Operation SkyCloak: Tor campaign targets military of Russia & Belarus

Intel Name: Operation SkyCloak: Tor campaign targets military of Russia & Belarus

Date of Scan: November 5, 2025

Impact: High

Summary:
Our Labs team uncovered a campaign targeting military personnel in Russia and Belarus, particularly the Russian Airborne Forces and Belarusian Special Forces. The infection chain exposes multiple local services via Tor using obfs4 bridges, enabling anonymous communication through onion addresses. This blog examines the multi-stage PowerShell-based infection process, victim lures, and the use of hidden SSH services to maintain persistence. Several similar region-focused campaigns have emerged in 2025, including HollowQuill, which targeted Russian academic and defense-linked institutions. In July, a campaign dubbed CargoTalon targeted Russia’s aerospace and defense sectors, deploying the Eaglet implant with links to the HeadMare group. More recently, Operation MotorBeacon has focused on Russia’s automobile and e-commerce industries using the CAPI Backdoor.
