Cybersecurity and Information Warfare

State-Backed Cyber Espionage Uses Belarusian Military Lure to Deploy Advanced SSH-Tor Backdoor on Defense Networks

In October 2025, cybersecurity researchers at Cyble uncovered a sophisticated state-sponsored cyber espionage campaign targeting defense personnel, particularly those involved in unmanned aerial vehicle (UAV) operations within the Belarusian military. The attackers distributed weaponized ZIP archives masquerading as Belarusian military documents, which deployed an advanced multi-protocol SSH-Tor backdoor. This malware leverages OpenSSH for Windows combined with a customized Tor hidden service using obfs4 obfuscation, enabling anonymous and persistent access via SSH, RDP, SFTP, and SMB. The infection chain involves nested ZIP files and LNK file disguises with anti-analysis checks designed to evade sandbox detection. Attributed with moderate confidence to the Russian-linked UAC-0125/Sandworm (APT44) group, this campaign shows technical and tactical links to their December 2024 Army+ malware operations. The attackers employ advanced evasion, persistence via scheduled tasks, and pre-generated cryptographic keys, highlighting an ongoing evolution in targeted espionage against Eastern European military UAV capabilities.
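As an added example from the defender's side (not code from Cyble's report or from the campaign's tooling), the routine below triages a ZIP attachment for the lure pattern described above: nested archives carrying a `.lnk` shortcut named like a document, plus any executable content. The extension lists, depth limits and the sample archive are constructed assumptions, not indicators published by Cyble.

```python
import io
import zipfile

# Constructed heuristics (assumptions for this example, not published IoCs).
ARCHIVE_EXT = (".zip",)
SHORTCUT_EXT = (".lnk",)
EXEC_EXT = (".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs", ".js")
DOC_EXT = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")
MAX_DEPTH = 3       # stop descending into nested archives past this depth
MAX_ENTRIES = 500   # guard against decompression bombs

def scan_archive(data: bytes, depth: int = 0, path: str = "<root>") -> list:
    """Return human-readable findings for one ZIP, recursing into nested ZIPs."""
    findings = []
    if depth > MAX_DEPTH:
        return [f"{path}: nesting deeper than {MAX_DEPTH}, not descended"]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"{path}: not a valid ZIP"]
    with zf:
        infos = zf.infolist()
        if len(infos) > MAX_ENTRIES:
            return [f"{path}: more than {MAX_ENTRIES} entries, skipped"]
        for info in infos:
            full = f"{path}/{info.filename}"
            lower = info.filename.lower()
            stem = lower.rsplit(".", 1)[0] if "." in lower else lower
            if lower.endswith(SHORTCUT_EXT):
                # "report.pdf.lnk": a shortcut wearing a document's name is the LNK disguise
                tag = "disguised-as-document" if stem.endswith(DOC_EXT) else "shortcut"
                findings.append(f"{full}: LNK shortcut ({tag})")
            elif lower.endswith(EXEC_EXT):
                findings.append(f"{full}: executable content in document archive")
            elif lower.endswith(ARCHIVE_EXT):
                findings.append(f"{full}: nested archive (depth {depth + 1})")
                findings.extend(scan_archive(zf.read(info), depth + 1, full))
    return findings

def build_sample_lure() -> bytes:
    """Constructed sample: outer ZIP -> inner ZIP -> decoy PDF plus document-named .lnk."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Order_UAV_training.pdf.lnk", b"L\x00\x00\x00" + b"\x00" * 16)
        z.writestr("Order_UAV_training.pdf", b"%PDF-1.4 decoy")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Documents.zip", inner.getvalue())
    return outer.getvalue()
```

Running `scan_archive(build_sample_lure())` reports the nested archive and the disguised shortcut while staying silent on the decoy PDF; the same function can be pointed at real mail-gateway captures by reading the attachment bytes.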
