EXECUTIVE SUMMARY:
A targeted campaign is actively luring military personnel in the Russian Federation and the Republic of Belarus with convincing decoy documents that impersonate internal nomination and training communications. The operation's objective appears to be the covert establishment of remote access channels and clandestine exfiltration paths by convincing victims to execute weaponized shortcut (LNK) attachments that begin the multi-stage infection chain.
The intrusion begins with a double-extension LNK inside a phishing ZIP that executes PowerShell; the PowerShell stager performs anti-analysis checks, extracts nested archives into user profile locations, and launches additional scripts and binaries. Persistence is achieved with hidden Windows scheduled-task XMLs that run payloads on user logon and on demand. Attackers deploy a self-contained OpenSSH stack inside the user profile and configure a local Tor client to expose services over onion addresses, enabling remote administration and covert data channels through mapped hidden-service ports. A sample onion registration and bridge endpoints were observed as part of the configuration.
The operation aims to establish covert, persistent remote-access channels within defense-sector environments in Russia and Belarus. By combining layered deception, anti-analysis logic, embedded SSH over Tor and custom bridge infrastructure, the threat actor maintains a high degree of stealth. Although attribution remains low confidence, the campaign's nature is consistent with espionage activity targeting governmental and military organizations. Recipients in critical defense and allied sectors should treat this as an elevated risk: review internal access logs, harden the configuration of remote services, and monitor for anomalous Tor-based communications.
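As an added hunting example, not part of this report: a Python script that flags the two host artifacts the chain above leaves behind, a hidden scheduled task that fires at logon and runs a command from the user profile, and a torrc that publishes SSH or RDP through a hidden service. The task XML and torrc samples are constructed for illustration, not recovered from the campaign.

```python
# Added hunting example (not from the report): flags scheduled-task XML and torrc
# settings matching the persistence and Tor hidden-service tradecraft described above.
import re
import xml.etree.ElementTree as ET
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
USER_PROFILE_RE = re.compile(r"(?i)%USERPROFILE%|%APPDATA%|%LOCALAPPDATA%|C:\\Users\\")
REMOTE_ADMIN_PORTS = {22, 3389}  # SSH and RDP, the services exposed over onion addresses

def suspicious_task(xml_text: str) -> list[str]:
    """Return the reasons a scheduled-task definition matches the reported tradecraft."""
    root = ET.fromstring(xml_text)
    reasons = []
    hidden = root.find(".//t:Settings/t:Hidden", TASK_NS)
    if hidden is not None and (hidden.text or "").strip().lower() == "true":
        reasons.append("hidden task")
    if root.find(".//t:Triggers/t:LogonTrigger", TASK_NS) is not None:
        reasons.append("runs at user logon")
    for cmd in root.findall(".//t:Actions/t:Exec/t:Command", TASK_NS):
        if USER_PROFILE_RE.search(cmd.text or ""):  # payload dropped in the user profile
            reasons.append(f"executes from user profile: {cmd.text}")
    return reasons

def hidden_service_ports(torrc: str) -> list[tuple[int, str]]:
    """Return (onion_port, target) for HiddenServicePort lines that map onto SSH or RDP."""
    found = []
    for line in torrc.splitlines():
        m = re.match(r"\s*HiddenServicePort\s+(\d+)\s+(\S+)", line)
        if not m:
            continue
        onion_port, target = int(m.group(1)), m.group(2)
        tail = target.rsplit(":", 1)[-1]
        target_port = int(tail) if tail.isdigit() else onion_port  # Tor default: same port
        if target_port in REMOTE_ADMIN_PORTS:
            found.append((onion_port, target))
    return found

# Constructed samples standing in for a file under C:\Windows\System32\Tasks and a torrc.
SAMPLE_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions><Exec><Command>%USERPROFILE%\\svc\\sshd.exe</Command></Exec></Actions>
</Task>"""
SAMPLE_TORRC = """HiddenServicePort 22 127.0.0.1:22
HiddenServicePort 3389 127.0.0.1:3389
HiddenServicePort 80 127.0.0.1:8080
"""

if __name__ == "__main__":
    print(suspicious_task(SAMPLE_TASK))
    print(hidden_service_ports(SAMPLE_TORRC))
```

In a real hunt, feed every file under the Tasks folder to `suspicious_task` and any `torrc` found outside a Tor Browser install to `hidden_service_ports`.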
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Resource Development | T1583.005 | Acquire Infrastructure | Botnet |
| Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
| Execution | T1204.002 | User Execution | Malicious File |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Execution | T1106 | Native API | — |
| Execution | T1053.005 | Scheduled Task/Job | Scheduled Task |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Defense Evasion | T1027.010 | Obfuscated Files or Information | Command Obfuscation |
| Defense Evasion | T1036.003 | Masquerading | Rename Legitimate Utilities |
| Defense Evasion | T1497.002 | Virtualization/Sandbox Evasion | User Activity Based Checks |
| Discovery | T1083 | File and Directory Discovery | — |
| Discovery | T1046 | Network Service Discovery | — |
| Discovery | T1033 | System Owner/User Discovery | — |
| Lateral Movement | T1021.001 | Remote Services | Remote Desktop Protocol |
| Collection | T1119 | Automated Collection | — |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Command and Control | T1090.002 | Proxy | External Proxy |
| Command and Control | T1571 | Non-Standard Port | — |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | — |
REFERENCES:
The following reports contain further technical details: