Shadow Pipelines: Deconstructing Sandworm’s Sophisticated SSH-over-Tor Persistence Framework
In a striking evolution of cyber-espionage tradecraft, the state-sponsored actor known as Sandworm (also identified as APT-C-13 or FROZENBARENTS) has unveiled a highly resilient method for maintaining long-term, covert access within high-value networks. By weaving together SSH tunneling and the Tor network, the group has moved beyond simple backdoors toward a fully anonymized remote access framework designed to render traditional perimeter defenses obsolete.
Active since 2014, Sandworm has a well-documented history of targeting critical infrastructure, including government entities, energy sectors, and research institutions. This latest campaign, detailed by the 360 Advanced Threat Research Institute, demonstrates a level of stealth achieved through a sophisticated blend of encryption and traffic obfuscation.
The Infection Vector: LNK-Based Multi-Stage Payloads
The attack lifecycle begins with highly targeted spear-phishing. The initial entry point is typically a ZIP archive containing a malicious Windows Shortcut (.LNK) file. To the unsuspecting user, these files are meticulously crafted to mimic legitimate PDF documents, leveraging social engineering to bypass initial skepticism.
Once executed, the LNK file initiates a complex, multi-stage infection chain:
- Payload Extraction: The script pulls hidden payloads from deeply nested archives to avoid simple static analysis.
- PowerShell Orchestration: A PowerShell-based control script serves as the primary engine, deploying various components and establishing persistence.
- Deceptive Red Herrings: To minimize suspicion, the malware simultaneously displays a legitimate-looking decoy PDF, masking the background installation processes from the victim.

The Technical Core: Dual-Layer SSH-over-Tor Tunneling
The most alarming aspect of this campaign is the implementation of a dual-layer encrypted tunnel. This isn’t just a standard Command and Control (C2) connection; it is a method of exposing internal network services to the dark web.
The architecture operates on two distinct layers:
- The Tor Layer: The malware establishes a Tor hidden service (.onion domain). This allows the attacker to expose internal services—such as SMB (Port 445) or RDP (Port 3389)—directly to their own machine via the Tor network.
- The SSH Layer: Within that Tor tunnel, an SSH service is deployed. By utilizing public key authentication, Sandworm ensures that even if the tunnel is discovered, only the authorized attacker can establish a session.
Because the SSH service is configured to listen only on localhost, it remains invisible to external port scanners. The attacker connects to the hidden onion address, which then routes the traffic internally to the victim’s RDP or SMB service, effectively “punching a hole” through the firewall from the inside out.

Evasion and Anti-Analysis Proactive Measures
To ensure longevity, Sandworm has integrated several layers of evasion technology designed to defeat both automated sandboxes and human forensic analysts:
- Environmental Fingerprinting: Upon execution, the script undergoes strict sandbox and VM detection. Interestingly, it uses the number of
.lnkfiles on the system as a heuristic to determine if it is running in a real user environment. - Traffic Obfuscation: The group utilizes Obfs4, a pluggable transport that disguises Tor traffic as random-looking TCP data, making it significantly harder for Deep Packet Inspection (DPI) tools to flag the connection.
- Persistence via Impersonation: Persistence is maintained through scheduled tasks that are masqueraded as legitimate background processes, such as Opera GX or Dropbox.
- Mutex Controls: To avoid system instability and double-detection, the malware uses mutexes to ensure only a single instance of the infection is active at any given time.

Defensive Implications and Strategic Recommendations
This shift from traditional backdoors to fully anonymized, modular remote access frameworks poses a significant challenge to the “Castle and Moat” security model. When an attacker can wrap internal protocols in layers of Tor and SSH, the perimeter becomes largely irrelevant.
To mitigate the risk of similar highly-stealthy incursions, security operations centers (SOCs) should prioritize the following:
- Endpoint Detection and Response (EDR): Monitor closely for suspicious scheduled task creation, especially those mimicking known commercial software.
- Network Traffic Analysis (NTA): Look for the “heartbeat” of Tor-like traffic or unusual outbound connections to known Tor entry nodes, even if obfuscated.
- Internal Service Hardening: Implement strict controls on internal RDP and SMB traffic to ensure lateral movement is difficult even if a tunnel is established.
- Identity-Centric Security: Given the use of public key authentication in these tunnels, robust management of local service accounts and SSH keys is vital.
As Sandworm continues to refine its ability to embed internal services into the dark web, proactive threat hunting and a Zero Trust architecture are no longer optional—they are essential for survival in the modern threat landscape.