Executive Summary
In November 2025, a sophisticated cyber campaign dubbed 'Operation SkyCloak' was uncovered, targeting Russian and Belarusian defense sectors. Attackers distributed weaponized attachments via phishing emails, successfully implanting a persistent OpenSSH-based backdoor on compromised hosts. To conceal its activity, the malware leverages a customized Tor hidden service with obfs4 protocol, facilitating covert command-and-control and persistent unauthorized access. This campaign demonstrates advanced threat actor operational security, targeting high-value government and defense assets to enable espionage and data exfiltration.
The use of Tor-reachable backdoors in attacks on defense targets is increasing, marking a shift towards covert, hard-to-attribute command-and-control. This incident exemplifies the growing adoption of anonymized infrastructure by attackers to evade detection, and highlights the need for east-west traffic inspection, behaviour-based threat detection, and zero trust segmentation in critical sectors.
Why This Matters Now
The deployment of Tor-enabled OpenSSH backdoors targeting defense sectors shows adversaries are escalating efforts to evade traditional detection and persist within segmented environments. As covert malware tactics become more common, organizations must urgently bolster segmentation, encrypted traffic inspection, and anomaly detection to minimize risk of advanced, persistent attacks.
Attack Path Analysis
The attack initiated with weaponized phishing emails delivering malware to defense sector targets, resulting in initial compromise. Attackers likely leveraged the initial access to escalate privileges and establish persistent backdoors using OpenSSH. Once inside, they moved laterally across cloud workloads and regions, remaining covert through east-west traffic. Command and control was maintained via a Tor hidden service with obfs4, tunneling activity and evading detection. Exfiltration or further malicious actions used encrypted channels to siphon or stage sensitive data. The overall impact included long-term persistence, data theft risk, and possible disruption within critical defense cloud infrastructure.
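The covert channel described above is a Tor hidden service that forwards an .onion port onto a locally listening SSH daemon, with obfs4 pluggable transports to reach the Tor network. On a host, that arrangement leaves a recognisable footprint in the Tor configuration file. The torrc below is a constructed sample in that shape; the paths, ports and bridge line are placeholders, not indicators from the campaign. The audit function is an added example written for this page, not tooling from the cited sources: it flags HiddenServicePort lines that expose an SSH listener over Tor and any obfs4 configuration, and it takes the host's actual sshd listening ports as input (assumed here to be 2222) because a backdoor need not use port 22.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample torrc (not an artifact from the campaign). Paths, ports,
# fingerprint and cert value are placeholders chosen for illustration.
SAMPLE_TORRC = """\
DataDirectory /var/tmp/.cache/td
HiddenServiceDir /var/tmp/.cache/hs
HiddenServicePort 22 127.0.0.1:2222
UseBridges 1
ClientTransportPlugin obfs4 exec /var/tmp/.cache/obfs4proxy
Bridge obfs4 192.0.2.10:443 0123456789ABCDEF0123456789ABCDEF01234567 cert=placeholder iat-mode=0
"""

# A torrc that only runs a local SOCKS proxy produces no findings.
BENIGN_TORRC = "SocksPort 9050\nLog notice file /var/log/tor/notices.log\n"


@dataclass(frozen=True)
class Finding:
    kind: str       # what was matched
    severity: str   # 'high' or 'medium'
    line_no: int    # 1-based line in the torrc
    detail: str


def _target_port(virt_port: int, target: Optional[str]) -> Optional[int]:
    """Resolve the local TCP port a HiddenServicePort line forwards to.

    Tor's syntax is 'HiddenServicePort VIRTPORT [TARGET]'; TARGET may be
    'addr:port', a bare port, or a unix socket. With no TARGET, tor forwards
    to 127.0.0.1:VIRTPORT.
    """
    if target is None:
        return virt_port
    if target.startswith("unix:"):
        return None
    _host, sep, port = target.rpartition(":")
    return int(port if sep else target)


def audit_torrc(text: str, ssh_listen_ports=frozenset({22})) -> List[Finding]:
    """Scan a torrc for a hidden service that exposes SSH, and for obfs4 use."""
    findings: List[Finding] = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        key, args = parts[0].lower(), parts[1:]
        if key == "hiddenserviceport" and args:
            virt = int(args[0])
            tgt = _target_port(virt, args[1] if len(args) > 1 else None)
            detail = f"onion port {virt} -> local port {tgt}"
            if virt == 22 or tgt in ssh_listen_ports:
                findings.append(Finding("hidden_service_to_ssh", "high", no, detail))
            else:
                # Any onion service on an endpoint is worth a look, even if not SSH.
                findings.append(Finding("hidden_service_port", "medium", no, detail))
        elif key == "clienttransportplugin" and args and args[0].lower() == "obfs4":
            findings.append(Finding("obfs4_transport", "medium", no, " ".join(args)))
        elif key == "bridge" and args and args[0].lower() == "obfs4":
            findings.append(Finding("obfs4_bridge", "medium", no, args[1] if len(args) > 1 else ""))
    return findings


if __name__ == "__main__":
    for f in audit_torrc(SAMPLE_TORRC, ssh_listen_ports={2222}):
        print(f"[{f.severity}] line {f.line_no}: {f.kind} ({f.detail})")
```

The two signals are independent: a hidden service forwarding to sshd is the backdoor itself, while obfs4 bridge lines show the operator expected its Tor traffic to be scrutinised. In a hunt, run this over every torrc found on disk (attacker-dropped copies rarely live in the package default path) and pair it with the process list, since the page's point is that the Tor and OpenSSH binaries are both attacker-supplied.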
Kill Chain Progression
Initial Compromise
Description
Phishing emails were used to deliver weaponized attachments, granting attackers initial access to cloud workloads targeted in the defense sector.
Related CVEs
Listed for context: the summary above describes an attacker-deployed OpenSSH instance reached through a Tor hidden service, not exploitation of a vulnerable sshd on the victim. Treat the entries below as patch priorities for any exposed OpenSSH, not as confirmed SkyCloak exploitation vectors.

CVE-2024-6387
CVSS 9.8. A signal handler race condition in OpenSSH's sshd allows unauthenticated remote attackers to execute arbitrary code as root.
Affected Products: OpenSSH 8.5p1 to 9.7p1 (fixed in 9.8p1)
Exploit Status: exploited in the wild

CVE-2025-26465
CVSS 7.5. When VerifyHostKeyDNS is enabled, a man-in-the-middle attacker can impersonate a server to the OpenSSH client by bypassing host key verification, and can then intercept and modify the session.
Affected Products: OpenSSH 6.8p1 to 9.9p1 (fixed in 9.9p2)
Exploit Status: proof of concept

CVE-2025-26466
CVSS 7.5. A pre-authentication denial-of-service vulnerability in OpenSSH (client and server) allows remote attackers to cause excessive CPU and memory consumption.
Affected Products: OpenSSH 9.5p1 to 9.9p1 (fixed in 9.9p2)
Exploit Status: proof of concept
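As an added example for this page (not from the cited sources), the helper below maps an SSH server banner or `ssh -V` string onto the version ranges listed above and returns the CVEs whose range covers it. Two caveats a practitioner should keep in mind: the table encodes only the ranges this page lists, and distribution builds routinely backport fixes without changing the upstream version string, so a match means "check the package changelog", not "confirmed vulnerable".

```python
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]   # (major, minor, portable release)

# Inclusive affected ranges as listed on this page. The 'p' suffix is the
# portable release number; a missing suffix is treated as p0 so that it sorts
# before p1 of the same release.
AFFECTED = {
    "CVE-2024-6387":  ((8, 5, 1), (9, 7, 1)),
    "CVE-2025-26465": ((6, 8, 1), (9, 9, 1)),
    "CVE-2025-26466": ((9, 5, 1), (9, 9, 1)),
}

_VER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")


def parse_version(banner: str) -> Optional[Version]:
    """Extract (major, minor, portable) from a banner such as
    'SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13' or an 'ssh -V' line.

    Returns None when the string carries no OpenSSH version (other servers,
    or banners deliberately stripped of version information).
    """
    m = _VER_RE.search(banner)
    if not m:
        return None
    major, minor, portable = m.groups()
    return (int(major), int(minor), int(portable) if portable else 0)


def affected_cves(banner: str) -> List[str]:
    """Return the page-listed CVEs whose version range covers the banner's version.

    An empty list means either 'not OpenSSH' or 'outside every listed range';
    callers that need to distinguish the two should call parse_version() first.
    """
    ver = parse_version(banner)
    if ver is None:
        return []
    return sorted(cve for cve, (lo, hi) in AFFECTED.items() if lo <= ver <= hi)


if __name__ == "__main__":
    for banner in ("SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13", "SSH-2.0-OpenSSH_9.9p2"):
        print(banner, "->", affected_cves(banner) or "no listed CVE")
```

Tuple comparison does the range work: 9.9p2 is (9, 9, 2), which is greater than the (9, 9, 1) upper bound of both 2025 CVEs, so a patched 9.9p2 correctly falls outside every range while 9.9p1 falls inside both.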
MITRE ATT&CK® Techniques
Phishing: Spearphishing Attachment (T1566.001)
User Execution (T1204)
Command and Scripting Interpreter (T1059)
Account Manipulation (T1098)
Server Software Component: Web Shell (T1505.003)
Encrypted Channel (T1573)
Non-Standard Port (T1571)
Data Encoding: Non-Standard Encoding (T1132.002)
Proxy: Multi-hop Proxy (T1090.003)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Malicious Email Controls
Control ID: 5.3.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (EU Digital Operational Resilience Act) – ICT Risk Management Measures
Control ID: Art. 9(2)(c)
CISA Zero Trust Maturity Model 2.0 – User and Device Authentication
Control ID: Identity and Access Management
NIS2 Directive – Incident Handling Capabilities
Control ID: Article 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Defense/Space
Primary target of Operation SkyCloak's Tor-enabled OpenSSH backdoor campaign, creating persistent access vulnerabilities requiring enhanced east-west traffic security and threat detection capabilities.
Government Administration
High risk from phishing-delivered backdoors targeting Russian/Belarusian government systems, necessitating zero trust segmentation and encrypted traffic monitoring for lateral movement prevention.
Computer/Network Security
Critical infrastructure exposure to weaponized attachments and obfs4-enabled persistence mechanisms demands advanced anomaly detection and egress security policy enforcement across hybrid environments.
Information Technology/IT
Vulnerable to OpenSSH backdoor deployment through compromised systems, requiring multicloud visibility controls and Kubernetes security measures to prevent service-to-service lateral movement.
Sources
- Operation SkyCloak Deploys Tor-Enabled OpenSSH Backdoor Targeting Defense Sectors. The Hacker News, November 2025. https://thehackernews.com/2025/11/operation-skycloak-deploys-tor-enabled.html
- CERT-EU Security Advisory 2024-066. https://cert.europa.eu/publications/security-advisories/2024-066/pdf
- Qualys TRU Discovers Two Vulnerabilities in OpenSSH: CVE-2025-26465 & CVE-2025-26466. Qualys blog, 18 February 2025. https://blog.qualys.com/vulnerabilities-threat-research/2025/02/18/qualys-tru-discovers-two-vulnerabilities-in-openssh-cve-2025-26465-cve-2025-26466
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust network segmentation, east-west traffic controls, egress policy enforcement, and deep threat detection would have impeded the attacker’s ability to gain lateral movement, establish covert C2, and exfiltrate data by limiting privilege scope, monitoring unusual flows, and enforcing granular policies across workloads and cloud estates.
Control: Threat Detection & Anomaly Response
Mitigation: Early detection of suspicious activity or malware execution.
Control: Zero Trust Segmentation
Mitigation: Limited blast radius for privilege escalation attempts.
Control: East-West Traffic Security
Mitigation: Detection and enforcement prevent unauthorized east-west pivots.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound C2 channels are detected and/or blocked.
Control: Encrypted Traffic (HPE)
Mitigation: Visibility for encrypted data flows and detection of anomalous exfiltration.
Unified observability highlights persistent threats throughout cloud environments.
Impact at a Glance
Affected Business Functions
- Network Security
- Data Integrity
- Confidential Communications
Estimated downtime: 5 days
Estimated loss: $500,000
Potential exposure of sensitive defense-related information due to unauthorized remote access.
Recommended Actions
Key Takeaways & Next Steps
- Deploy zero trust segmentation and east-west traffic controls to reduce the lateral movement surface for attackers.
- Enforce egress filtering and outbound policy to block C2 communications, especially to Tor/obfuscated endpoints.
- Leverage runtime threat detection and anomaly response systems for rapid identification of suspicious behavior and persistence mechanisms.
- Apply microsegmentation and least privilege principles to data and workloads to ensure compromise is contained.
- Centralize multicloud visibility and control to enable rapid detection, containment, and remediation of backdoor and C2 activity in hybrid environments.
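The egress recommendation above deserves a concrete shape, because obfs4 is built to make Tor traffic indistinguishable from random bytes: there is no content signature or fixed port to match on, so the control has to be default-deny egress plus behaviour. The following is an added example written for this page (not tooling from the cited sources) that triages constructed flow records against an egress allowlist and escalates unapproved destinations that were reached without any preceding DNS answer (obfs4 bridges are configured as IP:port literals, so no lookup precedes the connection) and held open for a long session. The sample flows, the DNS answer set, the allowlist and the 30-minute threshold are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    duration_s: int
    bytes_out: int
    bytes_in: int


@dataclass(frozen=True)
class Alert:
    src: str
    dst: str
    dst_port: int
    severity: str            # 'high' or 'medium'
    reasons: Tuple[str, ...]


# Constructed sample telemetry (not from the campaign): four egress flows from
# two workloads, the IPs those workloads received in DNS answers, the approved
# external destinations, and the internal address space. External addresses
# are taken from documentation ranges.
FLOWS = [
    Flow("10.20.0.15", "10.20.0.5", 443, 2, 1800, 52000),            # east-west
    Flow("10.20.0.15", "203.0.113.44", 443, 1, 900, 42000),           # approved SaaS
    Flow("10.20.0.15", "198.51.100.77", 443, 7200, 260000, 240000),   # long, IP literal
    Flow("10.20.0.22", "192.0.2.9", 8443, 30, 3000, 2000),            # unapproved, brief
]
RESOLVED_IPS = {"203.0.113.44", "10.20.0.5"}
EGRESS_ALLOW = [ipaddress.ip_network("203.0.113.0/24")]
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LONG_SESSION_S = 1800   # assumption: 30 minutes counts as a long-lived session


def classify(flow: Flow, resolved_ips, egress_allow, internal_nets,
             long_session_s: int = LONG_SESSION_S) -> Optional[Alert]:
    """Default-deny egress decision plus two payload-independent features.

    Nothing here inspects content: a destination is either approved or not,
    and unapproved destinations contacted by IP literal and kept open for a
    long time are escalated to 'high'.
    """
    dst = ipaddress.ip_address(flow.dst)
    if any(dst in net for net in internal_nets):
        return None          # east-west traffic belongs to segmentation policy, not egress
    if any(dst in net for net in egress_allow):
        return None          # approved external destination
    reasons = ["destination not on egress allowlist"]
    if flow.dst not in resolved_ips:
        reasons.append("no DNS answer seen for destination (connected by IP literal)")
    if flow.duration_s >= long_session_s:
        reasons.append(f"session held open for {flow.duration_s}s")
    severity = "high" if len(reasons) == 3 else "medium"
    return Alert(flow.src, flow.dst, flow.dst_port, severity, tuple(reasons))


def triage(flows, resolved_ips, egress_allow, internal_nets) -> List[Alert]:
    """Run classify() over a batch of flows and keep only the alerts."""
    candidates = (classify(f, resolved_ips, egress_allow, internal_nets) for f in flows)
    return [a for a in candidates if a is not None]


if __name__ == "__main__":
    for a in triage(FLOWS, RESOLVED_IPS, EGRESS_ALLOW, INTERNAL_NETS):
        print(f"[{a.severity}] {a.src} -> {a.dst}:{a.dst_port}: " + "; ".join(a.reasons))
```

The ordering of the checks is the design point: the allowlist miss alone is already a policy violation worth a medium alert (and, with enforcement, a dropped connection), while the DNS and duration features only decide how loudly to raise it. Correlating with DNS logs is what separates a misconfigured but legitimate client from a bridge connection, since legitimate software almost always resolves a name first.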