A Russian military cyber-espionage group known as Sandworm is attacking Windows users in Ukraine by spreading malware through trojanized Microsoft Key Management Service (KMS) activators and fake Windows updates.
According to cybersecurity analysts at EclecticIQ, these attacks likely began in late 2023 and have been linked to Sandworm based on overlapping infrastructure, common hacking techniques, and the use of ProtonMail accounts to register malicious domains.
To infect victims, the hackers deploy a malware loader called BACKORDER, which then installs DarkCrystal RAT (DcRAT)—a remote access Trojan that has been used in previous Sandworm operations. Debug symbols found in the malware suggest it was built in a Russian-language environment, reinforcing the link to Russian military hackers.
Investigators identified seven malware distribution campaigns tied to the same operation, all using similar attack methods. On January 12, 2025, analysts observed the latest attacks using a typo-squatted domain to trick victims into downloading the malicious software.
Once run, the fake KMS activator goes through the motions of activating Windows while, in the background, it disables Windows Defender and launches the BACKORDER loader, which retrieves and installs the final DcRAT payload. DcRAT then captures keystrokes and screenshots, harvests browser cookies, saved credentials, FTP client logins and system details, and exfiltrates all of it to attacker-controlled servers.
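Because the infection chain above starts by switching Defender off, the most useful quick check for a suspected host is whether Defender has been tampered with. The PowerShell script below is an added example written for this page; it is not code from EclecticIQ or from the malware analysis, and the page does not say which mechanism the activator uses to disable Defender, so the script audits the usual levers an attacker pulls (engine and real-time protection state, policy registry values, exclusions, and the Defender operational event log). It uses only the built-in Defender module cmdlets and Get-WinEvent, and should be run from an elevated prompt on Windows 10/11 or Server 2016+.

```powershell
# Added example: audit a Windows host for signs that Defender was disabled
# or weakened, as the trojanized KMS activator described above does.
# This is not the report's code, and the exact technique BACKORDER uses is
# not stated on the page; the checks below cover the common methods.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Live engine state from the Defender PowerShell module.
try {
    $status = Get-MpComputerStatus -ErrorAction Stop
    if (-not $status.AntivirusEnabled)          { $findings.Add("Antivirus engine disabled") }
    if (-not $status.RealTimeProtectionEnabled) { $findings.Add("Real-time protection disabled") }
    if (-not $status.AMServiceEnabled)          { $findings.Add("Antimalware service (MsMpEng) not running") }
    # IsTamperProtected is absent on older builds; only flag an explicit $false.
    if ($null -ne $status.IsTamperProtected -and -not $status.IsTamperProtected) {
        $findings.Add("Tamper Protection is off")
    }
} catch {
    $findings.Add("Get-MpComputerStatus failed: $($_.Exception.Message)")
}

# 2. Policy registry values that turn Defender off. On an unmanaged
#    workstation these values normally do not exist at all.
$policyChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';                      Name = 'DisableAntiSpyware' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';                      Name = 'DisableAntiVirus' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableRealtimeMonitoring' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableBehaviorMonitoring' }
)
foreach ($c in $policyChecks) {
    $v = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($v -and $v.($c.Name) -eq 1) {
        $findings.Add("Policy value set: $($c.Path)\$($c.Name) = 1")
    }
}

# 3. Exclusions. A loader dropped into a user-writable directory commonly
#    excludes that directory or its own process from scanning.
$pref = Get-MpPreference -ErrorAction SilentlyContinue
if ($pref) {
    foreach ($p in @($pref.ExclusionPath)) {
        if ($p -and $p -match '(?i)\\(Users|ProgramData|Temp|AppData)\\') {
            $findings.Add("Suspicious path exclusion: $p")
        }
    }
    foreach ($p in @($pref.ExclusionProcess)) {
        if ($p) { $findings.Add("Process exclusion present: $p") }
    }
    if ($pref.DisableRealtimeMonitoring) {
        $findings.Add("DisableRealtimeMonitoring preference is set")
    }
}

# 4. Defender operational log for the last 14 days.
#    5001 = real-time protection disabled, 5010 = antispyware scanning
#    disabled, 5012 = antivirus scanning disabled.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5001, 5010, 5012
    StartTime = (Get-Date).AddDays(-14)
} -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $firstLine = ($e.Message -split "`n")[0]
    $findings.Add("Defender event $($e.Id) at $($e.TimeCreated): $firstLine")
}

if ($findings.Count -eq 0) {
    Write-Output "No Defender tampering indicators found."
} else {
    Write-Output "Defender tampering indicators:"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

A hit on any of these checks on a machine where a "KMS activator" was recently run is reason to treat the host as compromised rather than simply re-enabling Defender: the loader and DcRAT persist independently of the Defender state, so the script is a triage step, not a remediation.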
The widespread use of pirated software in Ukraine, including within government agencies, has likely made it easier for Sandworm to exploit users. Many individuals and businesses rely on unauthorized software activators, unknowingly opening the door to cyber threats.
“Many users, including businesses and critical entities, have turned to pirated software from untrusted sources, giving adversaries like Sandworm (APT44) a prime opportunity to embed malware in widely used programs,” EclecticIQ said.
Sandworm, also tracked as UAC-0113, APT44, and Seashell Blizzard, has been active since at least 2009. It operates as part of Military Unit 74455 of Russia’s Main Intelligence Directorate (GRU) and specializes in cyberattacks designed to disrupt and damage Ukraine’s infrastructure.
Bijay Pokharel