Cybersecurity researchers have uncovered a new, highly targeted attack campaign, likely focusing on the defense sector in Russia and Belarus. The operation, which Seqrite has named Operation SkyCloak, uses phishing emails with weaponized attachments to deploy malware designed to install a persistent backdoor on compromised host machines. Reports from both Cyble and Seqrite Labs detail how the threat actors are leveraging advanced techniques, including using OpenSSH along with a customized Tor hidden service that employs the obfs4 protocol to effectively conceal command-and-control traffic.
The attack begins with phishing emails that use military-related document lures to trick recipients into opening a ZIP file. This archive contains a hidden folder, which holds a second archive and a Windows shortcut (LNK) file. Opening the LNK file initiates a complex, multi-step infection process. Security researchers noted that this initial dropper stage utilizes PowerShell commands triggered by the LNK file, along with the second archive, to set up the entire malicious chain. The observed samples suggest the activity is recent, with related files uploaded to the VirusTotal platform from Belarus in October 2025.
A crucial component of the infection is an intermediate PowerShell stager, which is specifically designed to perform anti-analysis checks to evade detection by automated sandbox environments. The script first confirms environmental factors, such as verifying that the number of recent LNK files on the system is 10 or more and that the current process count is 50 or higher. These thresholds serve as environmental awareness mechanisms, as a typical user workstation would meet these conditions, unlike a lean sandbox testing environment. If either condition is not met, the PowerShell execution terminates abruptly.
Finally, in an effort to distract the user and provide a convincing cover, the script displays a PDF decoy document that is stored locally in the “logicpro” folder. By the time the user sees the decoy, the malicious payload has already established its communication channel and secured its persistent foothold. This layered approach, combining social engineering, multi-stage delivery, advanced evasion, and sophisticated obfuscation, highlights the high level of effort and intent behind Operation SkyCloak targeting sensitive defense-related entities.
Reference:
