Sandworm APT Attacks Belarus Military With LNK Exploit and OpenSSH Over Tor obfs4 Backdoor

Researchers from Cyble Research and Intelligence Labs have uncovered a sophisticated malware campaign targeting Belarusian military personnel involved in UAV operations. The campaign uses weaponized ZIP archives and advanced evasion techniques, and is attributed to the Russian threat actor Sandworm (APT44), which relies on stealthy communication channels such as Tor and OpenSSH to sustain persistent espionage activity.

Key points

  • The campaign uses deception with military-themed ZIP archives containing malicious LNK files.
  • Advanced anti-analysis and obfuscation techniques help evade detection and sandboxing.
  • Persistent backdoors are maintained through scheduled tasks and encrypted communication channels.
  • The malware leverages Tor hidden services with obfs4 transport to anonymize traffic.
  • Similarities with previous Sandworm campaigns suggest ongoing espionage targeting Eastern European military sectors.
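The first key point, lure archives that carry a malicious LNK, is something a mail gateway or a triage script can check for directly. The following Python is an added example written for this summary, not code from Cyble or from the linked article: it identifies Windows shortcut entries inside a ZIP by their ShellLinkHeader signature rather than by file name, so a shortcut renamed to look like a document is still reported. The archive it inspects is constructed inline and is not an artefact from the campaign.

```python
"""Added example (not from the Cyble report or the original post): flag ZIP
archive entries that are Windows shortcut (LNK) files by content, the kind of
check a gateway or triage script would run against archives like the
military-themed lures described above."""
import io
import zipfile

# Every Windows shortcut starts with HeaderSize 0x0000004C followed by the
# LinkCLSID {00021401-0000-0000-C000-000000000046} in little-endian layout.
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "00000000" "C000000000000046")


def is_lnk(data: bytes) -> bool:
    """True when the first 20 bytes match the ShellLinkHeader signature."""
    return data[: len(LNK_MAGIC)] == LNK_MAGIC


def find_lnk_entries(zip_bytes: bytes) -> list:
    """Return one record per entry that is an LNK by content or by name.

    Both signals are reported so an analyst can see the mismatch: an entry
    whose bytes are a shortcut but whose name says otherwise is flagged as
    disguised.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            by_content = is_lnk(head)
            by_name = info.filename.lower().endswith(".lnk")
            if by_content or by_name:
                findings.append({
                    "name": info.filename,
                    "lnk_by_content": by_content,
                    "lnk_by_name": by_name,
                    "disguised": by_content and not by_name,
                })
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample archive (not from the campaign): one plain text
    file, one obvious .lnk, and one LNK header stub renamed to look like a
    PDF. The stub is header-sized only and is not a working shortcut."""
    fake_lnk_body = LNK_MAGIC + b"\x00" * 56
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "plain text, nothing to see")
        zf.writestr("orders/flight_plan.lnk", fake_lnk_body)
        zf.writestr("orders/flight_plan.pdf", fake_lnk_body)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in find_lnk_entries(build_sample_archive()):
        print(finding)
```

Reading only the first 20 bytes of each entry keeps the scan cheap on large archives; a production check would also want to cap decompressed size and entry count before opening anything, since the archive itself is attacker-controlled.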

Read More: https://securityonline.info/sandworm-apt-attacks-belarus-military-with-lnk-exploit-and-openssh-over-tor-obfs4-backdoor/