Weaponized Military Documents Deliver Advanced SSH-Tor Backdoor

Nov. 5, 2025, 9:51 p.m.

Description

A sophisticated cyber attack targeting the defense sector was identified in October 2025. It uses a weaponized ZIP archive disguised as a military document. The multi-stage attack employs advanced evasion techniques and deploys a complex infrastructure that combines OpenSSH for Windows with a customized Tor hidden service. The malware establishes persistent backdoor access, allowing anonymous remote access over SSH, RDP, SFTP, and SMB. The lure document targets Belarusian Air Force drone experts, suggesting intelligence gathering on regional UAV capabilities. The attack's tactics, techniques, and procedures align with those of Sandworm (APT44), a Russian-linked APT group, although definitive attribution remains uncertain at this stage.

Date

  • Created: Nov. 5, 2025, 12:36 p.m.
  • Published: Nov. 5, 2025, 12:36 p.m.
  • Modified: Nov. 5, 2025, 9:51 p.m.

Attack Patterns

Additional Information

  • Defense
  • Belarus