2025-02-23 12:09:46 Pacfic
Russian Sandworm Group Targets Ukraine with Malicious KMS Activators - 11d
The Russian Sandworm group, a cyber-espionage unit with ties to the Russian military, is actively targeting Windows users in Ukraine. They are distributing malicious Microsoft Key Management Service (KMS) activators and fake Windows updates, compromising systems in the process. This campaign, which likely started in late 2023, showcases the ongoing cyber warfare efforts targeting Ukraine.
EclecticIQ threat analysts have linked these attacks to Sandworm based on overlapping infrastructure, consistent tactics, techniques, and procedures (TTPs), and the use of ProtonMail accounts to register domains used in the attacks. The attackers are also deploying a BACKORDER loader to deliver DarkCrystal RAT (DcRAT) malware. This malicious tool abuses legitimate Windows processes to evade detection, such as using `wmic` to add Microsoft Defender exclusions and `reg` to gather information about Defender's status, mimicking the behavior of legitimate KMS activators, while injecting malicious payloads onto compromised systems.
ImgSrc: blog.eclecticiq.com
References:
- @bleepingcomputer.com - BleepingComputer - The Sandworm Russian military cyber-espionage group is targeting Windows users in Ukraine with trojanized Microsoft Key Management Service (KMS) activators and fake Windows updates. - 11d
- @BleepingComputer - Sandworm Russian military cyber-espionage group is targeting Windows users in Ukraine with trojanized Microsoft Key Management Service (KMS) activators and fake Windows updates. - 11d
- www.bleepingcomputer.com - Russian military hackers deploy malicious Windows activators in Ukraine - 11d
- Know Your Adversary - EclecticIQ analysts presented a report on recent Sandworm campaign, where the threat actors used trojanized Microsoft KMS activation tools to deliver BACKORDER loader. - 11d
- EclecticIQ Blog - Sandworm APT Targets Ukrainian Users With Trojanized Microsoft KMS Activation Tools In Cyber Espionage Campaigns - 11d
- @youranonriots - Details about the malicious Microsoft KMS activation tools used in a recent Sandworm campaign. - 10d
- MSSP feed for Latest - Reports that attacks involving malicious Microsoft Key Management Service activators and bogus Windows updates have been deployed. - 10d
- Security Affairs - Report highlights that a Sandworm subgroup exploited trojanized Microsoft KMS activation tools. - 10d
- CISO2CISO.COM & CYBER SECURITY GROUP - Source: socprime.com – Author: Daryna Olyniychuk For over a decade, russia-backed Sandworm APT group (also tracked as UAC-0145, APT44) has consistently targeted Ukrainian organizations, with a - 10d
- www.microsoft.com - Details of the BadPilot operation conducted by the Sandworm subgroup, targeting critical organizations and governments. - 10d
- ciso2ciso.com - Sandworm APT Attacks Detection: russian State-Sponsored Hackers Deploy Malicious Windows KMS Activators to Target Ukraine – Source: socprime.com - 10d
- securityonline.info - Discussion of the campaign, the methods used by the attackers and potential consequences. - 10d
- @BleepingComputer - A subgroup of the Russian state-sponsored hacking group APT44, also known as 'Seashell Blizzard' and 'Sandworm', has been targeting critical organizations and governments in a multi-year campaign dubb - 10d
- @screaminggoat - Microsoft : Microsoft Threat Intelligence reports on a subgroup within Russian APT Seashell Blizzard (aka Sandworm, APT44) and their multiyear [sic] initial access operation (tracked as the "BadPilot - 10d
- socprime.com - Sandworm APT Attacks Detection: russian State-Sponsored Hackers Deploy Malicious Windows KMS Activators to Target Ukraine - 9d
- Security Affairs - Microsoft Threat Intelligence has published research on a subgroup of the Russia-linked APT group Seashell Blizzard behind the global BadPilot campaign, which compromises infrastructure to support Rus - 9d