APT-C-13 Phishing Campaign: Multi-Stage LNK and Tor Tunneling Tactics

The global threat landscape in 2026 has been marked by a significant escalation in the sophistication of state-sponsored cyber-espionage. At the forefront of this evolution is the latest APT-C-13 Phishing Campaign, a highly orchestrated operation that has redefined the boundaries of stealthy persistence. Traditionally associated with the “Confucius” threat group, recent technical disclosures suggest a dramatic shift in their tactics, techniques, and procedures (TTPs), moving away from simplistic credential harvesters toward complex, multi-stage infection chains that weaponize legitimate privacy tools like Tor and SSH.
This latest campaign, detailed by security researchers on April 25, 2026, uses a multi-layered delivery mechanism built on malicious LNK files inside ZIP archives. By leveraging the trust users place in shortcut files and the routine use of compressed archives in corporate communications, APT-C-13 has been getting past traditional email gateway filters. The notable part, however, is not the lure but the post-exploitation phase: a recursive decompression routine meant to outlast sandbox analysis windows, and a dual-layered Tor-plus-SSH tunnel that makes inbound firewall filtering irrelevant, because every connection is initiated outbound by the victim.
Anatomy of the APT-C-13 Phishing Campaign: The LNK Vector
The APT-C-13 Phishing Campaign begins with meticulously crafted spear-phishing emails. These emails often masquerade as urgent business communications, such as “Internal Policy Updates,” “Project Specifications,” or “Urgent Invoice Discrepancies.” The attachment is a ZIP archive, which contains the primary infection vector: a weaponized LNK (Windows Shortcut) file. While many modern security solutions flag executables (.exe) or scripts (.ps1), LNK files often fly under the radar because they are frequently used for legitimate administrative tasks.
Upon execution, the LNK file does not directly download a payload—a common trigger for behavioral analysis. Instead, it executes a series of obfuscated command-line instructions designed to locate “decoy” archives that have been surreptitiously placed in the user’s configuration directories (such as %AppData% or %LocalAppData%) during the initial extraction or through a secondary background process. This multi-stage approach ensures that the malicious intent is only revealed once the environment is deemed “safe” by the malware’s internal logic.
Recursive Decompression: Defeating the Sandbox
One of the most technically impressive aspects of the current APT-C-13 Phishing Campaign is its approach to sandbox evasion. Most automated sandboxes and threat emulation environments have a “timeout” or a “depth limit” when scanning archives. APT-C-13 exploits this by using a recursive search and decompression routine. The LNK file triggers a script that:
- Searches recursively through subdirectories for specific, innocuous-looking archives.
- Decompresses these archives multiple times (often four or five layers deep).
- Only extracts the final malicious components—a lightweight SSH server and a Tor client—to a specific, non-standard directory.
By forcing the system to perform repetitive, time-consuming decompression across several file paths, the malware often outlasts the sandbox's analysis window. If the sandbox does not reach the final layer within its typical three-to-five-minute cycle, many pipelines record an inconclusive run as clean rather than as suspicious, and the sample is delivered to the real victim. The defensive counter is to treat "archive nesting exceeded the analysis budget" as a finding in its own right rather than as a pass.
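To make the depth-limit problem concrete, here is an added example (not a script from the campaign or from the researchers who reported it): it builds a constructed five-layer nested ZIP in memory, then unpacks it under an explicit depth budget and byte budget. The budget values are assumptions. The point is that a triage tool which reports "the chain continues past my limit" gives the analyst something to act on, where a sandbox that silently times out does not.

```python
"""Bounded recursive unpacking of nested ZIP archives.

Added example for this article, not a script from the campaign or the
researchers. It constructs, in memory, a five-layer nested ZIP like the
one described, then unpacks it under explicit depth and byte budgets so a
triage tool reaches the innermost payload, or reports exactly where it
stopped, instead of silently timing out.
"""
import io
import zipfile

MAX_DEPTH = 8                        # assumed budget: deepest archive level opened (outer file is 0)
MAX_TOTAL_BYTES = 50 * 1024 * 1024   # assumed budget: guards against decompression bombs


def build_nested_zip(layers, payload_names):
    """Constructed sample: payload_names wrapped in `layers` outer ZIPs.

    Every wrapper also carries a decoy README so the chain looks like an
    ordinary document bundle at each level.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in payload_names:
            zf.writestr(name, b"MZ" + b"\x00" * 64)  # placeholder bytes, not code
    data = buf.getvalue()
    for i in range(layers):
        outer = io.BytesIO()
        with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(f"layer{i}/Policy_Update_{i}.zip", data)
            zf.writestr(f"layer{i}/README.txt", b"decoy text")
        data = outer.getvalue()
    return data


def _deepest(leaves):
    return max((depth for _, depth, _ in leaves), default=0)


def unpack(data, max_depth=MAX_DEPTH, max_total=MAX_TOTAL_BYTES):
    """Breadth-first walk of nested ZIPs under a depth and a byte budget.

    Returns {"leaves": [(path, depth, size), ...], "deepest": int,
             "truncated": bool}. The outer attachment is depth 0, its members
    depth 1, and so on. An archive that would exceed max_depth is listed as an
    unopened leaf and truncated is set, so the analyst sees that the chain
    continues rather than getting a clean-looking result.
    """
    if not zipfile.is_zipfile(io.BytesIO(data)):
        raise ValueError("input is not a ZIP archive")
    leaves, truncated, total = [], False, 0
    queue = [(data, 0, "")]  # (archive bytes, depth of this archive, path prefix)
    while queue:
        blob, depth, prefix = queue.pop(0)
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                total += info.file_size  # declared size, checked before reading
                if total > max_total:
                    return {"leaves": leaves, "deepest": _deepest(leaves),
                            "truncated": True}
                path = f"{prefix}/{info.filename}" if prefix else info.filename
                child = zf.read(info)
                if zipfile.is_zipfile(io.BytesIO(child)):
                    if depth + 1 <= max_depth:
                        queue.append((child, depth + 1, path))
                        continue
                    truncated = True  # nested archive left unopened
                leaves.append((path, depth + 1, len(child)))
    return {"leaves": leaves, "deepest": _deepest(leaves), "truncated": truncated}


def final_components(result):
    """Basenames of the files at the deepest layer reached: the 'final' stage."""
    d = result["deepest"]
    return sorted(p.rsplit("/", 1)[-1] for p, depth, _ in result["leaves"] if depth == d)


if __name__ == "__main__":
    sample = build_nested_zip(5, ["sshd.exe", "tor.exe", "torrc"])
    full = unpack(sample)
    print(f"{full['deepest']} layers, final components: {final_components(full)}")
    shallow = unpack(sample, max_depth=3)
    print(f"depth budget 3: truncated={shallow['truncated']}, "
          f"stopped at depth {shallow['deepest']}")
```

Run against the constructed sample, the full walk reaches the three payload names at depth 6, while a budget of 3 stops at depth 4 and reports the chain as truncated; either outcome is a usable triage result, which is the property a time-boxed sandbox lacks.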
Establishing Stealth Persistence: The Scheduled Task Strategy
Once the components are successfully staged on the victim’s filesystem, the infection chain culminates in the creation of two specific scheduled tasks using the Windows Task Scheduler. These tasks are the pillars of the attacker’s persistence mechanism, ensuring that the backdoor remains active even after system reboots.
- The TOR Task: This task launches a pre-configured Tor binary. Unlike typical botnets that use Tor only for Command and Control (C2) heartbeats, APT-C-13 uses the HiddenServicePort feature, which turns the victim's machine into a Tor onion service ("hidden service") reachable from anywhere in the Tor network.
- The SSH Task: This task starts a lightweight, often custom-compiled SSH server configured to listen only on the loopback interface (127.0.0.1). Bound that way it is invisible to external port scans, yet the local Tor process can still connect to it and forward inbound onion traffic to it.
The synergy between these two tasks creates a "Reverse Onion Tunnel." The Tor task generates a unique .onion address for each victim. The attacker connects to that address from anywhere, and the Tor network routes the connection to the victim's Tor client, which hands it to the local SSH server. No inbound firewall rule is ever consulted, because the only connection the victim host makes is outbound to its Tor guard.
Weaponizing HiddenServicePort for RDP and SMB
The technical brilliance—and danger—of the APT-C-13 Phishing Campaign lies in how it handles internal network services. The torrc configuration file deployed by the attackers includes specific directives to map critical local ports to the Onion service. Specifically, the researchers identified the following mappings:
Example Tor Configuration (torrc; in a real torrc the annotations must be # comments, as shown here):
HiddenServiceDir C:\Users\Public\Documents\tor\service_identity\
HiddenServicePort 3389 127.0.0.1:3389   # Remote Desktop Protocol
HiddenServicePort 445 127.0.0.1:445     # Server Message Block / File Sharing
By mapping port 3389 (RDP) and port 445 (SMB) to the onion address, the attackers get interactive desktop and file-share access to the host and can pivot from it into the internal network. Audits that look for "unauthorized RDP connections from the internet" see nothing, because on the victim the RDP session arrives from the local Tor process, so the logon's source address is the host's own 127.0.0.1. That is also the detection opportunity: a remote-interactive logon (Security Event ID 4624, LogonType 10) whose source address is loopback is not something a legitimate user produces. The technique exposes internal services to the Tor network without opening a single port on the enterprise edge router.
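The following is an added example, not tooling from the campaign or the page: a small torrc audit that parses HiddenServiceDir and HiddenServicePort directives and flags onion services that publish local ports from an assumed sensitive-port list. The sample torrc is constructed from the mappings quoted above plus the two shorthand TARGET forms Tor accepts (a bare port, and no target at all). On a suspect host, the torrc worth reading is the one the scheduled task passes to tor.exe with -f.

```python
"""Audit a torrc for onion services that publish local ports.

Added example for this article, not tooling from the campaign. It parses the
HiddenServiceDir and HiddenServicePort directives quoted above and flags any
onion service that forwards to a port from an assumed sensitive-port list.
Target resolution follows Tor's documented rules: a missing TARGET means
127.0.0.1:VIRTPORT, and a bare port means 127.0.0.1:<port>.
"""

# Assumed policy list for an endpoint; tune to the environment.
SENSITIVE_PORTS = {22: "SSH", 445: "SMB", 3389: "RDP", 5985: "WinRM", 5986: "WinRM over TLS"}

SAMPLE_TORRC = """\
# constructed sample modelled on the mappings the article quotes,
# plus the two shorthand forms Tor accepts for TARGET
HiddenServiceDir C:\\Users\\Public\\Documents\\tor\\service_identity\\
HiddenServicePort 3389 127.0.0.1:3389
HiddenServicePort 445 127.0.0.1:445
HiddenServicePort 80 8080
HiddenServicePort 22
"""


def _resolve_target(virtport, target):
    """Apply torrc defaults to the optional TARGET field."""
    if target is None:
        return "127.0.0.1", virtport
    if target.startswith("unix:"):
        return target, None                  # unix socket target, no TCP port
    if ":" in target:
        host, port = target.rsplit(":", 1)   # handles [::1]:22 as well
        return host, int(port)
    return "127.0.0.1", int(target)


def parse_torrc(text):
    """Return [{"dir": str, "ports": [(virtport, host, port), ...]}, ...]."""
    services, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # comments run to end of line
        if not line:
            continue
        parts = line.split()
        key, args = parts[0].lower(), parts[1:]    # option names are case-insensitive
        if key == "hiddenservicedir":
            current = {"dir": " ".join(args), "ports": []}
            services.append(current)
        elif key == "hiddenserviceport":
            if current is None:
                raise ValueError("HiddenServicePort before any HiddenServiceDir")
            virt = int(args[0])
            host, port = _resolve_target(virt, args[1] if len(args) > 1 else None)
            current["ports"].append((virt, host, port))
    return services


def audit(services, sensitive=SENSITIVE_PORTS):
    """One finding string per mapping that lands on a sensitive local port."""
    findings = []
    for svc in services:
        for virt, host, port in svc["ports"]:
            if port in sensitive:
                findings.append(
                    f"{svc['dir']}: onion port {virt} -> {host}:{port} ({sensitive[port]})")
    return findings


if __name__ == "__main__":
    for line in audit(parse_torrc(SAMPLE_TORRC)):
        print("FINDING", line)
```

On the constructed sample this yields three findings (RDP, SMB and the bare-port SSH mapping) and correctly ignores the 80 -> 8080 forward; the shorthand handling matters because an operator who writes `HiddenServicePort 22` has exposed local SSH just as surely as one who spells out the target.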
The SSH Layer: Access Control and Encryption
To further secure their backdoor against discovery by other threat actors or blue teamers, APT-C-13 enables public-key authentication (PubkeyAuthentication) on the SSH server and adds the operators' public key to the authorized_keys file on the victim. With password authentication disabled, a researcher who discovers the local SSH server and the onion address still cannot log in without the corresponding private key, which only the APT-C-13 operators hold.
Furthermore, the group uses custom SSH Subsystem configurations. In OpenSSH terms, a Subsystem directive maps a name that the connecting client requests (sftp is the familiar built-in case) to a specific binary or script, so the operators can invoke their own tools over the session without ever opening an interactive shell; a ForceCommand directive achieves a similar effect by running a fixed command on every login. Either way no cmd.exe or PowerShell process is spawned, so the usual forensic footprints of an interactive session are absent, although the SSH server's own connection log remains. The SSH session's AES-256 encryption, wrapped inside the layered encryption of the Tor network, leaves Deep Packet Inspection (DPI) tools with nothing to inspect beyond a long-lived encrypted session to a Tor relay.
Strategic Implications for Network Defense
The emergence of the APT-C-13 Phishing Campaign signals a move toward "Network-Agnostic" espionage. Historically, defenders relied on the trust boundary: the internal network sits behind a firewall that blocks unsolicited inbound traffic. APT-C-13's use of Tor onion services sidesteps this model. The victim makes an ordinary outbound TCP connection to a Tor guard, frequently on port 443, which default-allow egress policies treat like any other encrypted web session.
This creates a permanent, encrypted, and anonymous bi-directional bridge. For a SOC (Security Operations Center), detecting this requires a shift in focus from inbound blocking to outbound behavioral analysis. The presence of Tor traffic within a corporate environment that does not explicitly require it should now be considered a High-Severity indicator of compromise.
Mitigation Strategies and Indicators of Compromise (IoCs)
Defending against the APT-C-13 Phishing Campaign requires a multi-faceted approach that addresses both the initial infection vector and the stealthy persistence mechanism. Organizations are encouraged to implement the following controls:
- Block Tor Relays at the Perimeter: The victim's Tor client must reach a guard relay, and the full relay list is public in the Tor consensus, so blocking those IPs (or alerting on connections to them) disrupts the tunnel. Exit-node lists do not help here: exits are where Tor traffic leaves the network, not what a client connects to. Expect the actor to fall back to unlisted bridges or pluggable transports, so treat this as a detection opportunity rather than a complete block.
- Monitor Scheduled Task Creation: Security Event ID 4698 (task created; written only when the "Audit Other Object Access Events" subcategory is enabled) should be watched for tasks whose action runs a binary from AppData, ProgramData, or Users\Public. Where that subcategory is off, Event ID 106 in the Microsoft-Windows-TaskScheduler/Operational log still records each registration, though without the full task XML.
- LNK File Restrictions: Windows has no single policy switch that blocks shortcut execution. The practical controls are stripping or quarantining .lnk files found inside archives at the mail gateway, and AppLocker or WDAC rules that constrain what a shortcut can launch (for example cmd.exe, powershell.exe or wscript.exe acting on content under user-writable paths).
- Endpoint Detection and Response (EDR): Deploy EDR capable of flagging abuse of built-in tools, such as the Windows OpenSSH client (ssh.exe) or an unexpected sshd, alongside dropped binaries like tor.exe, especially when they are started by a scheduled task from a user-writable directory.
- Network Traffic Analysis (NTA): Look for long-lived encrypted outbound sessions to hosts in the published Tor relay list, or to destinations that do not correspond to any known service. Tor guards commonly listen on 443 or 9001, so do not rely on the port alone.
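As an added example (not part of the original article), the two audit-log checks above applied to constructed event records in the key/value shape a SIEM typically exports: Event 4698 task definitions are parsed for Exec actions that run from a user-writable path or launch a binary on an assumed tunnel watchlist, and Event 4624 LogonType 10 (RDP) logons sourced from loopback are flagged, since that is how RDP reaching the host through the local Tor proxy presents itself. The task XML namespace is the real Task Scheduler schema; the event records themselves are constructed.

```python
"""Triage Windows Security events for the persistence pattern described.

Added example for this article, not detection content from the page. It runs
two checks over constructed event records in the key/value shape a SIEM
typically exports: Event 4698 task definitions whose Exec action runs from a
user-writable path or launches a binary on an assumed tunnel watchlist, and
Event 4624 LogonType 10 (RDP) logons sourced from loopback, which is how RDP
arriving through the local Tor proxy presents itself on the victim.
"""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Users\\Public)\\", re.I)
TUNNEL_BINARIES = {"tor.exe", "ssh.exe", "sshd.exe", "plink.exe"}  # assumed watchlist
LOOPBACK = {"127.0.0.1", "::1"}

TOR_TASK_XML = """<?xml version="1.0"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\Public\\Documents\\tor\\tor.exe</Command>
      <Arguments>-f C:\\Users\\Public\\Documents\\tor\\torrc</Arguments>
    </Exec>
  </Actions>
</Task>"""

DEFRAG_TASK_XML = """<?xml version="1.0"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec><Command>%windir%\\system32\\defrag.exe</Command><Arguments>-c -h -o -$</Arguments></Exec>
  </Actions>
</Task>"""

SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"EventID": 4698, "SubjectUserName": "jdoe",
     "TaskName": "\\Microsoft\\Windows\\Update\\TorSvc", "TaskContent": TOR_TASK_XML},
    {"EventID": 4698, "SubjectUserName": "SYSTEM",
     "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "TaskContent": DEFRAG_TASK_XML},
    {"EventID": 4624, "TargetUserName": "jdoe", "LogonType": "10",
     "IpAddress": "127.0.0.1", "WorkstationName": "WS-0042"},
    {"EventID": 4624, "TargetUserName": "jdoe", "LogonType": "10",
     "IpAddress": "10.20.30.40", "WorkstationName": "ADMIN-PC"},
]


def task_actions(task_xml):
    """Return [(command, arguments), ...] for each Exec action in a task definition."""
    root = ET.fromstring(task_xml)
    actions = []
    for ex in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = (ex.findtext("t:Command", default="", namespaces=TASK_NS) or "").strip()
        args = (ex.findtext("t:Arguments", default="", namespaces=TASK_NS) or "").strip()
        actions.append((cmd, args))
    return actions


def check_task_creation(ev):
    """Flag 4698 events whose action runs from a user-writable path or is a tunnel binary."""
    hits = []
    for cmd, args in task_actions(ev["TaskContent"]):
        base = cmd.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        reasons = []
        if USER_WRITABLE.search(cmd):
            reasons.append("runs from user-writable path")
        if base in TUNNEL_BINARIES:
            reasons.append(f"tunnel binary {base}")
        if reasons:
            hits.append(f"4698 {ev['TaskName']} by {ev['SubjectUserName']}: "
                        f"{cmd} {args} [{'; '.join(reasons)}]")
    return hits


def check_logon(ev):
    """Flag remote-interactive (RDP) logons whose source address is loopback."""
    if ev.get("LogonType") == "10" and ev.get("IpAddress") in LOOPBACK:
        return [f"4624 RDP logon for {ev['TargetUserName']} from loopback {ev['IpAddress']} "
                f"(workstation {ev.get('WorkstationName', '?')}): RDP reached via a local proxy"]
    return []


def triage(events):
    findings = []
    for ev in events:
        if ev["EventID"] == 4698:
            findings.extend(check_task_creation(ev))
        elif ev["EventID"] == 4624:
            findings.extend(check_logon(ev))
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print("ALERT", line)
```

Against the constructed records this raises two alerts, the Tor task under Users\Public and the loopback RDP logon, and stays quiet on the stock defrag task and the RDP session from an internal admin workstation. The loopback check is the cheaper of the two to deploy: it needs no watchlist, only the 4624 fields every domain-joined host already produces.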
The APT-C-13 Phishing Campaign is a stark reminder that threat actors are constantly refining their craft to exploit the complexity of modern operating systems. By combining the "Old School" reliability of LNK phishing with "New School" techniques like Tor HiddenServicePort mapping and SSH public-key authentication, APT-C-13 has created a blueprint for persistent, hard-to-detect access that will likely be mimicked by other groups in the years to come. Only through rigorous auditing of outbound traffic and host logons, and a "Zero Trust" approach to internal services, can organizations hope to mitigate the risks posed by such advanced persistent threats.
Written by
TempMail Ninja
Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.


