Listen to this Post

A new cyber-espionage campaign, dubbed Operation SkyCloak, has emerged as a major threat to military personnel in Russia and Belarus. Discovered by SEQRITE Labs, this highly targeted operation primarily focuses on the Russian Airborne Forces and Belarusian Special Forces. Unlike typical malware campaigns, SkyCloak employs a multi-stage infection chain, advanced PowerShell stagers, and Tor-based covert communications, highlighting an alarming evolution in state-level cyber-espionage techniques. Its use of deceptive military-themed lures, hidden SSH services, and Tor bridges signals a significant increase in the sophistication of attacks aimed at defense networks.
Multi-Stage Infection Chain
The attack begins with malicious ZIP archives containing shortcut (LNK) files that masquerade as official military correspondence. These decoys include documents like nomination letters from Russia’s 83rd Separate Guards Airborne Assault Brigade and training circulars from Belarus’s 5th Separate Spetsnaz Brigade. When opened, the LNK files trigger PowerShell commands that extract multiple archive layers into directories such as %APPDATA%\logicpro and %APPDATA%
eaper.
The deployed PowerShell scripts are designed to evade detection by performing anti-analysis checks, including counting recent files and assessing active processes. Persistence is ensured through hidden scheduled tasks set to trigger daily, enabling immediate payload execution. The stager dynamically generates Tor onion domains, waits for confirmation of service availability, and transmits unique identifiers combining usernames and onion addresses via Tor’s SOCKS listener on port 9050.
Covert SSH and Tor Bridge Communications
Subsequent payloads install legitimate OpenSSH binaries under misleading names such as githubdesktop.exe and googlemaps.exe. These services are configured to run on port 20321, restricted to local access, and utilize public-key authentication, minimizing network exposure. Tor bridges, set up using binaries disguised as confluence.exe or rider.exe, use obfs4 pluggable transports to conceal traffic, routing it through bridge IPs located in Germany, France, Poland, and Canada.
The malware exposes SSH, SMB, and RDP ports over hidden services, suggesting the attackers’ objective is persistent remote access and data exfiltration. While attribution remains inconclusive, parallels with previous Eastern European espionage campaigns—such as HollowQuill and CargoTalon—indicate a continuation of regionally sophisticated targeting strategies.
What Undercode Say: Analysis of SkyCloak’s Threat Landscape
Operation SkyCloak represents a significant evolution in military-focused cyber-espionage, combining multiple evasion and persistence mechanisms that distinguish it from conventional campaigns. The use of multi-layered PowerShell droppers demonstrates a deliberate approach to bypass endpoint security. By validating user activity before executing payloads, the attackers reduce the likelihood of triggering automated sandbox detections, which shows a nuanced understanding of defensive measures.
The integration of Tor networks with obfs4 bridges indicates the campaign is designed to operate under strict network restrictions and surveillance-heavy environments. This approach is notably more resilient than traditional VPN-based exfiltration techniques, offering both anonymity and reliable remote command-and-control channels. Moreover, the deployment of legitimate SSH binaries under misleading names highlights a trend of “living off the land” techniques, leveraging trusted system components to evade suspicion.
From a strategic perspective, targeting high-value military units in both Russia and Belarus implies intelligence-gathering motives rather than financial gain. The campaign’s architecture allows attackers to maintain long-term persistence, with stealthy access to sensitive communications and operational planning documents. Analysts also note the campaign’s modularity; new payloads can be deployed remotely without alerting users, a hallmark of advanced persistent threat (APT) tactics.
SkyCloak’s sophistication suggests a regional cyber-arms race, where espionage groups are increasingly adopting multi-layered attack chains combining scripting, anonymization, and hidden services. The campaign’s resemblance to HollowQuill and CargoTalon reinforces a trend toward hybrid tactics—mixing known attack techniques with innovative communication protocols to maintain operational stealth. For defenders, the implications are severe: traditional antivirus solutions may be insufficient, and endpoint monitoring must include behavioral analytics capable of detecting unusual PowerShell activity and Tor network traffic.
Furthermore, the campaign highlights growing risks for military personnel worldwide. By exploiting common operational behaviors, such as opening official-looking documents and using standard software binaries, SkyCloak bypasses conventional security awareness measures. Defensive strategies must therefore focus on multi-layered detection, including heuristic monitoring, anomaly detection, and proactive threat hunting for Tor-based command-and-control channels.
In summary, SkyCloak exemplifies the next generation of cyber-espionage, combining deception, stealth, and advanced technical execution. Its design prioritizes persistent access and operational anonymity, posing a serious threat to sensitive defense networks and signaling the need for heightened cyber vigilance across military infrastructures.
🔍 Fact Checker Results
✅ Verified: SkyCloak targets Russian Airborne and Belarusian Special Forces.
✅ Verified: PowerShell scripts and Tor networks are core components of the campaign.
❌ Unverified: Attribution to a specific state actor remains inconclusive.
📊 Prediction
SkyCloak signals a rising trend in militarized cyber campaigns, with attackers increasingly blending stealthy scripting, Tor anonymity, and modular payloads. 🌐 Expect future operations to leverage even more automated evasion techniques, targeting multi-national defense units and critical infrastructure. ⚡ Military cybersecurity protocols will need continuous adaptation to counter these evolving threats.
If you want, I can also create a visual flowchart of SkyCloak’s infection chain for easier understanding of its multi-stage attack. This could make the article even more engaging for readers. Do you want me to do that?
🕵️📝✔️Let’s dive deep and fact‑check.
References:
Reported By: cyberpress.org
Extra Source Hub (Possible Sources for article):
https://www.instagram.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
Bing
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon




