
Russian hackers attack Ukrainians with Windows KMS activator and fake updates

Published by Andrii Rusanov

The Russian cyber espionage group Sandworm has been targeting Ukrainian Windows users, spreading trojans hidden in KMS activators and fake updates.

These attacks probably started in late 2023. Analysts at EclecticIQ attribute them to Sandworm on the basis of overlapping infrastructure, consistent tactics, techniques and procedures, and the frequent use of ProtonMail accounts to register the domains used in the attacks.

The attackers also used the BACKORDER downloader to deploy the DarkCrystal RAT (DcRAT) malware, and analysts noted «characters referring to the Russian-language build environment».

EclecticIQ identified seven malware distribution campaigns associated with the same cluster of malicious activity, each using similar lures and procedures. On January 12, 2025, analysts observed victims being infected with the DcRAT remote access trojan in a data-stealing attack that used a deliberately misspelled domain.

Once run on a victim’s device, the fake KMS activation tool displays a fake Windows activation interface, installs a malware downloader, and disables Windows Defender in the background, after which the main RAT payload is downloaded.
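A defender-side check for the Defender-disabling step described above, added here as an example and not taken from EclecticIQ’s report or the BleepingComputer source. It assumes a Windows host with the built-in Defender PowerShell module and uses only documented cmdlets and the documented policy registry key.

```powershell
# Added example: audit Microsoft Defender state for signs that it was switched off
# by software such as a fake KMS activator. Returns a list of findings (empty = clean).
function Test-DefenderTampering {
    $findings = @()

    # Live engine state as reported by the Defender service
    $status = Get-MpComputerStatus
    if (-not $status.AntivirusEnabled)          { $findings += 'Antivirus engine is disabled' }
    if (-not $status.RealTimeProtectionEnabled) { $findings += 'Real-time protection is off' }
    if (-not $status.IsTamperProtected)         { $findings += 'Tamper Protection is off' }

    # Preferences that Tamper Protection guards; review them whenever it is off
    $pref = Get-MpPreference
    if ($pref.DisableRealtimeMonitoring) { $findings += 'DisableRealtimeMonitoring preference is set' }
    foreach ($x in @($pref.ExclusionPath) + @($pref.ExclusionProcess) + @($pref.ExclusionExtension)) {
        if ($x) { $findings += "Scan exclusion present: $x" }
    }

    # Group Policy value that turns Defender off outright; normally absent on unmanaged hosts
    $polPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $pol = Get-ItemProperty -Path $polPath -ErrorAction SilentlyContinue
    if ($pol -and $pol.DisableAntiSpyware -eq 1) { $findings += 'Policy value DisableAntiSpyware=1' }

    return $findings
}

$result = Test-DefenderTampering
if ($result.Count -eq 0) { 'No Defender tampering indicators found' } else { $result }
```

Run it from an elevated PowerShell session; a non-empty list is a prompt to investigate the host, not proof of infection, since administrators also set some of these values legitimately.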

The ultimate goal of the attacks is to collect confidential information from infected computers and transfer it to servers controlled by the attackers. The malware logs keystrokes and collects browser cookies, browser history, saved credentials, FTP passwords, system information, and screenshots.

Sandworm’s use of malicious Windows activators was likely driven by the large attack surface created by the heavy use of pirated software in Ukraine, even in the government sector.

«Many users, including enterprises and critical organizations, have turned to pirated software from untrusted sources, providing adversaries such as Sandworm (APT44) with an excellent opportunity to inject malware into widely used applications. These tactics enable widespread espionage, data theft, and network compromise that directly threaten Ukraine’s national security, critical infrastructure, and private sector resilience,» EclecticIQ said.

Sandworm (also known as UAC-0113, APT44, and Seashell Blizzard) is a hacker group that has been active since at least 2009 and is part of military unit 74455 of the Main Intelligence Directorate (GRU), Russia’s military intelligence agency. EclecticIQ’s report includes a detailed analysis of the attacks and the software.

Source: BleepingComputer