Cyble Research and Intelligence Labs (CRIL) have uncovered a cyber-espionage operation that used a weaponized ZIP archive to infiltrate defense-sector systems. The malicious file—disguised as a Belarusian military document titled “ТЛГ на убытие на переподготовку.pdf” (“TLG for departure for retraining.pdf”)—delivered a highly advanced backdoor capable of establishing covert access through SSH and Tor.
The campaign specifically leveraged the Belarusian military theme to deceive personnel linked to Special Operations Command and those specializing in UAV or drone operations. CRIL’s findings suggest the attack aimed to gather intelligence about the region’s unmanned aerial capabilities or possibly mask the attacker’s true identity through a false-flag narrative.
This operation builds on methods first observed in the December 2024 “Army+” campaign, previously attributed to the Sandworm group (APT44/UAC-0125). The October 2025 version shows notable technical evolution, employing improved obfuscation, operational security, and anonymization measures.
Infection Chain and Anti-Detection Measures
The malicious ZIP archive was carefully constructed to evade both human suspicion and automated detection. Inside the ZIP archive, the victim would find an LNK shortcut masquerading as a PDF file and a hidden folder named “FOUND.000” containing another compressed file, persistentHandlerHashingEncodingScalable.zip. When executed, the LNK shortcut launched an obfuscated PowerShell script instead of opening a legitimate document.
The PowerShell payload extracted files to the %appdata%\logicpro directory and ran additional code that maintained stealth through obfuscation and environmental awareness. Before executing, it checked that the infected system contained at least ten recent shortcut files and fifty or more running processes—conditions typical of real user environments but not sandboxes. If these checks fail, the script terminates, effectively bypassing automated malware analysis systems.
While the decoy PDF was opened to distract the victim, the malware silently proceeded to install persistent services in the background.
Scheduled Tasks, Persistence, and Backdoor Setup
Persistence was achieved through scheduled tasks created using XML templates extracted from the ZIP archive. Two tasks were registered: one to deploy OpenSSH for Windows (renamed as githubdesktop.exe) and another to run a modified Tor client (renamed as pinterest.exe).
The OpenSSH binary established a local SSH service on port 20321 using only RSA key-based authentication, disabling passwords entirely. The authorized keys and configuration files were stored in hidden directories under AppData\Roaming\logicpro. In parallel, the Tor service created a hidden .onion address and forwarded several critical ports:
- SSH (20322 → 127.0.0.1:20321)
- SMB (11435 → 127.0.0.1:445)
- RDP (13893 → 127.0.0.1:3389)
To conceal traffic, the malware employed the obfs4 protocol, disguising Tor communications as legitimate network traffic. Two bridge relays—77.20.116.133:8080 and 156.67.24.239:33333—served as entry points into the Tor network.
Once connected, the malware generated a unique .onion hostname and sent it to the attacker’s command-and-control server via a curl command routed through the Tor SOCKS5 proxy. The command used 1,000 retries with three-second intervals to ensure successful data delivery. This process gave the attacker continuous, anonymous access to the compromised host.
Attribution, Impact, and Defensive Measures
CRIL’s analysis confirmed that the backdoor allowed full remote access through SSH, RDP, SFTP, and SMB channels, all tunneled through Tor for anonymity. Analysts verified the backdoor’s functionality by establishing a controlled SSH session using the embedded RSA keys and proxy configuration. No secondary payloads or lateral movements were detected, suggesting the attackers were in the reconnaissance phase.
The October 2025 sample closely resembles techniques used in the December 2024 Army+ campaign attributed to Sandworm (APT44). The overlap includes double-extension lures, scheduled task persistence, and the integration of OpenSSH and Tor for covert tunneling. Sandworm, associated with Russia’s GRU Unit 74455, has a long history of targeting Ukraine’s infrastructure, including the BlackEnergy attacks in 2015, the NotPetya outbreak in 2017, and a 2023 breach of Kyivstar.
Despite these similarities, CRIL maintains moderate confidence in linking this operation directly to Sandworm. The Belarusian military focus could reflect either an intelligence-gathering mission or a deliberate misdirection tactic.
To mitigate such threats, CRIL recommends that defense organizations:
- Strengthen email filtering to detect nested or double-extension ZIP archives.
- Train personnel to verify document authenticity through secondary channels.
- Deploy a behavioral endpoint detection capable of flagging suspicious PowerShell activity and unauthorized scheduled tasks.
- Block or monitor Tor and obfs4 traffic at the network level.
- Audit SSH key usage and identify any OpenSSH instances running on non-standard ports.
