Analysis of Attack Activities Using SSH+TOR Tunnels to Achieve Covert Persistence
Essential information
- Published
- 29/04/2026 14:09
- Modified
- 30/04/2026 08:17
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- apt-c-13 obfs4 persistence mechanism sandworm scheduled tasks spearphishing ssh tunneling tor network
- Tags
- 2026-04-29 apt-c-13 obfs4 persistence mechanism sandworm scheduled tasks spearphishing ssh tunneling tor network
- Related entities
- 7 indicators, 7 observables, 1 intrusion sets (apt), 20 techniques (mitre), 9 others
Description
APT-C-13 (Sandworm), also known as FROZENBARENTS, is a state-sponsored advanced persistent threat group conducting global cyber espionage operations. The organization recently deployed malicious campaigns using nested SSH and TOR tunnel infrastructure to establish covert remote access channels. Attackers distribute ZIP archives containing weaponized LNK files via spearphishing emails, which extract and execute payloads that create scheduled tasks disguised as legitimate software. The attack establishes dual-encrypted anonymous tunnels using obfs4 protocol to bypass deep packet inspection, while mapping sensitive ports (SMB/445, RDP/3389) to Onion domains for persistent backdoor access. The campaign leverages sophisticated anti-analysis techniques including sandbox detection, file disguise, and process masquerading to evade detection and maintain long-term unauthorized control over compromised systems for intelligence collection.