EXECUTIVE SUMMARY:
A targeted campaign uses weaponized archive and document files posing as military-themed documents to deliver a stealthy backdoor onto Windows hosts. The attack begins with a compressed archive containing a crafted Office/RTF document that, when opened, triggers execution of a staged dropper. The dropper writes a native payload to disk, configures persistence, and installs a backdoor that provides an interactive remote shell over an anonymizing network transport. A key feature is use of an SSH-capable component combined with anonymized network tunneling, allowing remote interactive access while obscuring inbound connections. Affected systems are primarily Windows endpoints that process Office/RTF content and systems that accept SSH sessions for lateral access; the campaign also targets environments where individuals have access to military or defense-related document handling. Business impact ranges from long-term covert access and sensitive data exposure to operational compromise of administrative or operational systems, particularly in sectors handling defense-related material.
Analysis of the chain shows a multi-stage execution flow. The user opens a crafted document that either leverages embedded scripting or relies on the user executing an embedded object to run a compact VBScript or similar dropper. That dropper uses built-in Windows HTTP download primitives to fetch a binary blob, writes it to a local path, and uses an autostart mechanism to achieve persistence. The native payload implements an interactive backdoor that supports SSH-style session handling and routes traffic over an anonymizing overlay, enabling remote shell access through an obfuscated channel. The backdoor employs runtime obfuscation and dynamic API resolution to reduce static detection (resolving Windows APIs at runtime instead of through static imports) and encrypts sensitive communications and staged data with symmetric encryption for confidentiality. Notable TTPs include weaponized document lures, multi-stage downloading, runtime API obfuscation, anonymized C2 transport, and symmetric encryption of staged transfers.
Observed outcomes are sustained covert remote access and the ability to perform interactive command execution on compromised hosts via an SSH-capable backdoor tunneled over an anonymizing network. The campaign blends social-engineered delivery with multi-stage native payloads and anonymized C2 to reduce attribution and detection. Runtime API resolution and payload obfuscation make static-detection tools less effective, while encrypted transfer channels and anonymized routing hinder simple network-based detection and attribution. The attack fits the profile of targeted espionage and long-term access operations rather than opportunistic disruption: it emphasizes stealth, persistence, and flexible remote control. In the current landscape, this represents a continued trend in which document-based vectors remain effective initial access mechanisms and backdoor tooling increasingly pairs standard remote-access protocols with anonymizing transports to combine convenience and stealth. The technical artifacts reported show consistent design choices aimed at minimizing forensic visibility while maximizing remote operator flexibility.
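Because the backdoor resolves APIs at runtime and encrypts its transport, the most reliable signal for this chain is behavioural: an Office process spawning a script host that then writes an autostart Run key. The following is an added detection example, not code from the referenced report; the key=value log format, host names, paths and registry values are constructed to resemble Sysmon process-create (event 1) and registry-set (event 13) telemetry.

```python
import re
from ntpath import basename

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# key=value pairs; values may contain spaces, so stop before the next "key=".
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

# Constructed sample telemetry (not from the report): one event per line.
SAMPLE_LOGS = r"""host=WS01 event=1 pid=4012 image=C:\Program Files\Microsoft Office\WINWORD.EXE parent_image=C:\Windows\explorer.exe
host=WS01 event=1 pid=4100 image=C:\Windows\System32\wscript.exe parent_image=C:\Program Files\Microsoft Office\WINWORD.EXE
host=WS01 event=13 pid=4100 image=C:\Windows\System32\wscript.exe target=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\svchost details=C:\Users\u\AppData\Roaming\svchost.exe
host=WS02 event=1 pid=800 image=C:\Windows\System32\cscript.exe parent_image=C:\Windows\System32\cmd.exe
host=WS02 event=13 pid=800 image=C:\Windows\System32\cscript.exe target=HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater details=C:\tools\upd.exe
"""

def parse_event(line):
    """Parse one 'key=value key=value' line into a dict."""
    return dict(KV_RE.findall(line))

def detect_dropper_chain(log_text):
    """Return alerts for script hosts that write a Run/RunOnce autostart key.

    Severity is 'high' when that script host was spawned by an Office
    application (lure document -> dropper -> persistence), else 'medium'.
    """
    office_spawned = set()  # (host, pid) of script hosts with an Office parent
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev:
            continue
        key = (ev["host"], ev["pid"])
        image = basename(ev.get("image", "")).lower()
        if ev["event"] == "1":
            parent = basename(ev.get("parent_image", "")).lower()
            if image in SCRIPT_HOSTS and parent in OFFICE_PARENTS:
                office_spawned.add(key)
        elif ev["event"] == "13" and image in SCRIPT_HOSTS:
            if RUN_KEY_RE.search(ev.get("target", "")):
                alerts.append({
                    "host": ev["host"], "pid": ev["pid"],
                    "severity": "high" if key in office_spawned else "medium",
                    "run_key": ev["target"], "payload": ev.get("details", ""),
                })
    return alerts

if __name__ == "__main__":
    for alert in detect_dropper_chain(SAMPLE_LOGS):
        print(alert)
```

The medium-severity path keeps any script host writing a Run key visible, so a dropper launched from a non-Office parent is still surfaced for triage.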
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-Technique Name |
| --- | --- | --- | --- |
| Resource Development | T1588.002 | Obtain Capabilities | Tool |
| | T1583.001 | Acquire Infrastructure | Domains |
| | T1587.001 | Develop Capabilities | Malware |
| Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
| Execution | T1204.002 | User Execution | Malicious File |
| | T1059.005 | Command and Scripting Interpreter | Visual Basic |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Defense Evasion | T1027.010 | Obfuscated Files or Information | Command Obfuscation |
| | T1036.005 | Masquerading | Match Legitimate Name or Location |
| | T1564.001 | Hide Artifacts | Hidden Files and Directories |
| Credential Access | T1555.003 | Credentials from Password Stores | Credentials from Web Browsers |
| Discovery | T1082 | System Information Discovery | - |
| | T1083 | File and Directory Discovery | - |
| | T1016 | System Network Configuration Discovery | - |
| Collection | T1005 | Data from Local System | - |
| | T1113 | Screen Capture | - |
| | T1560.001 | Archive Collected Data | Archive via Utility |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| | T1102.002 | Web Service | Bidirectional Communication |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | - |
MBC MAPPING:
| Objective | Behavior ID | Behavior |
| --- | --- | --- |
| Initial Access | E1204 | User Execution |
| Execution | E1059 | Command and Scripting Interpreter |
| Persistence | F0012 | Registry Run Keys |
| | F0013 | Scheduled Tasks |
| Defense Evasion | E1027 | Obfuscated Files/Information |
| | B0003 | Dynamic Analysis Evasion |
| | F0004 | Disable Security Tools |
| Discovery | E1082 | System Information Discovery |
| Credential Access | E1055 | Process Injection |
| Collection | E1083 | File/Directory Discovery |
| | E1113 | Screen Capture |
| Lateral Movement | E1105 | Ingress Tool Transfer |
| Command & Control | B0031 | Domain Name Generation |
| | C0002 | HTTP Communication |
| Exfiltration | E1020 | Automated Exfiltration |
REFERENCES:
The following report contains further technical details:
https://cyble.com/blog/weaponized-military-documents-deliver-backdoor/