Operation SkyCloak: Tor Campaign targets Military of Russia & Belarus
ID: db29821e-0d39-559c-a8bc-73c5f1c59683
STIX ID: report--db29821e-0d39-559c-a8bc-73c5f1c59683
Feed Name: Seqrite Blog
SEQRITE Labs documents a targeted espionage campaign (SkyCloak) observed in Oct 2025 that lures Russian and Belarusian military personnel with decoy nomination/training PDFs; a spearphishing ZIP contains LNKs that trigger PowerShell to extract a multi-stage payload which installs a user-profile OpenSSH server and a Tor instance (with obfs4 bridges) to expose SSH/SMB/RDP as onion hidden services for covert remote access. The report details anti-analysis checks, scheduled-task persistence, SSH/Tor configurations, bundled legitimate OpenSSH/LibreSSL binaries, observable Tor bridge endpoints, and a set of IOCs and MITRE ATT&CK mappings; attribution is tentative and scored with low confidence.
