Russian military hackers deploy malicious Windows activators in Ukraine

Cyber Threat Landscape in Ukraine

The Sandworm group, a notorious Russian military cyber-espionage entity, has recently intensified its focus on Windows users in Ukraine. Their method of choice involves the distribution of trojanized Microsoft Key Management Service (KMS) activators and counterfeit Windows updates, a strategy that has raised significant alarm among cybersecurity experts.

According to threat analysts at EclecticIQ, these malicious activities appear to have commenced in late 2023. Through meticulous investigation, they have established a connection between these attacks and the Sandworm hackers, citing overlapping infrastructure, consistent Tactics, Techniques, and Procedures (TTPs), and the frequent use of ProtonMail accounts for domain registration as key indicators.

In their operations, the attackers have employed a BACKORDER loader to deploy DarkCrystal RAT (DcRAT) malware, a tool previously associated with Sandworm’s campaigns. The presence of debug symbols linked to a Russian-language build environment further solidifies the researchers’ assertion of Russian military involvement.

EclecticIQ has cataloged seven distinct malware distribution campaigns associated with this malicious activity cluster, each characterized by similar lures and TTPs. The most recent incident, observed on January 12, 2025, involved the deployment of the DcRAT remote access Trojan during data exfiltration attacks, utilizing a typo-squatted domain to ensnare unsuspecting victims.

Upon installation, the counterfeit KMS activation tool presents a deceptive Windows activation interface. In the background, it quietly installs the malware loader and disables Windows Defender, ultimately delivering the final RAT payload to the compromised device.
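A defender-side audit for the behaviour just described (loader silently disables Windows Defender), added here as an example and not taken from the EclecticIQ report: it reports whether Defender protection is off, lists recent Defender "protection disabled" events, and shows the KMS host the machine is configured to use. The cmdlets and event IDs are standard Defender ones; the 72-hour look-back window is an assumption, and the KMS host line is for review only, since the article does not say whether the trojanized activator changes it.

```powershell
# Added example (not from the original report): audit a Windows host for
# signs that Defender was disabled. Run in an elevated PowerShell session on
# Windows 10/11 with the Defender module available.

function Get-DefenderTamperReport {
    param([int]$LookbackHours = 72)   # look-back window is an assumption

    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    $findings = [System.Collections.Generic.List[string]]::new()

    if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is OFF') }
    if (-not $status.AntivirusEnabled)          { $findings.Add('Antivirus engine is OFF') }
    if (-not $status.AMServiceEnabled)          { $findings.Add('Defender service (WinDefend) not running') }
    if (-not $status.IsTamperProtected)         { $findings.Add('Tamper protection is OFF') }
    if ($pref.DisableRealtimeMonitoring)        { $findings.Add('DisableRealtimeMonitoring preference is set') }

    # Scan exclusions are a common way a dropped loader stays out of sight; list them.
    foreach ($p in @($pref.ExclusionPath) + @($pref.ExclusionProcess)) {
        if ($p) { $findings.Add("Exclusion present: $p") }
    }

    # Defender operational log: 5001 = real-time protection disabled,
    # 5010 = anti-spyware scanning disabled, 5012 = antivirus scanning disabled.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5010, 5012
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $firstLine = ($e.Message -split "`n")[0]
        $findings.Add("Event $($e.Id) at $($e.TimeCreated): $firstLine")
    }

    # KMS host currently configured for activation. Reported for review only;
    # the article does not state that the fake activator modifies this value.
    $kms = (Get-CimInstance -ClassName SoftwareLicensingService).KeyManagementServiceMachine
    if ($kms) { $findings.Add("Configured KMS host: $kms") }

    [pscustomobject]@{
        Host     = $env:COMPUTERNAME
        Checked  = Get-Date
        Findings = $findings
    }
}

Get-DefenderTamperReport | Format-List
```

A host with no findings and no recent 5001/5010/5012 events shows an empty Findings list; any entry is a prompt to look at what process changed the setting, not proof of compromise on its own.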

Trojanized KMS Activator (EclecticIQ)

The overarching objective of these attacks is to harvest sensitive information from infected systems, which is then transmitted to servers controlled by the attackers. The malware is designed to capture keystrokes, browser cookies, browsing history, saved credentials, FTP credentials, system information, and even screenshots.

Sandworm’s choice to distribute malicious Windows activators is likely a strategic response to the extensive attack surface created by the widespread use of pirated software in Ukraine, a challenge that also affects the government sector. As noted by EclecticIQ, “Many users, including businesses and critical entities, have turned to pirated software from untrusted sources, giving adversaries like Sandworm (APT44) a prime opportunity to embed malware in widely used programs.”

This approach not only facilitates large-scale espionage and data theft but also poses a direct threat to Ukraine’s national security, critical infrastructure, and the resilience of its private sector.

Sandworm, also known by various designations such as UAC-0113, APT44, and Seashell Blizzard, has been active since at least 2009. This group operates under the auspices of Military Unit 74455 of the Main Intelligence Directorate (GRU), Russia’s military intelligence service, with a primary focus on executing disruptive and destructive attacks targeting Ukraine.