
Russian military hackers deploy malicious Windows activators in Ukraine


Jasper_The_Rasper
Moderator

February 11, 2025 By Sergiu Gatlan


The Sandworm Russian military cyber-espionage group is targeting Windows users in Ukraine with trojanized Microsoft Key Management Service (KMS) activators and fake Windows updates.

These attacks likely started in late 2023 and have now been linked to Sandworm hackers by EclecticIQ threat analysts based on overlapping infrastructure, consistent Tactics, Techniques and Procedures (TTPs), and the frequent use of ProtonMail accounts to register the domains used in the attacks.

The attackers also used a BACKORDER loader to deploy DarkCrystal RAT (DcRAT) malware (used in previous Sandworm attacks), and debug symbols referencing a Russian-language build environment further reinforced the researchers' confidence that Russian military hackers were involved.

EclecticIQ identified seven malware distribution campaigns tied to the same malicious activity cluster, each using similar lures and TTPs. Most recently, on 12 January 2025, the analysts observed the attacks infecting victims with the DcRAT remote access Trojan in data exfiltration attacks using a typo-squatted domain.


>>Full Article<<
