ThreatCluster

Sandworm Leverages SSH-over-Tor for Covert Network Access

First seen 28 Apr 2026, 17:35 UTC GbhackersCybersecuritynews 89% similarity 73

Article Content

Browse articles
ThreatCluster

Sandworm (APT-C-13), a state-sponsored cyber threat group, has advanced its tactics by employing SSH-over-Tor tunneling to maintain long-term, covert access to targeted networks. This new technique represents a significant upgrade from previous methods, allowing for anonymous and encrypted communications. The group has historically targeted government entities, energy sectors, and research institutions since its inception in 2014. The attack typically initiates with spear-phishing campaigns to gain initial access. The full scope of the impact is still being assessed, but the shift in tactics indicates a more sophisticated approach to cyber espionage. Current reports suggest that this campaign is ongoing, with potential implications for national security and critical infrastructure. Specific tools and CVEs have not been disclosed in the articles, but the use of Tor suggests a focus on evasion and stealth.

Key Points: • Sandworm has adopted SSH-over-Tor tunneling for covert network access. • The group targets government, energy, and research sectors. • The attack begins with spear-phishing to gain initial access.

ThreatCluster AI

Timeline

2026-04-28
Sandworm's new SSH-over-Tor technique reported
Date unknown
Initial spear-phishing campaigns launched

Community

Browse all →