Sandworm Uses SSH-over-Tor for Stealthy, Long-Term Persistence

Jennifer Sherman
April 28, 2026

Key Takeaways

  • The state-sponsored threat group Sandworm has deployed a sophisticated new campaign leveraging SSH and Tor for highly stealthy, long-term persistence within victim networks.
  • Targets include government, diplomatic, energy, and research sectors, with the primary objective of intelligence theft.
  • The attack initiates via spear-phishing emails containing a malicious ZIP archive that deploys a multi-component toolkit, including disguised OpenSSH and Tor servers.
  • This advanced method creates a double-encrypted, anonymous command-and-control channel, allowing attackers to bypass traditional network defenses and exfiltrate data undetected.
  • Defenders must implement enhanced email security, advanced endpoint detection, and robust network traffic analysis to counter these refined tactics.

Sandworm Elevates Persistence Tactics with SSH-over-Tor Tunnels

The notorious state-sponsored hacking collective Sandworm, also known by aliases such as APT-C-13 and FROZENBARENTS, has launched an advanced cyber espionage campaign. This operation marks a significant evolution in the group’s tradecraft, utilizing an intricate combination of SSH and Tor tunneling to establish deeply embedded, persistent access within targeted networks, effectively operating under the radar of conventional security measures.

This latest campaign represents a strategic shift for Sandworm, moving beyond simpler malware callbacks to a highly anonymized, encrypted remote control infrastructure. This sophisticated setup is designed to maintain covert operations and exfiltrate sensitive data without triggering alerts from enterprise firewalls or network monitoring systems.

Sandworm’s History of Espionage

Active since at least 2014, Sandworm has consistently focused its efforts on acquiring political, military, and technological intelligence. Its historical targets predominantly include government entities, diplomatic missions, energy providers, and research institutions.

Advanced Infiltration and Evasion Techniques

In this recent offensive, Sandworm refined its intrusion methodologies by deploying dual-layer anonymous tunnels. These tunnels are meticulously engineered to mimic legitimate network traffic, allowing them to blend in and avoid detection.

The attack chain typically commences with a spear-phishing email. This email delivers a ZIP archive that, once extracted and its enclosed shortcut opened, silently installs a suite of malicious tools. Simultaneously, a legitimate-looking decoy document is displayed to the unsuspecting victim, maintaining cover during the compromise.

Analysts at the 360 Advanced Threat Research Institute meticulously examined several malicious samples associated with this campaign. Their findings highlight Sandworm’s use of nested SSH and Tor tunneling to construct a double-encrypted, anonymous channel between the attacker’s infrastructure and the compromised host. This architecture grants the attackers unfettered access to victim systems, enabling them to extract sensitive information while circumventing standard traffic inspection tools and network alerts.

Execution Flow and Persistent Foothold

The initial malicious payload is contained within a ZIP archive named “Iskhod_7582_Predstavlenie_na_naznachenie.zip,” identified by the MD5 hash 2156c270ffe8e4b23b67efed191b9737. Inside this archive, Sandworm conceals a malicious LNK shortcut, cleverly disguised as a PDF document, alongside a deceptive folder named “$RECYCLE.BIN” designed to mimic the legitimate Windows Recycle Bin directory.

When a victim clicks the LNK file, the entire attack toolkit is silently deployed in the background. Concurrently, the genuine decoy PDF opens, distracting the user and preventing immediate suspicion of the ongoing installation.

The ultimate impact of this attack is severe. Once the toolkit is established, attackers achieve persistent control over the victim’s internal network. This control facilitates lateral movement, access to sensitive files, and remote desktop operations.

Crucially, local ports such as SMB (445) and RDP (3389) are mapped to a dark web Onion address. Because the compromised host itself opens the outbound connection to the Tor network, the hidden service needs no inbound port at the perimeter: attackers can connect from any global location via Tor, effectively bypassing all inbound firewall protections.

How Sandworm Achieved Persistent Hidden Access

The sophistication of Sandworm’s latest campaign is most evident in its method for embedding long-term access within compromised systems, utilizing tools disguised as benign applications.

Following the execution of the LNK file, a primary control script, “currentSessionTrigger,” is activated. This script first performs environmental checks, looking for at least 10 recent .lnk files and 50 or more active processes, a tactic likely designed to evade sandbox environments. If these checks are successful, the script registers two scheduled tasks: “OperagxRepairTask” and “DropboxRepairTask.” These tasks are deliberately hidden from the default Task Scheduler view, ensuring that the malicious payloads are launched automatically each time the user logs in.

These scheduled tasks initiate two disguised executables: “operagx.exe,” which is an OpenSSH daemon, and “dropbox.exe,” which functions as a Tor server. A third file, “safari.exe,” acts as an obfs4 traffic obfuscation plugin. This plugin wraps all Tor traffic so that it resembles random byte streams on the wire, a technique employed to bypass advanced enterprise firewalls and deep packet inspection systems. Additionally, “obsstudio.exe” serves as an SFTP server, facilitating covert file transfers. The SSH daemon is specifically configured to listen only on the local loopback interface, port 20321, rendering it invisible to external network scans.

Upon the activation of the Tor service, a hidden .onion hostname is generated. The main control script then reads this hostname and transmits the victim’s identity details to a hardcoded command-and-control (C2) address: kvk46su7d2qi6g4n43syp4zbsf2rihnc6ztj77qtc2ojvewjqvqilnqd.onion. This communication is performed using ‘curl’ with aggressive retry settings, thereby establishing a permanent, encrypted, and highly resilient shadow control channel within the victim’s network.

What You Should Do

  • Regularly audit scheduled tasks on all endpoints for suspicious entries, especially those impersonating legitimate applications like web browsers or cloud storage services.
  • Configure network firewalls and intrusion detection/prevention systems to identify and block known Tor and obfs4 traffic patterns at the network perimeter.
  • Implement continuous security awareness training for all employees, emphasizing the dangers of opening ZIP attachments from unknown or unexpected senders, particularly those containing LNK shortcuts disguised as documents.
  • Deploy advanced endpoint detection and response (EDR) solutions capable of identifying unusual SSH server processes, especially those running from non-standard directories like AppData or utilizing non-default port configurations.
  • Maintain up-to-date threat intelligence feeds to stay informed about the latest Sandworm tactics, techniques, and procedures (TTPs).
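The following audit script is an added example, not code from the article or from the 360 Advanced Threat Research Institute. It implements the first and fourth recommendations above against the persistence traits described in the “How Sandworm Achieved Persistent Hidden Access” section: it enumerates every registered scheduled task (including ones flagged hidden, which the Task Scheduler GUI omits by default) and flags those that launch binaries from user-writable directories or carry the task names and binary names the report lists, then pairs each loopback-only TCP listener with its owning process and applies the same checks, with the reported port 20321 as an extra indicator. It assumes an elevated PowerShell session on Windows 8 / Server 2012 or later (for the ScheduledTasks and NetTCPIP modules); the indicator lists come from the report, while the user-writable path pattern and the verdict logic are this example's own choices.

```powershell
# Added example (not from the article or from 360 ATRI): defender-side audit of the
# two persistence traits the report describes on a Windows host.
# Assumes an elevated session; ScheduledTasks and NetTCPIP modules present.

# Indicators taken from the report; extend them for your environment.
$ReportedBinaries  = @('operagx.exe', 'dropbox.exe', 'safari.exe', 'obsstudio.exe')
$ReportedTaskNames = @('OperagxRepairTask', 'DropboxRepairTask')
$ReportedSshPort   = 20321
# Assumption of this example: directories an unprivileged user can write to.
# Legitimate services rarely run from them, so a match deserves a second look.
$UserWritablePath  = '(?i)\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Windows\\Temp\\'

function Get-SuspiciousScheduledTask {
    # Get-ScheduledTask returns every registered task, whether or not
    # Settings.Hidden is set, so GUI-hidden tasks still show up here.
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $exe = $action.Execute
            if (-not $exe) { continue }  # COM-handler actions have no executable
            $exe = [Environment]::ExpandEnvironmentVariables($exe).Trim('"')
            $reasons = @()
            if ($task.TaskName -in $ReportedTaskNames)         { $reasons += 'task name reported in campaign' }
            if ((Split-Path $exe -Leaf) -in $ReportedBinaries)  { $reasons += 'impersonated binary name' }
            if ($exe -match $UserWritablePath)                  { $reasons += 'runs from user-writable path' }
            # Hidden tasks and logon triggers are common on their own; report them
            # only as corroboration of another finding to keep the noise down.
            $hasLogon = [bool]($task.Triggers |
                Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' })
            if ($reasons.Count -gt 0 -and $task.Settings.Hidden) { $reasons += 'hidden from default view' }
            if ($reasons.Count -gt 0 -and $hasLogon)             { $reasons += 'runs at user logon' }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    TaskPath  = $task.TaskPath
                    TaskName  = $task.TaskName
                    Execute   = $exe
                    Arguments = $action.Arguments
                    Reasons   = $reasons -join '; '
                }
            }
        }
    }
}

function Get-SuspiciousLoopbackListener {
    # Sockets bound only to 127.0.0.1 never appear in an external port scan,
    # which is why the reported SSH daemon binds there. Judge the owning
    # process, not just the port number.
    foreach ($conn in Get-NetTCPConnection -State Listen -LocalAddress 127.0.0.1) {
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        $path = $null
        $name = '<unknown>'
        if ($proc) {
            $path = $proc.Path   # null for protected/system processes
            $name = $proc.ProcessName
        }
        $reasons = @()
        if ($conn.LocalPort -eq $ReportedSshPort)                      { $reasons += 'port reported in campaign' }
        if ($path -and $path -match $UserWritablePath)                 { $reasons += 'owner runs from user-writable path' }
        if ($path -and (Split-Path $path -Leaf) -in $ReportedBinaries) { $reasons += 'impersonated binary name' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                LocalPort = $conn.LocalPort
                OwnerPid  = $conn.OwningProcess
                Process   = $name
                Path      = $path
                Reasons   = $reasons -join '; '
            }
        }
    }
}

Write-Host '== Scheduled tasks worth reviewing =='
Get-SuspiciousScheduledTask | Format-Table -AutoSize -Wrap
Write-Host '== Loopback-only listeners worth reviewing =='
Get-SuspiciousLoopbackListener | Format-Table -AutoSize
```

Each finding carries the reasons it was flagged, so a task that is merely hidden or merely runs at logon is never reported on its own; a binary executing from AppData under a browser or cloud-storage name, or a loopback listener on the reported port, is. The same telemetry (task registrations, process paths, listening sockets) is what an EDR platform collects centrally, so the checks translate directly into hunting queries for fleet-wide use.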
