Hackers Deploy SSH-Tor Backdoor Hidden in Weaponized ZIP Military Files

Quick Takeaways

1. In October 2025, Cyble uncovered a sophisticated cyberattack targeting defense personnel, using weaponized military documents to deploy an advanced SSH-Tor backdoor via a disguised ZIP archive.

2. The attack employs social engineering, nested ZIP archives, LNK files, and anti-analysis checks to evade detection and establish persistent, anonymous access to compromised systems.

3. The malware leverages OpenSSH and obfuscated Tor hidden services, enabling threat actors to control infected systems through SSH, RDP, SFTP, and SMB protocols; no secondary payloads were observed.

4. Attributed with moderate confidence to the Russian-linked Sandworm group (UAC-0125/APT44), this campaign demonstrates evolving, state-sponsored cyber espionage techniques aiming for long-term stealth and access.

The Issue

In October 2025, cybersecurity researchers at Cyble identified a highly sophisticated cyberattack targeting defense personnel, specifically those involved in unmanned aerial vehicle operations within the Special Operations Command. The attack cleverly disguises malicious documents as legitimate Belarusian military files, tricking recipients into opening ZIP archives labeled “ТЛГ на убытие на переподготовку.pdf.” Once opened, the malware employs advanced techniques such as nested archives, LNK files, and PowerShell scripts that detect and evade automated analysis environments, ensuring only real-use systems are compromised. The embedded malware uses OpenSSH for Windows and a customized Tor hidden service with obfuscation, granting the attackers anonymous access to sensitive protocols like SSH, RDP, and SFTP. Cyble’s investigations suggest that this operation is likely linked to the Russian-affiliated group Sandworm (UAC-0125/APT44), which has a storied history of targeting Ukrainian military and critical infrastructure. The attackers’ methodical approach, marked by familiar tactics from their December 2024 campaign, underscores their ongoing effort to refine covert operations, maintaining persistence on compromised systems through scheduled tasks and environmental checks designed to thwart detection and maintain long-term access.

This report is compiled by Cyble’s threat research team, who traced the origin, methodology, and intent behind this attack, revealing a calculated effort by a state-sponsored cyber espionage group to infiltrate high-security defense environments. The attack’s complexity—building on previous campaigns—illustrates a continuous pattern of evolving cyber-espionage strategies aimed at collecting intelligence on military operations, particularly focusing on drone technology and critical defense infrastructure. The researchers emphasize that these tactics are tailored to evade conventional detection systems, making the threat particularly concerning for national security and military cybersecurity defenses.

Risk Summary

The emergence of hackers deploying SSH-Tor backdoors through weaponized military documents embedded in ZIP files represents a severe threat to any business, as it exposes critical systems to covert infiltration, data breaches, and persistent espionage. When malicious actors disguise malicious code within seemingly innocuous files, they can systematically bypass security defenses, establish hidden backdoors using the SSH-Tor configuration, and facilitate undetected remote access to sensitive organizational data and infrastructure. This kind of attack not only jeopardizes intellectual property, financial information, and customer data but also risks significant reputation damage, regulatory non-compliance penalties, and operational disruptions. Any business that handles or exchanges files, especially those involving confidential or strategic information, must therefore remain vigilant against such tactics and reinforce their defenses against this sophisticated, evolving threat landscape.

Fix & Mitigation

Ensuring prompt remediation of threats like hackers delivering SSH-Tor backdoors through weaponized military documents contained in ZIP files is vital to prevent extensive breaches, data loss, and further exploitation of vulnerabilities within an organization’s critical infrastructure.

Detection

• Implement continuous monitoring to identify suspicious ZIP file uploads or downloads.
• Use advanced threat intelligence to flag known malicious signatures associated with military document payloads.

Containment

• Isolate affected systems immediately upon detection to prevent lateral movement.
• Disable network shares or access points that could facilitate spread.

Eradication

• Remove infected files and terminate malicious processes related to SSH-Tor backdoors.
• Conduct thorough malware scans using updated antivirus and anti-malware tools.

Recovery

• Restore affected systems from clean backups, ensuring they are free of malicious code.
• Re-establish secure configurations after verifying systems are free of threats.

Communication

• Notify relevant internal teams and, if necessary, external authorities or cybersecurity agencies.
• Document incident details and steps taken for transparency and future reference.

Prevention

• Strengthen email and web filtering to block malicious ZIP files and weaponized documents.
• Conduct regular staff training on recognizing and handling suspicious files.
• Keep all software, including security tools, patched and updated to mitigate known vulnerabilities.
• Enforce strict access controls and multi-factor authentication to minimize potential attack vectors.

Advance Your Cyber Knowledge

Discover cutting-edge developments in Emerging Tech and industry Insights.

Explore engineering-led approaches to digital security at IEEE Cybersecurity.

Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.

Cyberattacks-V1cyberattack-v1-multisource