Cyber-Espionage Attack Mimics Sandworm Hits Russian, Belarusian Forces

Summary
– A spear-phishing campaign targeted Russian and Belarusian military personnel using military-themed documents as lures to deliver malicious files.
– Attackers used weaponized ZIP archives containing booby-trapped LNK files disguised as PDFs to initiate system compromise through PowerShell scripts.
– The malware establishes persistence, deploys OpenSSH for backdoor access, and creates Tor hidden services for remote control and data exfiltration.
– Security researchers identified similarities to previous Russian-linked campaigns but could not definitively attribute this attack to any specific group.
– Targets included Russian Airborne Forces and Belarusian Special Forces personnel specializing in drone operations.
A sophisticated spear-phishing operation has been uncovered targeting Russian and Belarusian military personnel, using weaponized documents disguised as legitimate military correspondence. Security firms Cyble and Seqrite identified this campaign, which delivers a malicious LNK file masquerading as a PDF to achieve full system control. The attack begins when targets download and open what appears to be a routine military document, triggering a multi-stage infection process.
The campaign, first detected in October 2025 by Cyble Research and Intelligence Labs, involved a ZIP archive containing a file named “ТЛГ на убытие на переподготовку.pdf.lnk” (TLG for departure for retraining.pdf). This Windows shortcut file launches PowerShell to execute a script designed to evade automated analysis environments. If the script determines it is not running in a sandbox, it proceeds to open a decoy PDF while simultaneously executing several malicious activities in the background.
The malware establishes persistence through a scheduled task mechanism and deploys a legitimate OpenSSH for Windows binary. This SSH service is configured to listen on port 20321 and is restricted to RSA key-based authentication, ensuring only the threat actor with the corresponding private key can access it. Additionally, the malware creates a Tor hidden service (.onion address) and sets up port forwarding for critical Windows services including RDP, SFTP, and SMB. This allows the attacker to gain full interactive desktop access, exfiltrate sensitive documents, deploy further malware, and attempt lateral movement within the network.
Seqrite Labs discovered another component of the same campaign, which used a different lure: a letter purportedly from an acting commander of a Russian military unit to the Chief of Russian Airborne Forces (VDV). This file, named “Исх №6626 Представление на назначение на воинскую должность.pdf.lnk” (Ref. No. 6626 Nomination for appointment to military position.pdf.lnk), follows an identical infection chain to compromise the target’s system.
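As an added detection example (not code from the Cyble, Seqrite or HelpNet Security reports), the Python rules below flag the observable stages of the chain described above on constructed endpoint telemetry: a document extension immediately before .lnk, PowerShell spawned from explorer.exe, sshd.exe listening on a port other than 22, and a torrc that forwards a hidden-service port to RDP, SMB or SSH. The record schema, file paths and the PowerShell switches checked are assumptions; only the file names, port 20321 and the forwarded services come from the reports.

```python
import re
# Rule 1: document extension immediately before .lnk (e.g. "...pdf.lnk")
DOUBLE_EXT_LNK = re.compile(r"\.(pdf|docx?|xlsx?|rtf)\.lnk$", re.IGNORECASE)
# Rule 4: torrc line exposing a local port as a hidden-service port
HS_PORT = re.compile(r"^\s*HiddenServicePort\s+\d+\s+[\d.]+:(\d+)", re.IGNORECASE)
# Local services the campaign forwarded over Tor (SSH port 20321 from the report)
SENSITIVE_PORTS = {3389: "RDP", 445: "SMB", 22: "SFTP/SSH", 20321: "SFTP/SSH"}
# Assumed PowerShell switches; the reports do not quote the actual command line
SUSPICIOUS_PS = ("-w hidden", "-windowstyle hidden", "-ep bypass", "-executionpolicy bypass")

def check_event(ev: dict) -> list:
    """Return alert strings for one telemetry record (constructed schema)."""
    alerts = []
    kind = ev.get("type")
    path = ev.get("path", "")
    image = ev.get("image", "").lower()
    if kind == "file_create" and DOUBLE_EXT_LNK.search(path):
        alerts.append(f"double-extension LNK posing as a document: {path}")
    # Rule 2: a shortcut double-click shows up as explorer.exe spawning PowerShell
    if kind == "process_start" and image.endswith("powershell.exe"):
        cmd = ev.get("cmdline", "").lower()
        if ev.get("parent", "").lower().endswith("explorer.exe") and any(s in cmd for s in SUSPICIOUS_PS):
            alerts.append(f"hidden/bypass PowerShell spawned by explorer.exe: {cmd}")
    # Rule 3: OpenSSH for Windows listening somewhere other than port 22
    if kind == "listen" and image.endswith("sshd.exe") and ev.get("port") != 22:
        alerts.append(f"sshd.exe listening on non-standard port {ev.get('port')}")
    if kind == "file_write" and path.lower().endswith("torrc"):
        for line in ev.get("content", "").splitlines():
            m = HS_PORT.match(line)
            if m and int(m.group(1)) in SENSITIVE_PORTS:
                alerts.append(f"Tor hidden service exposes {SENSITIVE_PORTS[int(m.group(1))]}: {line.strip()}")
    return alerts

def scan(events) -> list:
    """Run every rule over a sequence of records and collect the alerts."""
    return [alert for ev in events for alert in check_event(ev)]

# Constructed sample telemetry modelled on the reported chain (paths are made up)
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\Users\analyst\Downloads\ТЛГ на убытие на переподготовку.pdf.lnk"},
    {"type": "process_start", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "powershell.exe -w hidden -ep bypass -c <script>"},
    {"type": "listen", "image": r"C:\ProgramData\ssh\sshd.exe", "port": 20321},
    {"type": "file_write", "path": r"C:\ProgramData\tor\torrc",
     "content": "HiddenServiceDir C:\\ProgramData\\tor\\hs\nHiddenServicePort 3389 127.0.0.1:3389\nHiddenServicePort 445 127.0.0.1:445\n"},
    {"type": "file_create", "path": r"C:\Users\analyst\Documents\report.pdf"},  # benign, no alert
]
```

Running `scan(SAMPLE_EVENTS)` yields five alerts for the four malicious records (the torrc produces one per forwarded service) and none for the benign PDF.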
The primary targets of this campaign were identified as military personnel in the Russian Airborne Forces and Belarusian Special Forces specializing in UAV (drone) operations. Researchers noted similarities between this operation and previous campaigns attributed to the Russian Sandworm team, which targeted Ukrainian entities. However, definitive attribution remains unclear at this stage. Cyble researchers highlighted these parallels but stopped short of assigning blame to any specific group.
Seqrite analysts pointed out that while Russian-linked threat actors like APT44 (Sandworm) and APT28 have historically used Tor for communication, this campaign featured custom configurations for pluggable transport and SSHD services. They also observed that pro-Ukraine advanced persistent threat groups Angry Likho (Sticky Werewolf) and Awaken Likho (Core Werewolf) have engaged in similar targeting, though the origin of this particular attack remains officially unattributed.
(Source: HelpNet Security)
