2 min read | Saved February 14, 2026
Do you care about this?
Threat actors are using phishing emails with weaponized attachments to deploy malware aimed at the defense sector in Russia and Belarus. The malware establishes a backdoor via OpenSSH and a customized Tor service, giving the attacker remote access while avoiding detection. Environment checks ensure it activates only on genuine user systems rather than analysis sandboxes.
If you do, here's more
Threat actors are using phishing emails with weaponized attachments to target the defense sector in Russia and Belarus. The campaign, dubbed Operation SkyCloak, deploys a persistent backdoor using OpenSSH and a customized Tor hidden service with obfs4 for traffic obfuscation. The phishing emails lure recipients with military document themes, leading them to unzip a hidden folder containing a second archive and a Windows shortcut (LNK) file. Opening this shortcut initiates a series of malicious actions.
The initial dropper stage consists of PowerShell commands that set off the infection chain. A key component is a PowerShell stager that performs anti-analysis checks to avoid running in sandbox environments: it proceeds only if the system has at least ten recent LNK files and more than fifty running processes. If these conditions are met, it displays a decoy PDF and sets up persistence via a scheduled task named "githubdesktopMaintenance." This task runs a renamed copy of "sshd.exe," standing up an SSH service that restricts authentication to pre-deployed authorized keys.
The malware further creates a second scheduled task for a customized Tor binary, "pinterest.exe," which sets up a hidden service reachable at an attacker-controlled .onion address. It also configures port forwarding for critical Windows services such as RDP, SSH, and SMB, so the attacker can reach them through the Tor network. Once connected, the malware exfiltrates system information together with a unique .onion URL that identifies the compromised system, granting the attacker remote access.
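The two persistence artefacts described above, a scheduled task that launches a renamed OpenSSH or Tor binary and a Tor hidden service that forwards RDP, SSH and SMB, are what a defender would hunt for on a suspect host. The PowerShell below is an added example written for this article; it is not code from the article, Cyble or Seqrite. The task name, the binary name and the forwarded ports come from the article; the torrc search roots, the user-writable-location heuristic, the version-resource strings and the sample torrc fragment are assumptions or constructed input.

```powershell
# Added hunt script (not from the article or its sources). Task/binary names and
# the forwarded ports are taken from the write-up; everything marked "assumption"
# below is this example's own choice, not something the report states.

$ReportedTaskNames = @('githubdesktopMaintenance')   # scheduled task name from the article
$ReportedBinaries  = @('pinterest.exe')              # renamed Tor binary from the article
$ExposedPorts      = @(3389, 22, 445)                # RDP, SSH, SMB
$UserWritableRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:ProgramData)  # assumption

function Get-BinaryIdentity {
    # Renaming a PE file does not change its version resource, so the original
    # name / product string often still reveals sshd or Tor (assumption: resource present).
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    return ($vi.OriginalFilename, $vi.ProductName, $vi.FileDescription) -join ' '
}

function Find-SuspiciousScheduledTasks {
    # Walks every scheduled task action and reports the ones matching the article's IoCs
    # or the generic heuristics (OpenSSH outside its system folder, Tor, user-writable path).
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $exe = [Environment]::ExpandEnvironmentVariables([string]$action.Execute).Trim('"')
            if (-not $exe) { continue }
            $reasons = @()
            if ($ReportedTaskNames -contains $task.TaskName) { $reasons += 'task name reported for SkyCloak' }
            if ($ReportedBinaries -contains [IO.Path]::GetFileName($exe)) { $reasons += 'binary name reported for SkyCloak' }
            $identity = Get-BinaryIdentity $exe
            if ($identity -match 'sshd|OpenSSH' -and $exe -notlike "$env:SystemRoot\System32\OpenSSH\*") {
                $reasons += 'OpenSSH binary outside System32\OpenSSH'
            }
            if ($identity -match '\bTor\b') { $reasons += 'Tor binary launched by a scheduled task' }
            foreach ($root in $UserWritableRoots) {
                if ($root -and $exe -like "$root\*") { $reasons += 'binary in a user-writable location'; break }
            }
            if ($reasons) {
                [pscustomobject]@{
                    TaskName  = $task.TaskName
                    TaskPath  = $task.TaskPath
                    Execute   = $exe
                    Arguments = $action.Arguments
                    Reasons   = ($reasons -join '; ')
                }
            }
        }
    }
}

function Test-TorrcLines {
    # Pure function over torrc text: flags HiddenServicePort lines that forward to
    # RDP/SSH/SMB and any obfs4 pluggable-transport directive, the combination the
    # article describes. HiddenServicePort syntax is "VIRTPORT [host:]port"; when the
    # target is omitted Tor uses VIRTPORT on localhost.
    param([string[]]$Lines)
    $findings = @()
    foreach ($line in $Lines) {
        $t = ($line -split '#')[0].Trim()
        if (-not $t) { continue }
        if ($t -match '^HiddenServicePort\s+(\d+)(?:\s+(?:(\S+):)?(\d+))?\s*$') {
            $target = if ($Matches[3]) { [int]$Matches[3] } else { [int]$Matches[1] }
            if ($ExposedPorts -contains $target) {
                $findings += "hidden service exposes local port $target (virtual port $($Matches[1]))"
            }
        } elseif ($t -match '^(ClientTransportPlugin|ServerTransportPlugin|Bridge)\s+obfs4\b') {
            $findings += "obfs4 transport configured: $t"
        }
    }
    return $findings
}

function Find-HiddenServiceConfigs {
    # Assumption: the config keeps a torrc* file name; a customized build may not.
    $roots = $UserWritableRoots + $env:USERPROFILE | Where-Object { $_ -and (Test-Path -LiteralPath $_) }
    foreach ($root in $roots) {
        Get-ChildItem -LiteralPath $root -Recurse -File -Filter 'torrc*' -ErrorAction SilentlyContinue |
            ForEach-Object {
                $hits = Test-TorrcLines (Get-Content -LiteralPath $_.FullName -ErrorAction SilentlyContinue)
                if ($hits) { [pscustomobject]@{ Path = $_.FullName; Findings = ($hits -join '; ') } }
            }
    }
}

# Usage on the host being triaged (run elevated so all task folders are visible):
Find-SuspiciousScheduledTasks | Format-Table -AutoSize
Find-HiddenServiceConfigs     | Format-List

# Constructed torrc fragment (not from any real sample) to exercise the parser offline:
$sample = @(
    'HiddenServiceDir C:\Users\Public\svc',
    'HiddenServicePort 3389 127.0.0.1:3389   # RDP',
    'HiddenServicePort 22',
    'HiddenServicePort 8080 127.0.0.1:8080',
    'ClientTransportPlugin obfs4 exec obfs4proxy.exe'
)
Test-TorrcLines $sample
```

Test-TorrcLines is kept free of file-system access so it can be run against captured config text from a memory dump or a ticket without touching a live host; the two Find-* functions are the only parts that need to run on the machine itself.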
The campaign aligns with espionage activity attributed to Eastern European actors targeting defense and government sectors. Security firms Cyble and Seqrite have noted tactical similarities with prior attacks by a group tracked as UAC-0125 by CERT-UA. Concealing the command channel inside Tor hidden services lets the attackers stay anonymous while retaining full control of compromised systems.