Attack Activity Analysis Using SSH+TOR Tunnels for Covert Persistence

Published 28/04/2026 08:09 · Modified 29/04/2026 07:44

Essential information

Published
28/04/2026 08:09
Modified
29/04/2026 07:44
Tags
2026-04-28, covert persistence, frozenbarents, obfs4, obfuscation, sandworm, scheduled tasks, spear-phishing, ssh tunneling, tor hidden service
Related entities
10 observables, 1 intrusion sets (apt), 19 techniques (mitre), 9 others

Description

APT-C-13 (), also known as , is a state-sponsored advanced persistent threat group conducting global cyber espionage against government agencies, diplomatic departments, energy enterprises, and research organizations. Recently detected samples show the group using a nested SSH and TOR tunnel architecture to establish covert communication channels. The attack begins with emails delivering malicious LNK files disguised as PDF documents. On execution, the payload deploys TOR hidden services that map internal ports (SMB/445, RDP/3389) to onion addresses, while an SSH service using public key authentication provides encrypted remote access. The malware uses the obfs4 pluggable transport to obfuscate TOR traffic and evade deep packet inspection. Persistence is achieved by masquerading as legitimate applications such as Opera GX and Dropbox, giving the group an anonymous shadow management infrastructure for sustained intelligence collection.

External references