Summary: The Russian military cyber-espionage group Sandworm (APT44), also tracked as UAC-0113 and Seashell Blizzard, has been actively targeting Windows users in Ukraine with trojanized Microsoft Key Management Service (KMS) activators and fake Windows updates. These attacks, which likely began in late 2023, have been linked to Sandworm by EclecticIQ analysts based on overlapping infrastructure, the group's frequently observed tactics, techniques, and procedures (TTPs), and the registration of malicious domains with ProtonMail accounts, a known tactic of the group. The attackers use a malware loader known as BACKORDER to deploy DarkCrystal RAT, a remote access Trojan previously observed in Sandworm operations. Debug symbols in the malware's code indicate a Russian-language build environment, further reinforcing the attribution to Russian military intelligence operatives.
EclecticIQ researchers identified seven distinct malware distribution campaigns that share similar lures and tactics. The most recent attack, observed on January 12, 2025, leveraged a typo-squatted domain to trick victims into downloading malware disguised as a legitimate Windows update. Once installed, the trojanized KMS activation tool presents a fake Windows activation interface while secretly disabling Windows Defender, executing a malware loader, and ultimately delivering the RAT payload. This allows the attackers to exfiltrate sensitive information, including keystrokes, browser cookies, saved credentials, FTP login details, system configurations, and screenshots, all of which are sent to attacker-controlled servers for further exploitation.
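The chain described above (activator runs, Windows Defender is switched off, loader and RAT follow) leaves host telemetry that a monitoring team can alert on before the RAT payload does any harm. The script below is an added example written for this bulletin, not code from EclecticIQ, BleepingComputer, or the campaign itself. It scans JSON-lines event records for two Defender tampering signals: Defender operational-log event IDs 5001, 5010 and 5012 (protection or scanning disabled) and Sysmon Event ID 13 writes that set a Defender policy kill-switch value to 1. The field names (`ts`, `host`, `channel`, `event_id`, `details`) are an assumed forwarder schema, and every sample log line is constructed for the example.

```python
"""Flag Windows Defender tampering in forwarded Windows event records.

Assumed input: JSON lines, one record per line, with fields "ts", "host",
"channel", "event_id" and (for Sysmon) "details". This field layout is an
assumption about the log forwarder, not a fixed Windows format.
"""
import json
from collections import defaultdict

# Defender operational-log events that mean protection was turned off.
DEFENDER_CHANNEL = "Microsoft-Windows-Windows Defender/Operational"
DEFENDER_DISABLE_EVENTS = {
    5001: "real-time protection disabled",
    5010: "anti-malware scanning disabled",
    5012: "anti-virus scanning disabled",
}

# Sysmon Event ID 13 = registry value set. Values under the Defender policy
# key that disable protection when set to 1.
SYSMON_CHANNEL = "Microsoft-Windows-Sysmon/Operational"
DEFENDER_POLICY_PREFIX = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"
DEFENDER_KILL_SWITCHES = {
    "DisableAntiSpyware",
    "DisableRealtimeMonitoring",
    "DisableBehaviorMonitoring",
}

# Constructed sample records (not real telemetry): a benign Defender heartbeat,
# a policy kill-switch write, a real-time-protection-off event, and an
# unrelated Run-key write on another host.
SAMPLE_LOGS = r"""
{"ts": "2025-01-12T09:14:02Z", "host": "WS-UA-017", "channel": "Microsoft-Windows-Windows Defender/Operational", "event_id": 1150}
{"ts": "2025-01-12T09:15:40Z", "host": "WS-UA-017", "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 13, "details": {"TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware", "Details": "DWORD (0x00000001)", "Image": "C:\\Users\\user\\Downloads\\kms-activator.exe"}}
{"ts": "2025-01-12T09:15:41Z", "host": "WS-UA-017", "channel": "Microsoft-Windows-Windows Defender/Operational", "event_id": 5001}
{"ts": "2025-01-12T09:20:00Z", "host": "WS-UA-022", "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 13, "details": {"TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive", "Details": "C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe", "Image": "C:\\Windows\\explorer.exe"}}
"""


def _registry_kill_switch(details):
    """Return a finding if a Sysmon EID 13 record sets a Defender kill switch to 1."""
    target = details.get("TargetObject", "")
    if not target.startswith(DEFENDER_POLICY_PREFIX):
        return None
    name = target.rsplit("\\", 1)[-1]
    if name not in DEFENDER_KILL_SWITCHES:
        return None
    # Sysmon renders DWORD data as "DWORD (0x00000001)".
    value = details.get("Details", "").lower()
    if value.endswith("(0x00000001)") or value == "1":
        return f"registry {name} set to 1 by {details.get('Image', '?')}"
    return None


def classify(record):
    """Return a finding string for a tampering indicator, or None for a benign record."""
    channel = record.get("channel")
    eid = record.get("event_id")
    if channel == DEFENDER_CHANNEL and eid in DEFENDER_DISABLE_EVENTS:
        return f"defender event {eid}: {DEFENDER_DISABLE_EVENTS[eid]}"
    if channel == SYSMON_CHANNEL and eid == 13:
        return _registry_kill_switch(record.get("details", {}))
    return None


def scan(log_text):
    """Parse JSON lines and return (ts, host, finding) tuples for every indicator."""
    findings = []
    for line in log_text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a malformed line instead of aborting the whole scan
        finding = classify(record)
        if finding:
            findings.append((record.get("ts"), record.get("host"), finding))
    return findings


def hosts_by_indicator_count(findings):
    """Count indicators per host: a policy write followed by a 5001 event on the
    same host is a much stronger signal than either one alone."""
    counts = defaultdict(int)
    for _, host, _ in findings:
        counts[host] += 1
    return dict(counts)


if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for ts, host, finding in found:
        print(ts, host, finding)
    print(hosts_by_indicator_count(found))
```

On the constructed sample, only WS-UA-017 is reported, with two indicators a second apart; the unrelated Run-key write on WS-UA-022 is ignored. In production the same two-stage pattern (policy value written by a user-writable executable, then Defender reporting itself disabled) is what to escalate first, since it matches the activator behaviour the summary describes rather than an administrator's deliberate configuration change.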
Security Officer Comments: Sandworm's reliance on malicious Windows activators is a strategic move, exploiting the widespread use of pirated software in Ukraine, particularly within government entities and critical infrastructure sectors. By embedding malware in widely used activation tools, the group gains access to a large number of compromised machines, enabling large-scale espionage, data theft, and potential network disruption. This tactic presents a significant national security risk to Ukraine, as it allows Russian intelligence to infiltrate sensitive systems and exfiltrate critical data. Sandworm, a unit of Russia's GRU Military Unit 74455, has a long history of conducting cyber operations against Ukraine, often focusing on destructive attacks that aim to disrupt government, military, and private sector operations.
Suggested Corrections: Organizations can make APT groups' lives more difficult. Here's how:
- Defense-in-depth strategy: A comprehensive defense-in-depth strategy is crucial to combat APTs. This includes implementing multiple layers of security controls, such as strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies.
- Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques can help detect and mitigate attacks more effectively.
- Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices.
- Incident response and recovery: Despite preventive measures, organizations should have a well-defined incident response plan. This includes incident detection, containment, eradication, and recovery procedures to minimize the impact of APT attacks and restore normal operations.
Link(s):
https://www.bleepingcomputer.com/ne...ploy-malicious-windows-activators-in-ukraine/
https://blog.eclecticiq.com/sandwor...activation-tools-in-cyber-espionage-campaigns