes, conditions typically absent in sandbox environments but present on genuine user machines.
First, PowerShell uses the Expand-Archive command to extract the contents of “persistentHandlerHashingEncodingScalable.zip” from the Downloads folder into the %appdata%\logicpro directory.


This validation ensures the malware terminates in analysis environments while proceeding with infection on legitimate workstations.
The implementation of the obfs4 pluggable transport represents a major technical advancement, effectively disguising Tor traffic as normal network activity and making detection significantly more difficult compared to the standard Tor protocols used in earlier campaigns.
Through concealed Tor services, attackers gain access to multiple protocols including SSH, RDP, SFTP, and SMB, enabling full system control while preserving anonymity.
All communications are routed through anonymous onion addresses using pre-installed RSA cryptographic keys, eliminating the need for on-the-fly key generation that could trigger security alerts.
The tactics, techniques, and procedures employed in this attack closely align with Sandworm (also known as APT44 and UAC-0125), a Russian-linked advanced persistent threat group.
However, researchers emphasize that without an established targeting pattern, high-confidence attribution cannot be confirmed at this stage.
The broader context aligns with intelligence reporting from Ukraine’s CERT-UA and SSSCIP, which documented over 3,000 cyber incidents in the first half of 2025, many leveraging AI-generated phishing content and increasingly sophisticated malware.
Based on tactical patterns, overlapping infrastructure, and its evolution from the December 2024 Army+ campaign, this attack demonstrates continuous refinement of proven techniques associated with Sandworm’s Unit 74455.
Since 2013, this unit has conducted numerous cyberattacks against Ukraine’s military and critical infrastructure, including the BlackEnergy attacks that caused power outages in 2015, the large-scale NotPetya malware outbreak in 2017, and the 2023 breach of Kyivstar, Ukraine’s largest telecommunications provider.
The December 2024 Army+ fake installer campaign serves as a direct precursor, involving malicious NSIS installers distributed through fake Cloudflare Workers sites that deployed PowerShell scripts to create hidden SSH access via Tor.


The current threat shows tactical improvements over earlier operations, including the addition of obfs4 for more covert Tor communication, the implementation of scheduled tasks for reliable persistence, and the strategic use of pre-generated RSA keys to minimize detection risk and operational footprint.
Multi-Protocol Access Framework
The infection chain begins when victims extract the malicious ZIP archive and encounter an LNK file disguised as a PDF document alongside a hidden directory containing additional payloads.
Upon opening what appears to be a legitimate military document, the LNK file triggers PowerShell commands that extract files into the system’s AppData directory and execute a second-stage script.
This script displays a decoy PDF showing an authentic-looking Russian-language military order dated October 16, 2025, from military unit B/4 89417 in the Minsk Oblast, demonstrating the threat actor’s understanding of military operations and administrative procedures.
While victims review the decoy document, the malware establishes persistence through two scheduled tasks.
The first deploys an OpenSSH service using a Microsoft-signed binary disguised as legitimate software, listening on port 20321 with strict RSA key-based authentication.
The second task establishes a Tor hidden service with port forwarding for multiple Windows services, including SSH on port 20322, SMB file sharing on port 11435, and Remote Desktop Protocol on port 13893.
PuTTY was configured with the localhost SOCKS5 proxy settings, and the extracted RSA private key was converted to PPK format using PuTTYgen for authentication.


After establishing the hidden service, the malware constructs a unique onion URL identifying the compromised system and exfiltrates it to command-and-control infrastructure using curl with aggressive retry logic.
CRIL researchers successfully connected via SSH to confirm backdoor functionality, though no secondary payloads or post-exploitation activity were observed during monitoring, suggesting the operation remains in a reconnaissance or surveillance phase before active exploitation.
Defense teams should focus on analyzing endpoint behavior, monitoring process execution chains, and auditing scheduled tasks, as the obfs4-obfuscated Tor communications make network-based detection significantly more difficult.
Military units and defense sector organizations remain particularly vulnerable to social engineering attacks employing realistic military documents, underscoring the need for enhanced security awareness training and endpoint detection capabilities.
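One way to audit a single Windows host for the scheduled-task, listener, and hidden-service artifacts described above, as an added example and not code from the Cyble report or the malware itself (the port numbers come from the article; the task filters, the config search under AppData, and the output format are assumptions):

```powershell
# Added example (not from Cyble's report or the malware): a single-host hunt for the
# artifacts the article describes. Port numbers are from the article; everything else
# (task filters, config search, output format) is an assumption. Run as Administrator.
$SuspectPorts = 20321, 20322, 11435, 13893   # sshd, Tor-forwarded SSH, SMB, RDP (per article)

function Get-SuspectListeners {
    # Listening sockets on the documented ports, resolved to the owning process.
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $SuspectPorts -contains [int]$_.LocalPort } |
        ForEach-Object {
            $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Port    = $_.LocalPort
                PID     = $_.OwningProcess
                Process = $p.ProcessName
                Path    = $p.Path
            }
        }
}

function Get-SuspectScheduledTasks {
    # Tasks whose action runs from AppData (the staging area named in the article) or
    # invokes OpenSSH/Tor components. Legitimate software can match; triage the output.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if ($cmd -match '\\AppData\\' -or $cmd -match 'sshd|obfs4|tor\.exe|HiddenService') {
                [pscustomobject]@{
                    TaskName = $task.TaskName
                    TaskPath = $task.TaskPath
                    State    = $task.State
                    Command  = $cmd
                }
            }
        }
    }
}

function Find-HiddenServiceConfigs {
    # A Tor hidden service needs a torrc-style file with HiddenServicePort lines; the
    # forwarded RDP/SMB/SSH ports from the article would appear there in clear text.
    Get-ChildItem $env:APPDATA -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -lt 64KB } |
        Select-String -Pattern '^\s*HiddenServicePort\s' -List -ErrorAction SilentlyContinue |
        Select-Object Path, LineNumber, Line
}

Get-SuspectListeners      | Format-Table -AutoSize
Get-SuspectScheduledTasks | Format-Table -AutoSize -Wrap
Find-HiddenServiceConfigs | Format-Table -AutoSize -Wrap
```

Any hit on the documented ports should be correlated with the owning process path; a renamed sshd or obfs4proxy under a user profile directory rather than a system location is the pattern the article describes.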
Indicators of Compromise

