Listen to this Post

Introduction
In October 2025, cybersecurity experts at Cyble Research and Intelligence Labs (CRIL) revealed a highly sophisticated malware campaign specifically targeting Belarusian military personnel. Disguised as a seemingly innocuous document, the attack underscores the growing precision and complexity of state-backed cyber espionage in Eastern Europe. This operation not only demonstrates advanced malware engineering but also highlights the persistent threats facing defense sectors worldwide.
Malicious Campaign Overview
Researchers discovered a weaponized ZIP archive masquerading as a Belarusian military document titled “ТЛГ на убытие на переподготовку.pdf” (TLG for departure for retraining.pdf). The malware was explicitly aimed at personnel from Belarus’s Special Operations Command specializing in UAV and drone operations, indicating a deliberate focus on regional military intelligence.
The infection begins with a Windows shortcut (LNK) embedded in the ZIP file, designed to appear as a legitimate PDF. Once opened, it executes PowerShell commands that extract a hidden archive, install malicious payloads in %appdata%\logicpro, and run obfuscated scripts. These scripts perform environmental checks, such as counting LNK files and analyzing active processes, to bypass sandbox detection. A decoy PDF opens to maintain user trust while the malware quietly establishes persistence through scheduled tasks.
Two core services are installed on infected systems: an OpenSSH backdoor disguised as githubdesktop.exe and a customized Tor communication layer via pinterest.exe enhanced with obfs4 traffic obfuscation (confluence.exe). The OpenSSH service operates exclusively on port 20321 with RSA key authentication, while an SFTP subsystem (ebay.exe) facilitates covert file transfer and exfiltration.
The Tor layer allows attackers to remotely access the system via RDP, SSH, and SMB ports. All Tor traffic is obfuscated to appear as ordinary network activity, concealing it from standard monitoring systems. Data exfiltration occurs through a curl command routed via a SOCKS5 proxy, transmitting host-specific identifiers to the command-and-control infrastructure. CRIL confirmed that the attackers can establish full remote access using this Tor-anonymized channel.
Although no secondary payloads were observed, technical indicators suggest links to the December 2024 Sandworm (APT44/UAC-0125) campaign. This evolution of tactics—including obfs4 integration, pre-generated RSA keys, and enhanced persistence—signals an ongoing refinement in state-sponsored cyber operations targeting Eastern European military assets.
What Undercode Say: Advanced Threat Dynamics and Implications
The malware campaign analyzed by CRIL illustrates a troubling evolution in cyber espionage targeting military operations. By leveraging social engineering with a highly contextualized lure—a document framed around Belarusian military retraining—attackers demonstrate precise intelligence gathering before infection. Such targeting reflects a strategic approach where operational knowledge about potential victims informs the technical design of malware.
The infection chain’s sophistication is noteworthy. Using LNK files to trigger PowerShell scripts and layered archives allows malware to evade sandbox detection and maintain persistence. The dual-service architecture—OpenSSH for secure remote access and Tor for anonymized communications—shows a deep understanding of operational security and defensive evasion. Particularly, the use of obfs4 to disguise Tor traffic reflects a methodical approach to avoid detection by conventional monitoring systems, a tactic increasingly common in state-level operations.
The campaign’s resemblance to Sandworm operations highlights a continuity in Eastern European cyber threats. While no secondary payloads were found, the modular design suggests adaptability: future updates could deploy ransomware, keyloggers, or additional espionage tools. The strategic targeting of UAV and drone operations is especially significant. Drones represent critical intelligence and tactical assets, and compromising operators could yield insights into reconnaissance and strike capabilities.
From a geopolitical standpoint, this attack underscores how cyber warfare has shifted from broad disruption to targeted intelligence gathering. Military organizations, especially in regions of high strategic interest, must anticipate threats that are both technically advanced and highly customized. Defensive strategies must go beyond endpoint security, incorporating anomaly detection, threat hunting, and proactive OSINT to identify emerging campaigns before operational compromise.
Moreover, the campaign illustrates a growing trend of “low footprint” attacks. By using obfuscated scripts, decoy documents, and anonymized communication channels, attackers reduce the likelihood of early detection while maximizing intelligence gain. This approach also emphasizes the sophistication gap between state-level threat actors and standard corporate cybersecurity teams, highlighting the need for specialized expertise in defense sectors.
Operationally, organizations facing similar threats should audit system processes for unusual scheduled tasks, monitor for Tor traffic even in obfuscated forms, and review SSH key-based authentication configurations to detect unauthorized access attempts. Layered security models combining endpoint, network, and intelligence-driven defenses are essential to counter such advanced persistent threats.
Finally, this malware campaign demonstrates the importance of global threat intelligence sharing. By analyzing and publicizing detailed attack methodologies, organizations can prepare for future campaigns and understand evolving adversary tactics. State-sponsored malware campaigns are not isolated incidents; they are iterative, adaptive, and designed for long-term intelligence collection.
🔍 Fact Checker Results
✅ The malware targets Belarusian Special Operations personnel, confirmed by CRIL research.
✅ OpenSSH and Tor are used for covert access and encrypted communications.
❌ No secondary payloads, such as ransomware, were observed in this campaign.
📊 Prediction
Future attacks will likely expand on modular malware design, combining low-footprint infiltration with targeted intelligence collection. Eastern European military assets remain high-value targets, especially UAV and drone operators. Analysts predict increased use of obfuscated network traffic and encrypted communication channels, making early detection harder. Cyber defense strategies will need to focus on proactive threat hunting and anomaly detection to mitigate these evolving, state-backed threats.
🕵️📝✔️Let’s dive deep and fact‑check.
References:
Reported By: cyberpress.org
Extra Source Hub (Possible Sources for article):
https://www.instagram.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
Bing
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon




