
Weaponized Military Documents Deliver Advanced SSH-Tor Backdoor

NetmanageIT OpenCTI - opencti.netmanageit.com




SUMMARY :

A sophisticated cyber attack targeting the defense sector was identified in October 2025, utilizing a weaponized ZIP archive disguised as a military document. The multi-stage attack employs advanced evasion techniques and deploys a complex infrastructure combining OpenSSH for Windows with a customized Tor hidden service. The malware establishes persistent backdoor access, allowing anonymous remote access via SSH, RDP, SFTP, and SMB protocols. The lure document targets Belarusian Air Force drone experts, suggesting intelligence gathering on regional UAV capabilities. The attack's tactics, techniques, and procedures align with those of Sandworm (APT44), a Russian-linked APT group, although definitive attribution remains uncertain at this stage.

OPENCTI LABELS :

defense sector, openssh, belarusian air force, tor hidden service, uav operations, ssh-tor backdoor, military lure, obfs4


AI COMMENTARY :

1. A sophisticated cyber attack targeting the defense sector was uncovered in October 2025. Known under the title 'Weaponized Military Documents Deliver Advanced SSH-Tor Backdoor', this operation leverages trust in official-looking files to infiltrate sensitive networks. Researchers observed the initial compromise vector as a ZIP archive masquerading as a Belarusian Air Force briefing, showcasing the adversary's focus on UAV operations intelligence gathering.

2. The threat actors crafted a military lure intended for drone experts within the Belarusian Air Force. By presenting technical documents on regional UAV capabilities, the archive enticed recipients to extract and execute embedded payloads. This targeted approach underscores the group's deep reconnaissance into its victims’ roles and responsibilities in UAV operations.

3. Concealed within the archive, the payload utilizes obfs4 to mask its network traffic and evade detection by network monitoring tools. This choice of pluggable transport ensures communications with the Tor hidden service remain indistinguishable from benign encrypted traffic. The attackers’ integration of obfs4 demonstrates a high level of sophistication in maintaining covert channels.

4. Once deployed, the malware establishes a complex infrastructure that merges OpenSSH for Windows with a customized Tor hidden service. This SSH-Tor backdoor enables secure encrypted tunnels over the Tor network, granting attackers anonymous command and control capabilities. The combination of OpenSSH and Tor hidden services elevates the stealth and resilience of the backdoor.

5. The backdoor delivers persistent remote access across multiple protocols including SSH, RDP, SFTP, and SMB. By layering SSH over Tor, the adversary achieves an advanced SSH-Tor backdoor mechanism that can bypass traditional perimeter defenses. The versatility of these protocols allows flexible data exfiltration and lateral movement within the compromised environment.

6. To maintain persistence and resist removal, the malware employs advanced evasion techniques. It hides its service on the Tor network behind a stealthy hidden service, leverages OpenSSH features for authentication bypasses, and periodically updates its code to avoid signature-based detection. These tactics ensure long-term footholds even in highly secure defense networks.

7. The tactics, techniques, and procedures observed in this operation align closely with those documented for Sandworm, also known as APT44. While definitive attribution remains unconfirmed, the use of military lures, Tor-based backdoors, and sophisticated evasion point toward a Russian-linked actor. If confirmed, this campaign represents a strategic effort to compromise UAV operations intelligence in Eastern Europe.

8. Organizations within the defense sector should review incoming archives for anomalies in file structure and verify the authenticity of military-related documents. Implementing robust email filtering, network segmentation, and behavioral analysis of SSH and Tor traffic can mitigate the risk posed by this SSH-Tor backdoor. Maintaining up-to-date threat intelligence on obfs4 pluggable transports and Tor hidden services will strengthen defenses against similar advanced persistent threats.
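The backdoor described in points 4 and 5 is, at the configuration level, a Tor hidden service that forwards its virtual ports to local SSH, RDP and SMB listeners, optionally reached through an obfs4 bridge. The audit script below is an added example written for this page, not code from the report or from the actor's tooling. It parses a torrc, flags any hidden service whose target is one of those remote-access ports, and notes whether an obfs4 pluggable transport is configured. The two torrc samples are constructed for the demonstration; the Windows paths, the bridge address and the fingerprint are placeholders, and the port-to-service mapping is an assumption about how such a backdoor is typically wired.

```python
"""Audit a torrc for the SSH-over-Tor backdoor pattern described in the report.

Added example, not from the report or the campaign's own files. It parses a
torrc and flags hidden services that forward to remote-access ports
(SSH/SFTP, RDP, SMB) and the presence of an obfs4 pluggable transport.
"""

# Assumption: the backdoor forwards hidden-service ports to the local
# remote-access services named in the report.
REMOTE_ACCESS_PORTS = {22: "SSH/SFTP", 3389: "RDP", 445: "SMB"}

# Constructed sample resembling the reported setup; paths, bridge address and
# fingerprint are placeholders, not real artefacts.
SUSPICIOUS_TORRC = """\
DataDirectory C:\\ProgramData\\tor
HiddenServiceDir C:\\ProgramData\\tor\\hs
HiddenServicePort 22 127.0.0.1:22
HiddenServicePort 3389 127.0.0.1:3389
HiddenServicePort 445 127.0.0.1:445
UseBridges 1
ClientTransportPlugin obfs4 exec C:\\ProgramData\\tor\\obfs4proxy.exe
Bridge obfs4 203.0.113.10:443 0123456789ABCDEF0123456789ABCDEF01234567 cert=PLACEHOLDER iat-mode=0
"""

# Constructed benign sample: an onion service fronting a local web app.
BENIGN_TORRC = """\
HiddenServiceDir /var/lib/tor/web
HiddenServicePort 80 127.0.0.1:8080
"""


def parse_torrc(text):
    """Yield (keyword, args) pairs, skipping blank lines and comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        yield parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")


def target_port(virtport, target):
    """Resolve the local port a HiddenServicePort line forwards to.

    torrc syntax is 'HiddenServicePort VIRTPORT [TARGET]' where TARGET is
    'port', 'host:port' or 'unix:/path'; it defaults to 127.0.0.1:VIRTPORT.
    Returns None for unix sockets or unparsable targets.
    """
    if not target:
        return virtport
    if target.startswith("unix:"):
        return None
    tail = target.rsplit(":", 1)[-1]
    return int(tail) if tail.isdigit() else None


def audit_torrc(text):
    """Return a summary of backdoor-like indicators found in a torrc."""
    report = {
        "hidden_service_dirs": [],
        "exposed_services": [],
        "obfs4_transport": False,
        "bridge_count": 0,
    }
    for keyword, args in parse_torrc(text):
        if keyword == "hiddenservicedir":
            report["hidden_service_dirs"].append(args)
        elif keyword == "hiddenserviceport":
            fields = args.split()
            if not fields or not fields[0].isdigit():
                continue
            virtport = int(fields[0])
            target = fields[1] if len(fields) > 1 else ""
            port = target_port(virtport, target)
            if port in REMOTE_ACCESS_PORTS:
                report["exposed_services"].append({
                    "virtport": virtport,
                    "target": target or f"127.0.0.1:{virtport}",
                    "service": REMOTE_ACCESS_PORTS[port],
                })
        elif keyword == "clienttransportplugin" and args.lower().startswith("obfs4"):
            report["obfs4_transport"] = True
        elif keyword == "bridge":
            report["bridge_count"] += 1
    # A hidden service fronting SSH/RDP/SMB is the core of the reported
    # backdoor; obfs4 on top strengthens the match but is not required.
    report["suspicious"] = bool(report["exposed_services"])
    return report


if __name__ == "__main__":
    for name, cfg in (("suspicious", SUSPICIOUS_TORRC), ("benign", BENIGN_TORRC)):
        result = audit_torrc(cfg)
        verdict = "SUSPICIOUS" if result["suspicious"] else "clean"
        print(f"{name}: {verdict} {result['exposed_services']}")
```

On a Windows host the torrc to feed into `audit_torrc` would be wherever an unexpected tor process points its configuration; pairing this check with an inventory of `sshd` services and of `HiddenServiceDir` directories that appeared outside normal software deployment gives a host-side counterpart to the SSH and Tor traffic analysis recommended above.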



