
Operation SkyCloak: Covert Cyber Strikes on Russian and Belarusian Military Personnel

Amber | Attack Report


Summary

Operation SkyCloak represents a sophisticated cyber campaign targeting Russian and Belarusian military personnel through highly coordinated phishing attacks and advanced persistence mechanisms. This stealth-focused cyber operation was discovered in 2025 and specifically targets the defense industry across Russia and Belarus, with particular focus on Russian Airborne and Belarusian special operations communities.

The Operation SkyCloak campaign employs phishing lures disguised as official military correspondence to deploy multi-stage malware infections on Windows platforms. The attack infrastructure utilizes PowerShell scripts, Tor anonymization networks with obfs4 bridges, and hidden OpenSSH servers to establish covert command-and-control channels. The precision targeting and sophisticated anonymizing infrastructure suggest a calculated cyber intelligence operation designed to infiltrate defense networks while maintaining operational security and evading detection.

The Operation SkyCloak threat actors built a complex infection chain that conceals communications through obfs4 Tor bridges, executes decoy-laden payloads to avoid suspicion, and maintains persistent access via scheduled tasks and custom onion services. This cyber campaign demonstrates advanced tradecraft characteristic of state-sponsored or highly capable threat actors conducting espionage operations against military targets in Eastern Europe.

Attack Details

Initial Access and Delivery Mechanism

The Operation SkyCloak campaign begins with spearphishing attacks leveraging military-themed letters as social engineering lures to target Russian and Belarusian military personnel. The phishing artifacts include weaponized ZIP archives containing double-extension LNK shortcut files that appear legitimate to unsuspecting victims. These malicious shortcuts were created on machines identified as desktop-V7i6LHO and desktop-u4a2HgZ, suggesting specific staging infrastructure used by the Operation SkyCloak threat actors.

When victims interact with the malicious LNK files, PowerShell commands are automatically triggered to unpack a staged archive hidden within the system. A secondary archive is recovered from a FOUND.000 folder, which then drops multiple payload components including executable files, text documents, decoy PDF files, DLL libraries, and XML configuration files. This multi-stage deployment methodology supports the sophisticated infection chain that ultimately culminates in malicious script execution on compromised systems.

PowerShell-Based Stager and Persistence

The Operation SkyCloak PowerShell stager performs comprehensive environmental reconnaissance and implements anti-sandbox checks to detect analysis environments and avoid security researchers. It uses a mutex to enforce single-instance execution, so that multiple concurrent copies of the script do not draw attention. The script parses XML configuration files to customize its behavior and installs scheduled tasks that ensure survival across system reboots, establishing persistent access to compromised military systems.

A critical component of the Operation SkyCloak attack chain involves constructing custom onion addresses for Tor-based command-and-control communications. The PowerShell stager waits for the local Tor process to become operational before issuing identification beacons to the attacker infrastructure. These beacons are implemented using curl tunneled through a Tor SOCKS listener, with robust retry logic designed to maximize communication reliability even under adverse network conditions. This approach demonstrates the threat actors’ preference for resilience and operational security over aggressive, easily detected persistence mechanisms.

Command-and-Control Infrastructure

The Operation SkyCloak campaign utilizes two distinct OpenSSH server deployments to maintain covert remote access. The first SSH deployment listens on nonstandard port 20321 with password authentication completely disabled, implementing public-key-only authentication for hardened, stealth remote access. This configuration suggests sophisticated operational security practices designed to minimize the attack surface and avoid detection through network traffic analysis.

The second SSH setup in the Operation SkyCloak infrastructure runs under tor.exe and exposes multiple services through Tor onion services, leveraging obfs4 pluggable transport technology. The obfs4proxy functionality is implemented through binaries disguised as legitimate applications (confluence.exe or rider.exe), connecting to defined bridge endpoints identified by IP address, port number, fingerprint, and certificate parameters. Network flow analysis reveals bridge traffic originating from Russia and neighboring countries, with IP addresses classified as either Tor nodes or residential hosts showing minimal activity on the targeted ports.
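The following host-triage script is an added example written for this advisory; it is not code from the advisory, from Seqrite, or from the threat actor. It checks a Windows host for the two C2 footprints described above: a local listener on the non-standard SSH port 20321, and processes using the masqueraded names (tor.exe, confluence.exe, rider.exe) or running from the roaming profile. It assumes Windows 8/Server 2012 or later (for Get-NetTCPConnection) and an elevated session; the extra names sshd.exe and obfs4proxy.exe are assumptions added for completeness, not indicators from the advisory.

```powershell
# Added triage example (not from the advisory). Assumes an elevated session on
# Windows 8+/Server 2012+ so that Get-NetTCPConnection and process paths are available.

function Find-SkyCloakListeners {
    param(
        [int[]]$SuspectPorts = @(20321),   # non-standard SSH port named in the advisory
        # Names from the advisory plus two assumed helper names (sshd, obfs4proxy)
        [string[]]$SuspectNames = @('tor.exe', 'confluence.exe', 'rider.exe', 'sshd.exe', 'obfs4proxy.exe')
    )
    $findings = @()

    # 1. Anything listening on the advisory's SSH port, mapped to the owning process.
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $SuspectPorts -contains $_.LocalPort } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $findings += [pscustomobject]@{
                Check   = 'Listener'
                Port    = $_.LocalPort
                Pid     = $_.OwningProcess
                Process = $proc.ProcessName
                Path    = $proc.Path
            }
        }

    # 2. Processes with the masqueraded names, or any process whose image lives
    #    under the roaming profile (%APPDATA%), where the advisory's staging folders sit.
    $appData = $env:APPDATA
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path } |
        Where-Object {
            ($SuspectNames -contains ($_.ProcessName + '.exe')) -or
            ($appData -and $_.Path.StartsWith($appData, [System.StringComparison]::OrdinalIgnoreCase))
        } |
        ForEach-Object {
            $findings += [pscustomobject]@{
                Check   = 'Process'
                Port    = $null
                Pid     = $_.Id
                Process = $_.ProcessName
                Path    = $_.Path
            }
        }

    return $findings
}

Find-SkyCloakListeners | Format-Table -AutoSize
```

A hit on the process check is a lead, not a verdict: a developer workstation may legitimately run rider.exe. The combination that matters is a tor.exe/confluence.exe/rider.exe image living under a user profile together with an sshd-style listener, which is the pairing the advisory describes.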

Operational Tradecraft

The Operation SkyCloak cyber campaign represents a multi-chain, stealth-focused intrusion methodology that combines PowerShell scripting, OpenSSH remote administration, and Tor anonymization bridges to enable covert remote access and lateral movement capabilities. The targeting of defense and government-adjacent entities across Eastern Europe, combined with the sophisticated technical implementation, indicates this is likely an intelligence collection operation conducted by advanced threat actors with significant resources and cyber capabilities.

Recommendations

Update and Patch Management

Organizations should ensure all operating systems and software components are fully updated with the latest security patches, with particular attention to PowerShell, Tor, and OpenSSH implementations that are exploited in Operation SkyCloak attacks. Attackers frequently exploit unpatched vulnerabilities in these components to gain initial footholds and maintain persistent access to compromised defense networks.

PowerShell Security Controls

If PowerShell is not required for daily operational activities, organizations should disable or restrict its use through group policy configurations. This defensive measure helps block malicious PowerShell scripts that are fundamental to the Operation SkyCloak infection chain, preventing both initial compromise and persistence mechanisms employed by these threat actors.
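Where PowerShell cannot be disabled outright, the next best control is to log it and hunt the logs. The script below is an added example (not from the advisory or its source report): it checks and, if needed, sets the same policy value that the "Turn on PowerShell Script Block Logging" Group Policy writes, then searches the resulting 4104 events for strings that the stager behaviour described in this advisory would leave behind (curl through a SOCKS proxy, .onion beacons, the FOUND.000 staging folder, the %APPDATA% directory names, tor/obfs4). The marker regexes are my own derivation from the advisory text, not published signatures; an elevated session is assumed.

```powershell
# Added example (not from the advisory): enable script block logging and hunt
# 4104 events for markers derived from the stager behaviour in this advisory.
# Assumes an elevated session on the monitored host.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'

function Test-ScriptBlockLogging {
    # $true when the policy value that produces 4104 events is set.
    $value = Get-ItemProperty -Path $policyKey -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    return ($null -ne $value -and $value.EnableScriptBlockLogging -eq 1)
}

function Enable-ScriptBlockLogging {
    # Same registry value the GPO "Turn on PowerShell Script Block Logging" sets.
    New-Item -Path $policyKey -Force | Out-Null
    Set-ItemProperty -Path $policyKey -Name EnableScriptBlockLogging -Value 1 -Type DWord
}

function Find-SkyCloakScriptBlocks {
    param([int]$Days = 7)
    # Markers derived from the advisory text (assumed, not published signatures).
    $markers = @(
        '\.onion',
        'socks5h?://',
        'curl(\.exe)?\s',
        'FOUND\.000',
        'dynamicUpdatingHashingScalingContext',
        '\\logicpro\\', '\\reaper\\',
        'tor\.exe', 'obfs4'
    )
    $pattern = ($markers -join '|')
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $pattern } |
        Select-Object TimeCreated, Id, @{
            n = 'Excerpt'
            e = { $m = $_.Message -replace '\s+', ' '; $m.Substring(0, [Math]::Min(200, $m.Length)) }
        }
}

if (-not (Test-ScriptBlockLogging)) { Enable-ScriptBlockLogging }
Find-SkyCloakScriptBlocks | Format-List
```

Script block logging only captures code that runs after it is enabled, so turn it on fleet-wide before an incident rather than during one, and forward the Microsoft-Windows-PowerShell/Operational channel to the SIEM so the search can run centrally instead of host by host.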

Scheduled Task Monitoring

Security teams must regularly review Windows Task Scheduler for unexpected or hidden scheduled tasks that may indicate Operation SkyCloak compromise. Attackers routinely create scheduled tasks to maintain persistent access even after system reboots, making continuous monitoring of these system components essential for detecting and remediating advanced threats.
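The review described here, and the scheduled-task persistence described in the PowerShell stager section, can be automated with the added example below (my code, not the advisory's). It walks every registered task and flags actions that launch a scripting interpreter or one of the tools the advisory ties to the campaign, that carry hidden/encoded PowerShell arguments, or that run from a user-writable location. It assumes Windows 8/Server 2012 or later (the ScheduledTasks module) and an elevated session so that all users' tasks are visible; the list of suspect executables and the argument regex are assumptions based on the advisory, not published indicators.

```powershell
# Added example (not from the advisory): flag scheduled tasks that fit the
# persistence pattern described above. Assumes Windows 8+/Server 2012+ and an
# elevated session so that every user's tasks are enumerated.

function Find-SuspiciousScheduledTasks {
    param(
        # Interpreters and tools the advisory associates with the stager and its C2 plumbing.
        [string[]]$SuspectExecutables = @('powershell', 'pwsh', 'curl', 'tor', 'ssh', 'sshd', 'confluence', 'rider'),
        # Argument fragments typical of hidden/encoded launches plus advisory markers (assumed regex).
        [string]$SuspectArguments = '(?i)-(enc|encodedcommand|w\s+hidden|windowstyle\s+hidden|nop|noprofile|ep\s+bypass)|\.onion|FOUND\.000'
    )
    $userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, "$env:SystemDrive\Users\Public") |
        Where-Object { $_ }

    foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
            $exePath = [Environment]::ExpandEnvironmentVariables(($action.Execute -replace '"', ''))
            $exe     = [System.IO.Path]::GetFileNameWithoutExtension($exePath)
            $argStr  = [Environment]::ExpandEnvironmentVariables([string]$action.Arguments)
            $reasons = @()
            if ($SuspectExecutables -contains $exe.ToLower()) { $reasons += "interpreter/tool: $exe" }
            if ($argStr -match $SuspectArguments)             { $reasons += 'suspicious arguments' }
            foreach ($dir in $userWritable) {
                if (($exePath + ' ' + $argStr) -like "*$dir*") { $reasons += "runs from $dir"; break }
            }
            if ($reasons.Count -gt 0) {
                $info = $task | Get-ScheduledTaskInfo -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    TaskPath  = $task.TaskPath
                    TaskName  = $task.TaskName
                    Author    = $task.Author
                    Execute   = $action.Execute
                    Arguments = $argStr
                    LastRun   = $info.LastRunTime
                    Reasons   = ($reasons -join '; ')
                }
            }
        }
    }
}

Find-SuspiciousScheduledTasks | Format-List
```

Expect some benign hits (updaters that run from %LOCALAPPDATA% are common); the useful triage signal is a task created recently, whose author is a plain user account, and whose action launches PowerShell hidden from a profile path. Baseline the output once per host class so that a diff, not the raw list, is what analysts review.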

Suspicious Directory Detection

Organizations should actively monitor for unusual folders such as dynamicUpdatingHashingScalingContext, logicpro, or reaper located under the %APPDATA% directory path. The presence of these directories may indicate Operation SkyCloak malware components or staging areas used by attackers to store tools and configuration files on compromised systems.
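The following example is added here and is not from the advisory: it sweeps the three folder names above under every profile's Roaming AppData, plus the FOUND.000 staging folder mentioned in the delivery section at the root of each drive, hashes whatever those folders contain, and compares the results with the advisory's published MD5 and SHA256 indicators. Only four hashes of each type are embedded to keep the block short; paste the full lists from the IoC section into the two arrays for a real sweep. An elevated session is assumed so that all user profiles are readable.

```powershell
# Added example (not from the advisory): locate the named directories and hash
# their contents against the advisory's IoC hashes. Assumes an elevated session.

$SuspectDirNames = @('dynamicUpdatingHashingScalingContext', 'logicpro', 'reaper', 'FOUND.000')

# Subset of the advisory's IoC hashes, copied verbatim; extend with the full lists.
$IocMd5 = @(
    '952f86861feeaf9821685cc203d67004',
    'd246dfa9e274c644c5a9862350641bac',
    '8716989448bc88ba125aead800021db0',
    'ae4f82f9733e0f71bb2a566a74eb055c'
)
$IocSha256 = @(
    '30a5df544f4a838f9c7ce34377ed2668e0ba22cc39d1e26b303781153808a2c4',
    'a939d1edcc422772124a373be68b7cb38110639db8b1f4b5dca0b7e94b8399e3',
    'e555083bdb62cf9df6aa7101908d9dbb89f55788ddab2e3288d57e48d43abd35',
    'f8dc5e9747ca7ea00c88817472d273c570fec6899134f419cd1ae98235db1830'
)

function Find-SuspectDirectories {
    # Every profile's Roaming AppData (not just the current user's) and each drive root.
    $roots = @()
    $roots += Get-ChildItem "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'AppData\Roaming' }
    $roots += Get-PSDrive -PSProvider FileSystem | ForEach-Object { $_.Root }
    foreach ($root in $roots) {
        Get-ChildItem $root -Directory -Force -ErrorAction SilentlyContinue |
            Where-Object { $SuspectDirNames -contains $_.Name }
    }
}

function Find-IocHashMatches {
    param([Parameter(ValueFromPipeline)][System.IO.DirectoryInfo]$Directory)
    process {
        Get-ChildItem $Directory.FullName -File -Recurse -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $md5    = (Get-FileHash $_.FullName -Algorithm MD5).Hash.ToLower()
                $sha256 = (Get-FileHash $_.FullName -Algorithm SHA256).Hash.ToLower()
                $hit = if ($IocSha256 -contains $sha256) { 'SHA256' }
                       elseif ($IocMd5 -contains $md5)   { 'MD5' }
                       else { $null }
                [pscustomobject]@{
                    File   = $_.FullName
                    IocHit = $hit
                    MD5    = $md5
                    SHA256 = $sha256
                }
            }
    }
}

$dirs = @(Find-SuspectDirectories)
if ($dirs.Count -eq 0) { 'No suspect directories found.' }
$dirs | Find-IocHashMatches | Format-Table File, IocHit, MD5 -AutoSize
```

Note that a FOUND.000 folder at a drive root is also what chkdsk creates when it recovers orphaned clusters, so its presence alone is not an indicator; what matters is an archive or executables inside it whose hashes match, or a copy of the folder under a user profile where chkdsk would never write it.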

Security Awareness Training

Personnel must be educated about phishing threats, particularly ZIP archives or LNK shortcut files with double extensions that are characteristic of Operation SkyCloak attacks. Users should be encouraged to report suspicious emails, attachments, or system behavior immediately to security teams, enabling rapid incident response to potential compromises.
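Training helps, but the double-extension lure described here and in the delivery section can also be caught mechanically at the mail gateway or on the analyst's bench. The script below is an added example (not from the advisory or its source report) that opens a ZIP attachment read-only, without extracting anything, and reports entries whose name ends in a document-looking extension followed by .lnk, as well as any other shortcut inside the archive. It assumes .NET's System.IO.Compression is available (Windows PowerShell 5.1 and PowerShell 7 both ship it); the sample archive it builds uses constructed file names, not the campaign's actual lure names.

```powershell
# Added example (not from the advisory): name-based triage of ZIP attachments
# for document-name.lnk lures, with a constructed sample archive to demonstrate.

Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-LureArchive {
    param([Parameter(Mandatory)][string]$ZipPath)
    # Extensions a user would expect a "document" to carry; <that>.lnk is the lure pattern.
    $docExt  = 'pdf|docx?|xlsx?|pptx?|rtf|txt|jpe?g|png'
    $pattern = "(?i)\.($docExt)\.lnk$"

    $zip = [System.IO.Compression.ZipFile]::OpenRead($ZipPath)
    try {
        foreach ($entry in $zip.Entries) {
            if ($entry.FullName -match $pattern) {
                [pscustomobject]@{
                    Archive = $ZipPath
                    Entry   = $entry.FullName
                    Size    = $entry.Length
                    Reason  = 'document-looking name with .lnk as the real extension'
                }
            } elseif ($entry.FullName -match '(?i)\.lnk$') {
                [pscustomobject]@{
                    Archive = $ZipPath
                    Entry   = $entry.FullName
                    Size    = $entry.Length
                    Reason  = 'shortcut file inside an archive'
                }
            }
        }
    } finally {
        $zip.Dispose()
    }
}

# Constructed sample archive; the entry names are illustrative only.
$sample = Join-Path $env:TEMP 'constructed_lure.zip'
if (Test-Path $sample) { Remove-Item $sample }
$zipOut = [System.IO.Compression.ZipFile]::Open($sample, 'Create')
try {
    foreach ($name in @('Order_No_1123.pdf.lnk', 'Order_No_1123.pdf', 'readme.txt')) {
        $entry = $zipOut.CreateEntry($name)
        $entry.Open().Dispose()   # empty entry; only the name matters for this check
    }
} finally {
    $zipOut.Dispose()
}

Test-LureArchive -ZipPath $sample | Format-Table -AutoSize
```

Because Windows Explorer hides known extensions by default, Order_No_1123.pdf.lnk displays as Order_No_1123.pdf to the user; quarantining any archive that contains a .lnk entry at all is a reasonable gateway policy, since legitimate correspondence almost never ships shortcuts.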

Advanced Endpoint Protection

Organizations should deploy next-generation antivirus (NGAV) and endpoint detection and response (EDR) solutions capable of identifying and blocking sophisticated malware like that used in Operation SkyCloak campaigns. These security tools should leverage behavioral analysis and machine learning-based detection techniques to identify suspicious activities that traditional signature-based antivirus cannot detect.

Indicators of Compromise (IoCs)

MD5 Hashes

952f86861feeaf9821685cc203d67004
d246dfa9e274c644c5a9862350641bac
8716989448bc88ba125aead800021db0
ae4f82f9733e0f71bb2a566a74eb055c
32bdbf5c26e691cbbd451545bca52b56
2731b3e8524e523a84dc7374ae29ac23
39937e199b2377d1f212510f1f2f7653
9242b49e9581fa7f2100bd9ad4385e8c
b61a80800a1021e9d0b1f5e8524c5708
b52dfb562c1093a87b78ffb6bfc78e07
45b16a0b22c56e1b99649cca1045f500
dcdf4bb3b1e8ddb24ac4e7071abd1f65
e1a8daea05f25686c359db8fa3941e1d
b3382b6a44dc2cefdf242dc9f9bc9d84
229afc52dccd655ec1a69a73369446dd
f6837c62aa71f044366ac53c60765739
2599d1b1d6fe13002cb75b438d9b80c4
b7ae44ac55ba8acb527b984150c376e2
0f6aaa52b05ab76020900a28afff9fff
219e7d3b6ff68a36c8b03b116b405237
dfc78fe2c31613939b570ced5f38472c
77bb74dd879914eea7817d252dbab1dc
f6c0304671c4485c04d4a1c7c8c8ed94
cdd065c52b96614dc880273f2872619f
37e83a8fc0e4e6ea5dab38b0b20f953b
6eafae19d2db29f70fa24a95cf71a19d
664f09734b07659a6f75bca3866ae5e8
23ad48b33d5a6a8252ed5cd38148dcb7
c8c41b7e02fc1d98a88f66c3451a081b

SHA256 Hashes

30a5df544f4a838f9c7ce34377ed2668e0ba22cc39d1e26b303781153808a2c4
a939d1edcc422772124a373be68b7cb38110639db8b1f4b5dca0b7e94b8399e3
e555083bdb62cf9df6aa7101908d9dbb89f55788ddab2e3288d57e48d43abd35
f8dc5e9747ca7ea00c88817472d273c570fec6899134f419cd1ae98235db1830
99ec6437f74eec19e33c1a0b4ac8826bcc44848f87cd1a1c2b379fae9df62de9
f44fa352c430d5f34462143daa726660be9d1bd0666ab2f3672df47adde55986
7269b4bc6b3036e5a2f8c2a7908a439202cee9c8b9e50b67c786c39f2500df8f
0b9df542755298cd0b087681efbfaf91d35209966ff3bd8368ba65bcc0536a59
fdbb5d65ee611b35ccca6dd00ee0f9288dbaef8be9d8a247b067c8de3826759f
a250eb4fa9e270006defb04f5cc8eaa56bb016697f4e97739ca49d7d8ff3c11f
949bc47d0cbbca0eeb73e18722fe2aa45c7681344bfa0e3bc9a7f9a4a8a88341
51f02908ff27e270999ce9b796d92ec866d397aaf42af8b3eb2654463e1c53fd
2f1a2fc130eeef678c44d2f1a43be64283b13db001b6facd9c1e7135672d88f5
21ce085622d3ce447f36552290f2c22bc4bda5e176620a5683bc3ed995d10344
a68a72f845931408740870dbd3f0eac3b7acdbae3fdc8ea86aa8dfe48d351ce6
0ff79b5a5af723654a6a6b8ce879a0aed2b009cee93dc9a8452b7dc7608f7aae
710e8c96875d6a3c1b4f08f4b2094c800658551065b20ef3fd450b210dcc7b9a
7946a2275c1c232eebed6ead95ea4723285950175586db1f95354b910b0a3cce
a0eed0e1ef8fc4129f630e6f68c29c357c717df0fe352961e92e7f8c93e5371b
feae0baf291ff54a1366f0cd628665d2b1c9fe279ce2544d4f84c7aa46064f3c
08db5bb9812f49f9394fd724b9196c7dc2f61b5ba1644da65db95ab6e430c92b
5d3a6340691840d1a87bfab543faec77b4a9d457991dd938834de820a99685f7
f889e06affd416bbbb49361639ab67e61ea9c5e989f87d5eeefd4fba5491c77a

Network Infrastructure

IP:Port combinations associated with Operation SkyCloak command-and-control infrastructure (defanged):

77[.]20[.]116[.]133:8080
156[.]67[.]24[.]239:33333
146[.]59[.]116[.]226:50845
142[.]189[.]114[.]119:443

Tor Onion Service

yuknkap4im65njr3tlprnpqwj4h7aal4hrn2tdieg75rpp6fx25hqbyd[.]onion
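The network indicators above are published defanged, so they need to be normalized before they can be matched against logs. The added example below (my code, not the advisory's) undoes the usual defanging conventions, then runs the IP:port pairs and the onion address over egress log lines, matching either the full IP:port pair or the bare IP, since not every log source records the destination port. The log lines are constructed for the demonstration in a generic "timestamp action src -> dst proto" shape; adapt the parsing to your own firewall or proxy format.

```powershell
# Added example (not from the advisory): refang the published network IoCs and
# match them against egress log lines. Sample log lines are constructed, not real traffic.

$DefangedIocs = @(
    '77[.]20[.]116[.]133:8080',
    '156[.]67[.]24[.]239:33333',
    '146[.]59[.]116[.]226:50845',
    '142[.]189[.]114[.]119:443',
    'yuknkap4im65njr3tlprnpqwj4h7aal4hrn2tdieg75rpp6fx25hqbyd[.]onion'
)

function ConvertFrom-Defanged {
    param([Parameter(Mandatory)][string]$Indicator)
    # Undo the common conventions: [.] and (.) for dots, [:] for colons, hxxp for http.
    $Indicator -replace '\[\.\]|\(\.\)', '.' -replace '\[:\]', ':' -replace '^hxxp', 'http'
}

function Find-NetworkIocHits {
    param(
        [Parameter(Mandatory)][string[]]$LogLines,
        [string[]]$Iocs = $DefangedIocs
    )
    $refanged = $Iocs | ForEach-Object { ConvertFrom-Defanged $_ }
    foreach ($line in $LogLines) {
        foreach ($ioc in $refanged) {
            # Escape so the dots are literal; also accept the bare host when the log omits the port.
            $hostPart = ($ioc -split ':')[0]
            $bare = '(?<![\d.])' + [regex]::Escape($hostPart) + '(?![\d.])'
            if ($line -match [regex]::Escape($ioc) -or $line -match $bare) {
                [pscustomobject]@{ Indicator = $ioc; LogLine = $line }
                break
            }
        }
    }
}

# Constructed sample log lines (not real traffic). The .onion lookup is included because a
# .onion name reaching a corporate resolver means a Tor client leaked a lookup outside Tor.
$sampleLog = @(
    '2025-11-03T09:12:44Z ALLOW 10.20.5.17:51234 -> 142.189.114.119:443 tcp',
    '2025-11-03T09:12:45Z ALLOW 10.20.5.17:51235 -> 93.184.216.34:443 tcp',
    '2025-11-03T09:13:02Z ALLOW 10.20.5.22:51300 -> 77.20.116.133:8080 tcp',
    '2025-11-03T09:13:10Z DNS   10.20.5.22 query yuknkap4im65njr3tlprnpqwj4h7aal4hrn2tdieg75rpp6fx25hqbyd.onion'
)

Find-NetworkIocHits -LogLines $sampleLog | Format-Table -AutoSize
```

Because the advisory notes that some bridge addresses are residential hosts, an IP match should trigger a look at the session (destination port, byte counts, obfs4-style traffic that does not negotiate TLS) rather than an automatic block that could cut off a legitimate site sharing the address.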

MITRE ATT&CK TTPs

Resource Development (TA0042)

T1583 – Acquire Infrastructure: Operation SkyCloak threat actors acquired infrastructure including Tor bridges, onion services, and command-and-control servers to support their espionage operations against military targets.

Initial Access (TA0001)

T1566 – Phishing: The Operation SkyCloak campaign utilizes phishing emails with malicious attachments to gain initial access to target systems.

T1566.001 – Spearphishing Attachment: Weaponized ZIP archives containing LNK shortcuts disguised as military correspondence serve as the primary delivery mechanism for Operation SkyCloak malware.

Execution (TA0002)

T1204 – User Execution: Operation SkyCloak attacks require user interaction to execute the malicious LNK files that trigger the infection chain.

T1204.002 – Malicious File: Victims execute malicious files embedded within phishing attachments to initiate the Operation SkyCloak compromise sequence.

T1059 – Command and Scripting Interpreter: PowerShell scripts form the foundation of the Operation SkyCloak infection and persistence mechanisms.

T1059.001 – PowerShell: The campaign extensively leverages PowerShell for environmental reconnaissance, anti-sandbox checks, persistence installation, and command-and-control communications.

T1106 – Native API: Operation SkyCloak malware utilizes native Windows APIs to perform system operations and evade detection.

Persistence (TA0003)

T1053 – Scheduled Task/Job: The Operation SkyCloak PowerShell stager creates scheduled tasks to maintain access across system reboots.

T1053.005 – Scheduled Task: Windows Task Scheduler is exploited to ensure persistent execution of malicious components even after victim systems restart.

T1547 – Boot or Logon Autostart Execution: Multiple persistence mechanisms ensure Operation SkyCloak malware executes automatically when compromised systems boot or users log in.

Defense Evasion (TA0005)

T1027 – Obfuscated Files or Information: Operation SkyCloak employs obfuscation techniques to conceal malicious code from security analysis and detection tools.

T1036 – Masquerading: Malicious binaries are disguised with names like confluence.exe and rider.exe to appear as legitimate applications and avoid suspicion.

T1497 – Virtualization/Sandbox Evasion: The PowerShell stager implements anti-sandbox checks to detect analysis environments and prevent security researchers from examining the malware behavior.

Discovery (TA0007)

T1083 – File and Directory Discovery: Operation SkyCloak malware performs reconnaissance to identify files and directories of intelligence value on compromised military systems.

T1046 – Network Service Discovery: The campaign includes network scanning capabilities to identify additional targets and opportunities for lateral movement.

T1033 – System Owner/User Discovery: Environmental reconnaissance gathers information about system owners and users to support intelligence collection objectives.

Lateral Movement (TA0008)

T1021 – Remote Services: OpenSSH servers deployed by Operation SkyCloak enable remote administration and lateral movement across compromised defense networks.

Collection (TA0009)

T1119 – Automated Collection: The sophisticated infrastructure suggests automated collection capabilities for gathering intelligence from targeted military personnel.

Command and Control (TA0011)

T1071 – Application Layer Protocol: Operation SkyCloak utilizes standard application protocols like HTTP/HTTPS for command-and-control communications to blend with legitimate network traffic.

T1090 – Proxy: Tor networks and obfs4 bridges serve as proxy infrastructure to anonymize command-and-control communications and conceal attacker locations.

T1571 – Non-Standard Port: SSH services listening on port 20321 rather than the standard port 22 help Operation SkyCloak evade network security monitoring that focuses on default service ports.

Exfiltration (TA0010)

T1041 – Exfiltration Over C2 Channel: Stolen intelligence is likely exfiltrated through the established Tor-based command-and-control channels, concealing data theft within encrypted traffic.

References

https://www.seqrite.com/blog/operation-skycloak-tor-campaign-targets-military-of-russia-belarus/
