Operation SkyCloak: Tor Campaign Targets Military of Russia & Belarus

    Date: 11/05/2025

    Severity: High

    Summary

    Our Labs team uncovered a campaign targeting military personnel in Russia and Belarus, particularly the Russian Airborne Forces and Belarusian Special Forces. The infection chain exposes multiple local services via Tor using obfs4 bridges, enabling anonymous communication through onion addresses. This blog examines the multi-stage PowerShell-based infection process, victim lures, and the use of hidden SSH services to maintain persistence. Several similar region-focused campaigns have emerged in 2025, including HollowQuill, which targeted Russian academic and defense-linked institutions. In July, a campaign dubbed CargoTalon targeted Russia’s aerospace and defense sectors, deploying the Eaglet implant with links to the HeadMare group. More recently, Operation MotorBeacon has focused on Russia’s automobile and e-commerce industries using the CAPI Backdoor.

    Indicators of Compromise (IOC) List

    IP Address : 

    77.20.116.133

    156.67.24.239 

    146.59.116.226 

    142.189.114.119

    Hash :

    MD5 :

    952f86861feeaf9821685cc203d67004

    d246dfa9e274c644c5a9862350641bac

    8716989448bc88ba125aead800021db0

    ae4f82f9733e0f71bb2a566a74eb055c

    32bdbf5c26e691cbbd451545bca52b56

    2731b3e8524e523a84dc7374ae29ac23

    39937e199b2377d1f212510f1f2f7653

    9242b49e9581fa7f2100bd9ad4385e8c

    b61a80800a1021e9d0b1f5e8524c5708

    b52dfb562c1093a87b78ffb6bfc78e07

    45b16a0b22c56e1b99649cca1045f500

    dcdf4bb3b1e8ddb24ac4e7071abd1f65

    e1a8daea05f25686c359db8fa3941e1d

    b3382b6a44dc2cefdf242dc9f9bc9d84

    229afc52dccd655ec1a69a73369446dd

    f6837c62aa71f044366ac53c60765739

    2599d1b1d6fe13002cb75b438d9b80c4

    b7ae44ac55ba8acb527b984150c376e2

    0f6aaa52b05ab76020900a28afff9fff

    219e7d3b6ff68a36c8b03b116b405237

    dfc78fe2c31613939b570ced5f38472c

    77bb74dd879914eea7817d252dbab1dc

    f6c0304671c4485c04d4a1c7c8c8ed94

    cdd065c52b96614dc880273f2872619f

    37e83a8fc0e4e6ea5dab38b0b20f953b

    6eafae19d2db29f70fa24a95cf71a19d

    664f09734b07659a6f75bca3866ae5e8

    23ad48b33d5a6a8252ed5cd38148dcb7

    c8c41b7e02fc1d98a88f66c3451a081b

    SHA256 :

    30a5df544f4a838f9c7ce34377ed2668e0ba22cc39d1e26b303781153808a2c4

    a939d1edcc422772124a373be68b7cb38110639db8b1f4b5dca0b7e94b8399e3

    e555083bdb62cf9df6aa7101908d9dbb89f55788ddab2e3288d57e48d43abd35

    f8dc5e9747ca7ea00c88817472d273c570fec6899134f419cd1ae98235db1830

    99ec6437f74eec19e33c1a0b4ac8826bcc44848f87cd1a1c2b379fae9df62de9

    f44fa352c430d5f34462143daa726660be9d1bd0666ab2f3672df47adde55986

    7269b4bc6b3036e5a2f8c2a7908a439202cee9c8b9e50b67c786c39f2500df8f

    0b9df542755298cd0b087681efbfaf91d35209966ff3bd8368ba65bcc0536a59

    fdbb5d65ee611b35ccca6dd00ee0f9288dbaef8be9d8a247b067c8de3826759f

    a250eb4fa9e270006defb04f5cc8eaa56bb016697f4e97739ca49d7d8ff3c11f

    949bc47d0cbbca0eeb73e18722fe2aa45c7681344bfa0e3bc9a7f9a4a8a88341

    51f02908ff27e270999ce9b796d92ec866d397aaf42af8b3eb2654463e1c53fd

    2f1a2fc130eeef678c44d2f1a43be64283b13db001b6facd9c1e7135672d88f5

    21ce085622d3ce447f36552290f2c22bc4bda5e176620a5683bc3ed995d10344

    a68a72f845931408740870dbd3f0eac3b7acdbae3fdc8ea86aa8dfe48d351ce6

    0ff79b5a5af723654a6a6b8ce879a0aed2b009cee93dc9a8452b7dc7608f7aae

    710e8c96875d6a3c1b4f08f4b2094c800658551065b20ef3fd450b210dcc7b9a

    7946a2275c1c232eebed6ead95ea4723285950175586db1f95354b910b0a3cce

    a0eed0e1ef8fc4129f630e6f68c29c357c717df0fe352961e92e7f8c93e5371b

    feae0baf291ff54a1366f0cd628665d2b1c9fe279ce2544d4f84c7aa46064f3c

    5d3a6340691840d1a87bfab543faec77b4a9d457991dd938834de820a99685f7

    f889e06affd416bbbb49361639ab67e61ea9c5e989f87d5eeefd4fba5491c77a

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    dstipaddress IN ("77.20.116.133","156.67.24.239","146.59.116.226","142.189.114.119") or srcipaddress IN ("77.20.116.133","156.67.24.239","146.59.116.226","142.189.114.119") 

    Detection Query 2:

    md5hash IN ("f6c0304671c4485c04d4a1c7c8c8ed94","32bdbf5c26e691cbbd451545bca52b56","dcdf4bb3b1e8ddb24ac4e7071abd1f65","b61a80800a1021e9d0b1f5e8524c5708","d246dfa9e274c644c5a9862350641bac","ae4f82f9733e0f71bb2a566a74eb055c","952f86861feeaf9821685cc203d67004","b52dfb562c1093a87b78ffb6bfc78e07","664f09734b07659a6f75bca3866ae5e8","cdd065c52b96614dc880273f2872619f","45b16a0b22c56e1b99649cca1045f500","39937e199b2377d1f212510f1f2f7653","2731b3e8524e523a84dc7374ae29ac23","8716989448bc88ba125aead800021db0","9242b49e9581fa7f2100bd9ad4385e8c","e1a8daea05f25686c359db8fa3941e1d","b3382b6a44dc2cefdf242dc9f9bc9d84","229afc52dccd655ec1a69a73369446dd","f6837c62aa71f044366ac53c60765739","2599d1b1d6fe13002cb75b438d9b80c4","b7ae44ac55ba8acb527b984150c376e2","0f6aaa52b05ab76020900a28afff9fff","219e7d3b6ff68a36c8b03b116b405237","dfc78fe2c31613939b570ced5f38472c","77bb74dd879914eea7817d252dbab1dc","37e83a8fc0e4e6ea5dab38b0b20f953b","6eafae19d2db29f70fa24a95cf71a19d","23ad48b33d5a6a8252ed5cd38148dcb7","c8c41b7e02fc1d98a88f66c3451a081b")

    Detection Query 3:

    sha256hash IN ("2f1a2fc130eeef678c44d2f1a43be64283b13db001b6facd9c1e7135672d88f5","f8dc5e9747ca7ea00c88817472d273c570fec6899134f419cd1ae98235db1830","7269b4bc6b3036e5a2f8c2a7908a439202cee9c8b9e50b67c786c39f2500df8f","f44fa352c430d5f34462143daa726660be9d1bd0666ab2f3672df47adde55986","7946a2275c1c232eebed6ead95ea4723285950175586db1f95354b910b0a3cce","99ec6437f74eec19e33c1a0b4ac8826bcc44848f87cd1a1c2b379fae9df62de9","a250eb4fa9e270006defb04f5cc8eaa56bb016697f4e97739ca49d7d8ff3c11f","710e8c96875d6a3c1b4f08f4b2094c800658551065b20ef3fd450b210dcc7b9a","30a5df544f4a838f9c7ce34377ed2668e0ba22cc39d1e26b303781153808a2c4","949bc47d0cbbca0eeb73e18722fe2aa45c7681344bfa0e3bc9a7f9a4a8a88341","51f02908ff27e270999ce9b796d92ec866d397aaf42af8b3eb2654463e1c53fd","0b9df542755298cd0b087681efbfaf91d35209966ff3bd8368ba65bcc0536a59","21ce085622d3ce447f36552290f2c22bc4bda5e176620a5683bc3ed995d10344","a68a72f845931408740870dbd3f0eac3b7acdbae3fdc8ea86aa8dfe48d351ce6","0ff79b5a5af723654a6a6b8ce879a0aed2b009cee93dc9a8452b7dc7608f7aae","a0eed0e1ef8fc4129f630e6f68c29c357c717df0fe352961e92e7f8c93e5371b","feae0baf291ff54a1366f0cd628665d2b1c9fe279ce2544d4f84c7aa46064f3c","5d3a6340691840d1a87bfab543faec77b4a9d457991dd938834de820a99685f7","f889e06affd416bbbb49361639ab67e61ea9c5e989f87d5eeefd4fba5491c77a","a939d1edcc422772124a373be68b7cb38110639db8b1f4b5dca0b7e94b8399e3","e555083bdb62cf9df6aa7101908d9dbb89f55788ddab2e3288d57e48d43abd35","0b9df542755298cd0b087681efbfaf91d35209966ff3bd8368ba65bcc0536a59","fdbb5d65ee611b35ccca6dd00ee0f9288dbaef8be9d8a247b067c8de3826759f")
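The three queries above express one idea: match the advisory's IP and hash indicators against network and endpoint telemetry. As an added example (not part of the advisory, and not Gurucul's query language), the Python below applies the same checks to constructed log lines offline. It carries a representative subset of the advisory's IOC values; the log format, field names and every log line are constructed for this example. It also handles two details the queries leave to the platform: hashes are matched case-insensitively, and the hash type (MD5 vs SHA256) is inferred from length.

```python
import re
from dataclasses import dataclass

# Representative subset of the advisory's IOC list (not the full list).
IOC_IPS = {
    "77.20.116.133", "156.67.24.239", "146.59.116.226", "142.189.114.119",
}
IOC_MD5 = {
    "952f86861feeaf9821685cc203d67004",
    "d246dfa9e274c644c5a9862350641bac",
    "6eafae19d2db29f70fa24a95cf71a19d",
}
IOC_SHA256 = {
    "30a5df544f4a838f9c7ce34377ed2668e0ba22cc39d1e26b303781153808a2c4",
    "0b9df542755298cd0b087681efbfaf91d35209966ff3bd8368ba65bcc0536a59",
}

# Any dotted-quad, and any 32- or 64-character hex run (MD5 / SHA256 lengths).
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HEX_RE = re.compile(r"\b[0-9a-fA-F]{32}\b|\b[0-9a-fA-F]{64}\b")


@dataclass(frozen=True)
class Finding:
    line_no: int
    ioc_type: str  # "ip", "md5" or "sha256"
    value: str


def classify_hash(h):
    """Return the IOC type if the (lower-cased) hash is a known indicator, else None."""
    h = h.lower()
    if len(h) == 32 and h in IOC_MD5:
        return "md5"
    if len(h) == 64 and h in IOC_SHA256:
        return "sha256"
    return None


def scan_line(line_no, line):
    """Mirror detection queries 1-3 on a single log line: match src/dst IPs and hashes."""
    findings = []
    for ip in sorted(set(IPV4_RE.findall(line))):
        if ip in IOC_IPS:
            findings.append(Finding(line_no, "ip", ip))
    for h in sorted({m.lower() for m in HEX_RE.findall(line)}):
        kind = classify_hash(h)
        if kind:
            findings.append(Finding(line_no, kind, h))
    return findings


def scan_log(text):
    """Scan a multi-line log and return every IOC hit in line order."""
    out = []
    for n, line in enumerate(text.splitlines(), start=1):
        out.extend(scan_line(n, line))
    return out


def summarize(findings):
    """Count hits per IOC type, e.g. {'ip': 2, 'md5': 1, 'sha256': 1}."""
    counts = {}
    for f in findings:
        counts[f.ioc_type] = counts.get(f.ioc_type, 0) + 1
    return counts


# Constructed sample log (hypothetical firewall and EDR lines; not from the advisory).
# Line 3 deliberately carries an upper-case MD5 to exercise case-insensitive matching.
SAMPLE_LOG = """\
2025-11-05T10:01:02Z fw action=allow src=10.0.0.15 dst=156.67.24.239 dport=443 proto=tcp
2025-11-05T10:01:05Z fw action=allow src=10.0.0.15 dst=93.184.216.34 dport=443 proto=tcp
2025-11-05T10:02:10Z edr event=process_create image=C:\\Users\\u\\Downloads\\lure.exe md5=952F86861FEEAF9821685CC203D67004
2025-11-05T10:02:11Z edr event=file_write path=C:\\ProgramData\\x.dll sha256=30a5df544f4a838f9c7ce34377ed2668e0ba22cc39d1e26b303781153808a2c4
2025-11-05T10:03:00Z fw action=deny src=77.20.116.133 dst=10.0.0.15 dport=22 proto=tcp
"""

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f"line {f.line_no}: {f.ioc_type} {f.value}")
    print(summarize(hits))
```

Both source and destination addresses are checked, as in query 1, so an inbound connection from an indicator (line 5, even though denied) is reported alongside outbound hits. In a real pipeline the IOC sets would be loaded from the advisory's full list rather than embedded.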

    Reference:

    https://www.seqrite.com/blog/operation-skycloak-tor-campaign-targets-military-of-russia-belarus/


    Tags

    Threat Actor, Backdoor, SkyCloak, Russia, Belarus, obfs4 bridge, HollowQuill, CargoTalon, HeadMare, CAPI Backdoor, MotorBeacon, Defense Industrial Base, Education, Critical Manufacturing
