216.73.217.139

Sandworm APT Targets Ukrainian Users with Trojanized Microsoft KMS Activation Tools in Cyber Espionage Campaigns

· Published 12/02/2025 00:24 · Modified 12/02/2025 09:07

Export JSON

Essential information

Published
12/02/2025 00:24
Modified
12/02/2025 09:07
Tags
2025-02-12 apt44 backorder backorder loader cyber espionage dark crystal rat dcrat gru kalambur kms activators software piracy ukraine
Related entities
35 observables, 1 intrusion sets (apt), 20 techniques (mitre), 4 malware, 4 others

Description

EclecticIQ analysts have identified a campaign by Sandworm () targeting Ukrainian Windows users. The group is leveraging pirated Microsoft Key Management Service (KMS) activators and fake Windows updates to deliver a new version of the , which ultimately deploys (). This enables data exfiltration and espionage activities. The campaign, likely ongoing since late 2023, exploits 's high rates, potentially compromising home users, businesses, and government networks. Multiple distribution campaigns have been observed, using similar lures and tactics. The attackers employ sophisticated techniques, including disabling Windows Defender, using Living Off the Land Binaries, and establishing persistence through scheduled tasks. The operation aligns with Russia's broader hybrid warfare strategy against .

External references