LNK Exploit & OpenSSH-Over-Tor Backdoor Used in Covert Attack on Belarus Military

CYBERDUDEBIVASH

Author: CyberDudeBivash
Powered by: CyberDudeBivash Brand | cyberdudebivash.com
Related: cyberbivash.blogspot.com


By CyberDudeBivash · 01 Nov 2025 · cyberdudebivash.com · Intel on cyberbivash.blogspot.com



APT ATTACK • LNK EXPLOIT • TOR C2 BACKDOOR

Situation: A new, highly-stealthy APT (Advanced Persistent Threat) campaign has been identified targeting the Belarus military. This is not a “smash and grab” ransomware attack; it is a sophisticated cyber-espionage campaign that combines two clever TTPs (Tactics, Techniques, and Procedures) to gain persistent, untraceable access.

This is a decision-grade brief for CISOs and SecOps leaders. The attackers are using malicious LNK files (a form of fileless malware) to bypass initial defenses. The payload is a modified OpenSSH server configured to run over the Tor network. This creates a fully anonymous, encrypted Command & Control (C2) channel that is invisible to most EDRs and firewalls.

TL;DR — This is a classic nation-state espionage play.

  • TTP 1 (Initial Access): A spear-phishing email contains a malicious `.LNK` file (a “shortcut”) disguised as a document. When clicked, it runs a hidden PowerShell script.
  • TTP 2 (Persistence & C2): The script downloads and installs a legitimate (but modified) OpenSSH server. This server is configured to run as a hidden service.
  • TTP 3 (Anonymity): The OpenSSH service is configured to *only* accept connections from a `.onion` (Tor) address. This means the attacker’s true IP is completely anonymous.
  • The Risk: Your EDR is likely configured to *trust* `ssh.exe` and `powershell.exe`. Your firewall is blind because it can’t block a single “bad IP” (Tor has thousands). This is a high-stealth EDR bypass.

Contents

  1. Phase 1: The “LNK Exploit” (The Fileless Foothold)
  2. Phase 2: The “OpenSSH-Over-Tor” Backdoor (The Anonymous C2)
  3. Why Your EDR and Firewall Are Blind to This Attack
  4. The CyberDudeBivash 3-Layer Defense Plan
  5. Tools We Recommend (Partner Links)
  6. CyberDudeBivash Services & Apps
  7. FAQ

Phase 1: The “LNK Exploit” (The Fileless Foothold)

The attack begins with a sophisticated spear-phishing email, likely targeting specific military personnel or government officials. The attachment is not a `.exe` or a `.docm`. It’s a `.LNK` file—a simple Windows shortcut.

This is a clever EDR bypass technique for several reasons:

  1. User Trust: The `.LNK` file is disguised with a legitimate-looking icon (e.g., a Word document or PDF). The user thinks they are opening a file named “Urgent_Communique.pdf”.
  2. Signature Evasion: The `.LNK` file itself is not “malware.” It’s a legitimate Windows object. This allows it to bypass many static antivirus scanners that are looking for known-bad file hashes.
  3. Fileless Execution: The *real* power is in the “Target” field of the shortcut. Instead of pointing to a program, the attacker points it to `powershell.exe` and passes a long, obfuscated command.
    Example: `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -e JABj…[long base64 string]…`
  4. The “Dropper”: When the user clicks the shortcut, they *run* this hidden PowerShell command. This is a “fileless” technique because the initial malicious script runs entirely in-memory. This script’s only job is to download the *real* payload (Stage 2) from a remote server and execute it.
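The four points above describe what a malicious shortcut looks like on disk. The following is an added example (not code from the original brief) that parses the StringData fields of a Shell Link file and flags the indicators just listed: a script host as the target, an encoded command in the arguments, and a document icon masquerading on that target. The `.LNK` sample it checks is constructed in the block itself, not a real campaign artifact.

```python
import base64, re, struct

# Shell Link (MS-SHLLINK) header: HeaderSize 0x4C, fixed LinkCLSID, LinkFlags at offset 0x14.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))

def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a .LNK as a dict (Unicode and ANSI links both handled)."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    assert size == 0x4C and clsid == LNK_CLSID, "not a Shell Link file"
    pos = 0x4C
    if flags & HAS_ID_LIST:  # absolute target lives in the IDList; skipped, the string fields are inspected
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]
    out, width = {}, (2 if flags & IS_UNICODE else 1)
    for bit, name in STRING_FIELDS:  # fields appear in this fixed order, each as CountCharacters + chars
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            out[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + count * width
    return out

def triage_lnk(data: bytes) -> list:
    """Flag the indicators from the brief: script-host target, encoded command, document icon on that target."""
    s = parse_lnk_strings(data)
    args, icon = s.get("arguments", ""), s.get("icon_location", "").lower()
    target = (s.get("relative_path", "") + " " + args).lower()
    findings = []
    script_host = any(h in target for h in ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript"))
    if script_host:
        findings.append("script host in link target")
    if re.search(r"-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", args, re.I):
        findings.append("encoded PowerShell command")
    if script_host and (icon.endswith((".pdf", ".doc", ".docx")) or "winword" in icon or "acrord32" in icon):
        findings.append("document icon on a script-host link")
    return findings

def build_lnk(rel_path: str, args: str, icon: str) -> bytes:
    """Build a minimal Unicode .LNK carrying only StringData (constructed test input, not a real sample)."""
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, 0x08 | 0x20 | 0x40 | IS_UNICODE).ljust(0x4C, b"\0")
    sd = lambda t: struct.pack("<H", len(t)) + t.encode("utf-16-le")
    return header + sd(rel_path) + sd(args) + sd(icon)

# Constructed sample with the shape the brief describes: Acrobat icon, powershell.exe target, -e <base64>.
ENC = base64.b64encode("Write-Output 'sample'".encode("utf-16-le")).decode()
SAMPLE_LNK = build_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                       "-w hidden -e " + ENC, r"%ProgramFiles%\Adobe\Acrobat\AcroRd32.exe")
```

Run `triage_lnk(open(path, "rb").read())` over mail-gateway attachments to get the findings list; an empty list means none of the three indicators were present.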

Service Note: This is a classic Initial Access TTP. Our Adversary Simulation (Red Team) engagements at CyberDudeBivash use these exact techniques to test your human and technical defenses. If your EDR can’t block an LNK from spawning an obfuscated PowerShell command, you are vulnerable.
Book an Adversary Simulation (Red Team) →

Phase 2: The “OpenSSH-Over-Tor” Backdoor (The Anonymous C2)

This is the most brilliant part of the attack. The Stage 1 PowerShell script downloads and installs the Stage 2 payload: a modified copy of OpenSSH (the standard, trusted tool for secure remote access) and the Tor client.

This isn’t a “normal” RAT (Remote Access Trojan). This is a covert, persistent backdoor built from legitimate tools. This is a prime example of “Living off the Trusted Land” (LotL).

1. Why OpenSSH?

Attackers love OpenSSH because your security team *already trusts it*. Your EDR and firewall “allowlist” probably has a rule to permit `ssh.exe` and `sshd.exe` to run and communicate. The attacker installs their OpenSSH copy as a hidden Windows service, set to auto-start, ensuring their persistence.

2. Why Tor?

This is the masterstroke for anonymity. The attacker configures the OpenSSH server to run as a **Tor Onion Service** (`.onion` address). This means:

  • No Inbound Firewall Holes: The SSH service doesn’t open a port on your firewall. It makes an *outbound-only* connection to the Tor network. This bypasses all inbound firewall rules.
  • Total Attacker Anonymity: The attacker connects to their `.onion` address to access the backdoor. Their *real* IP address is completely obscured by the Tor network. They could be anywhere in the world.
  • No “Bad IP” to Block: Your threat intelligence feeds are useless. You can’t block the “attacker’s C2 IP” because there isn’t one. The C2 is a constantly moving target within the Tor network’s thousands of nodes.

The result is a fully encrypted, fully anonymous, persistent backdoor, running as a “trusted” service, that bypasses all but the most advanced network monitoring. This is a nation-state spy tool.

Why Your EDR and Firewall Are Blind to This Attack

This entire kill chain is designed to defeat modern, “Next-Gen” security stacks. It attacks the *assumptions* your security is built on.

  1. Your Firewall Assumes: “I only need to block *inbound* connections.”
    The Bypass: This attack is *outbound-only*. The compromised host *initiates* the connection to the Tor network. Most firewalls are configured to allow all outbound HTTPS/443 traffic, which is exactly what Tor traffic can look like.
  2. Your EDR Assumes: “I should trust `powershell.exe` and `ssh.exe`.”
    The Bypass: This is a “Living off the Trusted Land” (LotL) attack. The EDR sees `explorer.exe` (the user) launch `powershell.exe` (trusted). It then sees PowerShell launch `ssh.exe` (trusted). Without an extremely high level of behavioral analysis, this chain of “trusted” processes is ignored.
  3. Your Threat Intel Assumes: “I can block known-bad C2 IPs.”
    The Bypass: The C2 is a `.onion` address. There is no static IP to block.

The Solution is Human-Led MDR: Your automated EDR *might* generate a low-level “behavioral” alert (e.g., “Powershell launched by LNK file”). Your 9-to-5 IT team will see this as “noise.”
Our 24/7 Managed Detection & Response (MDR) team at CyberDudeBivash is trained to hunt for *exactly* these TTPs. We see “PowerShell from LNK” + “New Service Creation” + “Outbound connection to known Tor node” and we don’t call it “noise.” We call it an active APT breach and initiate Incident Response in minutes.
Explore Our 24/7 Managed Detection & Response (MDR) →

The CyberDudeBivash 3-Layer Defense Plan

You cannot fight a layered attack with a single tool. You need a 3-layer defense: Harden, Hunt, and Respond.

Layer 1: Harden the Endpoint (The “Block”)

Stop the attack at Stage 1. Don’t let the LNK run.

  • Block LNKs: Configure your email gateway to *block* `.LNK` files (and `.zip` files containing them) entirely.
  • Harden PowerShell: Use Constrained Language Mode and enable script block logging and transcription.
  • Use AppLocker/WDAC: This is critical. Create a Windows Defender Application Control (WDAC) policy that *only* allows your *known, authorized* executables to run. This would block the attacker’s custom-compiled `ssh.exe` from ever launching.

Layer 2: Hunt the Behavior (The “Detect”)

You *must* assume they will get in. You need to find them. This requires a modern behavioral EDR and a 24/7 team to watch it.

  • Hunt for the LNK: Alert on `explorer.exe` (or `outlook.exe`) spawning `powershell.exe`. This is a classic TTP.
  • Hunt for the Service: Alert on *any* new Windows service creation, especially one with a suspicious name or path.
  • Hunt for Tor: This is your #1 signal. Block and alert on *all* outbound connections to known Tor entry nodes. No corporate workstation or server should *ever* be connecting to Tor.
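The three hunts above, and the “PowerShell from LNK” + “New Service Creation” + “Outbound connection to known Tor node” correlation described in the previous section, can be expressed as a small per-host correlation. This is an added example, not the author's or any vendor's detection content: the event field names, the Tor guard addresses (TEST-NET placeholders, not real relays) and the event stream are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed Tor entry-guard list (TEST-NET placeholder addresses, not real relays) and a Sysmon-like
# event stream for two hosts. Field names are assumptions for this example, not a vendor schema.
TOR_GUARDS = {"203.0.113.10", "198.51.100.77"}
EVENTS = [
    {"host": "WS-14", "t": 100, "type": "process", "parent": "explorer.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -w hidden -e JABj"},
    {"host": "WS-14", "t": 130, "type": "service_install", "name": "OpenSSH Agent",
     "path": r"C:\ProgramData\ssh\sshd.exe"},
    {"host": "WS-14", "t": 190, "type": "network", "image": "tor.exe", "dst": "203.0.113.10", "dport": 443},
    {"host": "WS-07", "t": 100, "type": "process", "parent": "explorer.exe", "image": "powershell.exe",
     "cmd": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"host": "WS-07", "t": 200, "type": "network", "image": "chrome.exe", "dst": "192.0.2.50", "dport": 443},
]
USER_SHELLS = {"explorer.exe", "outlook.exe"}
TRUSTED_SVC_DIRS = (r"c:\windows\system32", r"c:\program files")

def classify(ev: dict, tor_guards: set) -> list:
    """Map one event to the signal names used in the brief; returns [] for benign events."""
    out = []
    if ev["type"] == "process" and ev["parent"].lower() in USER_SHELLS and ev["image"].lower() == "powershell.exe":
        out.append("powershell_from_user_shell")
        if re.search(r"\s-(e|enc|encodedcommand)\s", ev["cmd"], re.I) or "-w hidden" in ev["cmd"].lower():
            out.append("powershell_encoded_or_hidden")
    elif ev["type"] == "service_install":
        out.append("new_service")  # the brief says alert on any new service
        if not ev["path"].lower().startswith(TRUSTED_SVC_DIRS):
            out.append("service_outside_trusted_dirs")
    elif ev["type"] == "network" and ev["dst"] in tor_guards:
        out.append("tor_egress")  # the brief's #1 signal; outbound 443 is what it looks like
    return out

def correlate(events: list, tor_guards: set, window: int = 900) -> dict:
    """Group signals per host inside a time window (seconds) and assign the brief's verdict."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["t"]):
        for sig in classify(ev, tor_guards):
            by_host[ev["host"]].append((ev["t"], sig))
    result = {}
    for host, sigs in by_host.items():
        first = sigs[0][0]
        names = sorted({s for t, s in sigs if t - first <= window})
        # Any Tor egress, or the full LNK > service > C2 chain, is an incident; one signal alone is "noise" to review.
        verdict = "incident" if ("tor_egress" in names or len(names) >= 3) else "review"
        result[host] = {"signals": names, "verdict": verdict}
    return result
```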

Layer 3: Respond (The “Remediate”)

If you get an alert for Tor traffic, you are not “investigating.” You are in active Incident Response (IR).

  1. Isolate: Immediately quarantine the host from the network.
  2. Forensics: Acquire a full memory and disk image for digital forensics.
  3. Eradicate: Identify and remove the malicious service, the LNK file, and any other attacker tools.
  4. Recover: Re-image the machine. Rotate *all* credentials associated with that user and machine.

This is not a drill. If you see Tor traffic, call us. Our CyberDudeBivash 24/7 IR team is on standby. We will guide you through this exact “Isolate, Forensics, Eradicate, Recover” process to stop the breach before it becomes a headline.
Book Our 24/7 Incident Response Hotline →

Recommended by CyberDudeBivash (Partner Links)

You need a modern, behavioral-focused stack. Here’s what we recommend for this specific problem.

Kaspersky EDR
The core of your defense. Provides the behavioral analytics needed to catch the “LNK > PowerShell > Tor” chain.
Edureka — CyberSec & PowerShell
Train your SecOps team on PowerShell hardening and Threat Hunting TTPs like this.
TurboVPN
Secure your *legitimate* admin access. All your *real* SSH traffic should be inside a trusted VPN.

Alibaba Cloud (Global)
Host your “honeypot” and malware analysis sandboxes on isolated, secure cloud infra.
AliExpress (Hardware Keys)
Use FIDO2/YubiKey-compatible keys for your *real* admin SSH sessions. Un-phishable.
Rewardful
If you’re building a security product, run your partner program on Rewardful. We do.

CyberDudeBivash Services & Apps

We don’t just report on these threats. We hunt them. We are the expert team you call when a nation-state APT bypasses your tools. We find the blind spots.

  • Adversary Simulation (Red Team): We will simulate this *exact* LNK-to-Tor-C2 attack against your company to see if your EDR and team can detect it.
  • Managed Detection & Response (MDR): Our 24/7 SecOps team becomes your “human sensor,” hunting for these TTPs (like Tor traffic) in your logs.
  • Emergency Incident Response (IR): You see Tor traffic? You call us. Our 24/7 team will hunt the attacker and eradicate them.
  • PhishRadar AI — Our app to detect and block the initial LNK spear-phishing email.
  • SessionShield — Protects the admin/user sessions *after* the initial compromise.


FAQ

Q: What is a LNK exploit?
A: It’s not a “vulnerability” in LNK files themselves, but a *technique*. It leverages a legitimate Windows function (shortcuts) to execute malicious code (like PowerShell) in a “fileless” way that evades simple antivirus.

Q: How do I block Tor on my network?
A: The best way is at your firewall/proxy. Maintain an updated blocklist of all known Tor entry node IPs. A better, more robust way is to use an EDR (like Kaspersky EDR) that can identify Tor traffic *behaviorally* (via its “JA3/JARM” fingerprint) and block the *process* on the endpoint, regardless of the IP.

Q: My EDR is “Next-Gen AI”. Am I safe?
A: No. Not automatically. Your AI is only as good as its configuration. If it’s configured to “trust” PowerShell and “ignore” SSH, it will miss this. This attack is designed to look like “noise.” It takes a 24/7 human MDR team (like ours) to analyze that “noise” and identify it as an APT.

Q: We were just breached. What’s the *first* thing we do?
A: 1. Isolate the host(s) showing Tor traffic. 2. Do not turn it off (you will destroy the in-memory evidence). 3. Call our 24/7 Incident Response hotline immediately. We need to perform memory forensics *before* the attacker knows they’ve been spotted.


Affiliate Disclosure: We may earn commissions from partner links at no extra cost to you. These are tools we use and trust. Opinions are independent.

CyberDudeBivash — Global Cybersecurity Apps, Services & Threat Intelligence.

cyberdudebivash.com · cyberbivash.blogspot.com · cryptobivash.code.blog

#LNKexploit #TorBackdoor #OpenSSH #APT #Belarus #CyberDudeBivash #EDRBypass #RedTeam #MDR #FilelessMalware #ThreatHunting #IncidentResponse #CyberEspionage
