
Vortex Werewolf combines credential phishing with Tor-based persistence to gain stealthy, long-term access to critical networks, raising the risk of espionage and lateral movement within high-value government systems.
The emergence of Telegram-centric phishing reflects a broader shift toward exploiting popular messaging platforms for credential harvesting. Attackers craft convincing login facades that capture the victim's phone number, the one-time login code, and even the Telegram two-step verification ("cloud") password, which means the phish relays both authentication factors in real time rather than stopping at the password. The page then triggers the silent download of a malicious ZIP archive hosted on services like Dropbox. This approach sidesteps traditional email attachment filters and leverages the trust users place in familiar communication tools, making it effective even against well-trained personnel in government and defense sectors.
Technically, Vortex Werewolf executes an LNK-initiated PowerShell chain that first checks the environment, aborting on virtual machines or low-activity sandboxes. Once past these checks, it establishes persistence via scheduled tasks and deploys renamed binaries: photoshopexpress.exe for Tor, finalcutpro.exe for OpenSSH, and visualstudiocode.exe for obfs4proxy. The bundled OpenSSH server accepts key-only authentication, and a Tor hidden service, reached through obfs4 bridges, tunnels RDP, SMB, SFTP and SSH to it. The layering matters for defenders: the host only ever opens outbound connections to an obfs4 bridge, inbound operator sessions arrive through the hidden service rather than an exposed listener, so no inbound firewall rule is needed, and egress filtering sees a stream that carries no protocol signature. That gives the attackers a quiet, long-term foothold for lateral movement.
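As an added illustration (not code from the report, and not part of the attackers' toolkit), the following Python hunts for the persistence pattern just described over constructed endpoint telemetry. It assumes a pipeline that exports scheduled-task actions and process-creation events with each image's PE OriginalFilename resolved; the task names, paths and command lines in SAMPLE_EVENTS are invented for the example, and the Tor option names checked are real torrc options that Tor also accepts on the command line.

```python
"""Host-side hunt for renamed Tor/OpenSSH/obfs4proxy binaries run from
scheduled tasks, plus the LNK -> hidden PowerShell chain that installs them.

Input records are constructed for this example (assumption: telemetry that
exports scheduled-task actions and process-creation events and resolves the
PE 'OriginalFilename' of each image)."""
import ntpath
import re
from dataclasses import dataclass

# PE version-info names the real tools carry regardless of on-disk file name.
KNOWN_TOOLS = {"tor.exe", "sshd.exe", "obfs4proxy.exe"}

# Real Tor configuration options that only make sense for a hidden service
# or a pluggable-transport (obfs4) client; Tor accepts them as --Option.
TOR_OPTIONS = re.compile(
    r"(HiddenServiceDir|HiddenServicePort|ClientTransportPlugin|"
    r"ServerTransportPlugin|UseBridges|obfs4)", re.IGNORECASE)

# Locations a non-admin user can write to; legitimate services rarely live here.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Public)\\", re.IGNORECASE)

# PowerShell switches typical of a stealthy LNK payload.
PS_STEALTH = re.compile(
    r"(-w(indowstyle)?\s+hidden|-nop|-noni|-e(nc|ncodedcommand)?\s)", re.IGNORECASE)


@dataclass
class Event:
    kind: str                    # "task" (scheduled-task action) or "process"
    image: str                   # full path of the executed binary
    original_filename: str = ""  # from the PE VERSIONINFO block
    command_line: str = ""
    parent_image: str = ""
    task_name: str = ""


def hunt(events):
    """Return (severity, message) findings for the suspicious events."""
    findings = []
    for ev in events:
        name = ntpath.basename(ev.image).lower()
        orig = ev.original_filename.lower()
        # 1. Renamed binary: on-disk name disagrees with the PE's own name.
        if orig and orig != name:
            sev = "high" if orig in KNOWN_TOOLS else "medium"
            findings.append((sev, f"renamed binary {name} (PE OriginalFilename={orig})"))
        # 2. Hidden-service / pluggable-transport options on the command line.
        if TOR_OPTIONS.search(ev.command_line):
            findings.append(("high", f"Tor hidden-service/obfs4 option in command line of {name}"))
        # 3. Scheduled task whose action lives in a user-writable directory.
        if ev.kind == "task" and USER_WRITABLE.search(ev.image):
            findings.append(("medium", f"task {ev.task_name} runs {ev.image} from user-writable path"))
        # 4. explorer.exe -> powershell.exe with stealth switches (LNK-style launch).
        if (name in {"powershell.exe", "pwsh.exe"}
                and ntpath.basename(ev.parent_image).lower() == "explorer.exe"
                and PS_STEALTH.search(ev.command_line)):
            findings.append(("high", "hidden PowerShell spawned from explorer.exe (LNK-style launch)"))
    return findings


# Constructed sample telemetry mirroring the renamed-binary pattern.
SAMPLE_EVENTS = [
    Event(kind="task", task_name="AdobeUpdater",
          image=r"C:\Users\alice\AppData\Roaming\Adobe\photoshopexpress.exe",
          original_filename="tor.exe",
          command_line=(r'photoshopexpress.exe --HiddenServiceDir "C:\Users\alice\AppData\Roaming\Adobe\hs" '
                        r'--HiddenServicePort "3389 127.0.0.1:3389" --UseBridges 1 '
                        r'--ClientTransportPlugin "obfs4 exec visualstudiocode.exe"')),
    Event(kind="task", task_name="AppleUpdater",
          image=r"C:\Users\alice\AppData\Roaming\Apple\finalcutpro.exe",
          original_filename="sshd.exe",
          command_line="finalcutpro.exe -f sshd_config"),
    Event(kind="process",
          image=r"C:\Users\alice\AppData\Roaming\Adobe\visualstudiocode.exe",
          original_filename="obfs4proxy.exe",
          parent_image=r"C:\Users\alice\AppData\Roaming\Adobe\photoshopexpress.exe",
          command_line="visualstudiocode.exe"),
    Event(kind="process",
          image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          original_filename="PowerShell.EXE",
          parent_image=r"C:\Windows\explorer.exe",
          command_line="powershell.exe -nop -w hidden -enc SQBFAFgA"),
    Event(kind="task", task_name="MicrosoftEdgeUpdate",   # benign control record
          image=r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe",
          original_filename="MicrosoftEdgeUpdate.exe",
          command_line="MicrosoftEdgeUpdate.exe /c"),
]

if __name__ == "__main__":
    for severity, message in hunt(SAMPLE_EVENTS):
        print(f"[{severity}] {message}")
```

The OriginalFilename mismatch is the cheapest and most robust of the four rules, because the attackers renamed the files but did not rebuild them; an actor who strips or forges the version resource defeats it, so the command-line and path rules are kept as independent signals.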
For defenders, the blend of social engineering and network tunneling poses a dual detection challenge. Because the phishing facade harvests the login code and the two-step password along with the phone number, enforcing MFA on Telegram and cloud services raises the bar but does not by itself stop a real-time relay; user awareness of the lure and monitoring for the follow-on ZIP download from file-sharing services matter as much. On the network side, obfs4 is built to have no signature, so the useful indicator is a long-lived outbound connection that carries no recognizable protocol at all rather than a "Tor pattern". Hardening RDP and SMB endpoints, disabling unused services, and regularly auditing scheduled tasks help mitigate post-compromise persistence. Sharing IOCs such as the SHA-256 hashes published for the campaign across threat-intel platforms accelerates collective response and reduces the window of exposure for organizations targeted by this campaign.
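To make the "anomalous Tor traffic" advice concrete, here is an added Python heuristic (not from the report or any vendor product) that scores flow records the way a network sensor might: obfs4 deliberately makes every byte look uniformly random, so a long-lived outbound TCP flow whose first payload has no recognizable protocol preamble yet near-maximal byte entropy is worth a look. The Flow records, thresholds and the pseudo-random stand-in for an obfs4 handshake are all constructed for the example.

```python
"""Flow-level heuristic for spotting obfs4-style tunnels.

obfs4 has no signature: handshake and stream are made to look uniformly
random. That absence of structure is itself observable when a long-lived
outbound flow (a) starts with no recognisable protocol preamble and
(b) carries near-maximal byte entropy from its first segment.
All flow records and payloads below are constructed for this example."""
import hashlib
import math
from collections import Counter
from dataclasses import dataclass


@dataclass
class Flow:
    dst_port: int
    duration_s: float    # how long the connection stayed up
    first_bytes: bytes   # client's first payload segment


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum for byte-valued data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_preamble(data: bytes) -> str:
    """Cheap protocol identification from the first payload bytes."""
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        return "tls"     # TLS record layer: handshake, version 3.x
    if data.startswith(b"SSH-"):
        return "ssh"
    if data.split(b" ", 1)[0] in {b"GET", b"POST", b"HEAD", b"PUT", b"CONNECT", b"OPTIONS"}:
        return "http"
    return "unknown"


MIN_DURATION_S = 300.0    # assumption: obfs4 circuits stay up; tune per site
ENTROPY_THRESHOLD = 7.0   # assumption: plaintext protocols sit well below this
MIN_SAMPLE = 256          # entropy on fewer bytes is too noisy to trust


def is_obfs4_candidate(flow: Flow) -> bool:
    """True for long-lived flows with no protocol preamble and random-looking bytes."""
    if classify_preamble(flow.first_bytes) != "unknown":
        return False
    if flow.duration_s < MIN_DURATION_S or len(flow.first_bytes) < MIN_SAMPLE:
        return False
    return shannon_entropy(flow.first_bytes) >= ENTROPY_THRESHOLD


def pseudo_random(n: int, seed: bytes = b"obfs4-demo") -> bytes:
    """Deterministic high-entropy bytes standing in for an obfs4 handshake."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


# Constructed flows: one obfs4-like, one TLS, one HTTP, one short random burst.
SAMPLE_FLOWS = {
    "obfs4_like": Flow(dst_port=8443, duration_s=3600, first_bytes=pseudo_random(1024)),
    "tls": Flow(dst_port=443, duration_s=3600,
                first_bytes=b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03" + pseudo_random(1000)),
    "http": Flow(dst_port=80, duration_s=10,
                 first_bytes=b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"),
    "short_random": Flow(dst_port=8443, duration_s=2, first_bytes=pseudo_random(1024)),
}


def triage(flows):
    """Names of the flows that deserve analyst attention, sorted."""
    return sorted(name for name, flow in flows.items() if is_obfs4_candidate(flow))


if __name__ == "__main__":
    for name, flow in SAMPLE_FLOWS.items():
        print(f"{name:13s} preamble={classify_preamble(flow.first_bytes):8s} "
              f"entropy={shannon_entropy(flow.first_bytes):.2f} "
              f"flag={is_obfs4_candidate(flow)}")
```

This is a heuristic, not a signature: other protocols that start with random-looking bytes (proprietary VPNs, some game or chat transports) will trip it, and it sees nothing once obfs4 is wrapped inside a real TLS session. Treat a hit as a pivot point to the host-side evidence (scheduled tasks, renamed binaries) rather than as proof on its own.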