Russian and Belarusian Military (Unattributed Campaign)

A sophisticated spear-phishing campaign targeted Russian and Belarusian military personnel, specifically members of the Russian Airborne Forces (VDV) and Belarusian Special Forces (UAV/drone operators). The lures were weaponized LNK shortcut files disguised as military-themed PDFs, for example *‘ТЛГ на убытие на переподготовку.pdf.lnk’* and *‘Исх №6626 Представление на назначение на воинскую должность.pdf.lnk’*. Once opened, the malware established persistence through scheduled tasks, deployed a hidden SSH service listening on port 20321 with RSA-key authentication for threat-actor access, and created a Tor hidden service used to exfiltrate data, forward RDP/SMB for lateral movement, and maintain full interactive control over compromised systems. The campaign’s infrastructure and tactics, including custom Tor pluggable transports and SSHD configurations, mirrored those of Russian APT groups (e.g., Sandworm/APT44, APT28), though attribution remains unconfirmed. Researchers also noted parallels to pro-Ukraine APTs (Angry Likho, Awaken Likho) but could not definitively attribute the operation. The focus on units specializing in drones and airborne operations suggests strategic espionage or sabotage objectives, with potential consequences for operational security, command-chain integrity, and classified intelligence. The use of Tor and encrypted channels indicates a high likelihood of sustained, undetected access to sensitive defense networks.

Source: https://www.helpnetsecurity.com/2025/11/03/russian-belarusian-military-spear-phishing/

TPRM report: https://www.rankiteo.com/company/free-russia-foundation

{
  "id": "fre5832158110525",
  "linkid": "free-russia-foundation",
  "type": "Cyber Attack",
  "date": "11/2025",
  "severity": "100",
  "impact": "8",
  "explanation": "Attack that could lead to a war"
}
{'affected_entities': [{'industry': 'defense',
                        'location': 'Russia',
                        'name': 'Russian Airborne Forces (VDV)',
                        'type': 'military'},
                       {'industry': 'defense',
                        'location': 'Belarus',
                        'name': 'Belarusian Special Forces (UAV/drone '
                                'operations)',
                        'type': 'military'}],
 'attack_vector': ['malicious LNK file (masquerading as PDF)',
                   'weaponized ZIP archive',
                   'PowerShell script execution',
                   'Tor hidden service',
                   'OpenSSH backdoor'],
 'data_breach': {'data_exfiltration': ['via Tor hidden service',
                                       'SFTP/RDP/SMB forwarding'],
                 'file_types_exposed': ['PDF (decoy)',
                                        'LNK',
                                        'PowerShell scripts'],
                 'personally_identifiable_information': ['military personnel '
                                                         'identities',
                                                         'potential '
                                                         'authentication '
                                                         'tokens'],
                 'sensitivity_of_data': 'high (military intelligence)',
                 'type_of_data_compromised': ['military correspondence',
                                              'operational documents',
                                              'potential credentials']},
 'date_detected': 'October 2025',
 'date_publicly_disclosed': 'October 2025',
 'description': 'A spear-phishing campaign aimed to compromise Russian and '
                'Belarusian military personnel by using military-themed '
                'documents as a lure. The campaign used weaponized ZIP '
                'archives containing LNK files masquerading as PDFs (e.g., '
                "'ТЛГ на убытие на переподготовку.pdf.lnk' and 'Исх №6626 "
                "Представление на назначение на воинскую должность.pdf.lnk'). "
                'Upon execution, the LNK file launches PowerShell to establish '
                'persistence, deploy OpenSSH for covert access, and create a '
                'Tor hidden service for exfiltration and lateral movement. The '
                'attack chain terminates if sandbox/automated analysis is '
                'detected.',
 'impact': {'brand_reputation_impact': ['potential reputational damage to '
                                        'Russian/Belarusian military '
                                        'cybersecurity posture'],
            'data_compromised': ['military documents',
                                 'potential operational intelligence',
                                 'system credentials'],
            'identity_theft_risk': ['military personnel credentials'],
            'operational_impact': ['potential disruption of military '
                                   'communications',
                                   'compromise of UAV/drone operations '
                                   'intelligence'],
            'systems_affected': ['Windows systems of targeted military '
                                 'personnel',
                                 'RDP/SMB/SFTP services via Tor forwarding']},
 'initial_access_broker': {'backdoors_established': ['OpenSSH service (port '
                                                     '20321, RSA key auth)',
                                                     'Tor hidden service with '
                                                     'port forwarding '
                                                     '(RDP/SFTP/SMB)',
                                                     'scheduled task '
                                                     'persistence'],
                           'entry_point': ['weaponized ZIP archive',
                                           'malicious LNK file (PDF decoy)'],
                           'high_value_targets': ['Russian Airborne Forces '
                                                  '(VDV) personnel',
                                                  'Belarusian Special Forces '
                                                  '(UAV operators)']},
 'investigation_status': 'ongoing (unattributed)',
 'lessons_learned': ['Military personnel remain high-value targets for '
                     'spear-phishing campaigns using socially engineered '
                     'lures.',
                     'LNK files masquerading as PDFs continue to be effective '
                     'initial access vectors, especially in environments where '
                     'document sharing is routine.',
                     'Tor hidden services and OpenSSH backdoors enable '
                     'stealthy persistence and exfiltration, bypassing '
                     'traditional network defenses.',
                     'Sandbox evasion techniques (e.g., premature script '
                     'termination) highlight the need for behavioral analysis '
                     'in malware detection.',
                     'Cross-referencing TTPs with known APT groups (e.g., '
                     'Sandworm, Angry Likho) is critical for attribution but '
                     'may remain inconclusive.'],
 'motivation': ['espionage',
                'military intelligence gathering',
                'potential sabotage'],
 'post_incident_analysis': {'root_causes': ['Successful social engineering '
                                            'exploiting military document '
                                            'themes.',
                                            'Lack of restrictions on LNK file '
                                            'execution in high-security '
                                            'environments.',
                                            'Inadequate monitoring of '
                                            'PowerShell script execution and '
                                            'outbound Tor traffic.',
                                            'Over-reliance on perimeter '
                                            'defenses without behavioral '
                                            'analysis for evasive malware.']},
 'recommendations': ['Implement strict email filtering for LNK/shortcut files, '
                     'especially in military contexts.',
                     'Deploy endpoint detection and response (EDR) solutions '
                     'to monitor PowerShell script execution chains.',
                     'Restrict outbound Tor traffic and non-standard SSH ports '
                     '(e.g., 20321) in military networks.',
                     'Conduct regular red-team exercises simulating '
                     'military-themed spear-phishing lures.',
                     'Enforce multi-factor authentication (MFA) for all remote '
                     'access services (RDP, SSH, etc.).',
                     'Isolate high-value military systems from general-purpose '
                     'networks to limit lateral movement.',
                     'Provide targeted cybersecurity training for military '
                     'personnel on recognizing socially engineered military '
                     'documents.'],
 'references': [{'date_accessed': 'October 2025',
                 'source': 'Cyble Research and Intelligence Labs (CRIL)'},
                {'date_accessed': 'October 2025', 'source': 'Seqrite Labs'}],
 'response': {'third_party_assistance': ['Cyble Research and Intelligence Labs '
                                         '(CRIL)',
                                         'Seqrite Labs']},
 'title': 'Spear-phishing campaign targeting Russian and Belarusian military '
          'personnel with weaponized LNK files',
 'type': ['spear-phishing',
          'malware deployment',
          'persistent access',
          'data exfiltration',
          'lateral movement'],
 'vulnerability_exploited': ['human error (social engineering)',
                             'LNK file execution',
                             'PowerShell script abuse']}