Russian Hackers Weaponize Fake Windows Tools in Targeted Ukraine Cyberattack

Russian Sandworm Hackers Target Ukraine with Fake Windows Updates

The notorious Russian military cyber-espionage group, Sandworm, has launched a sophisticated campaign targeting Ukrainian users through counterfeit Microsoft Key Management Service (KMS) activators and fraudulent Windows updates. EclecticIQ security researchers have identified seven distinct malware distribution campaigns beginning in late 2023.

The attacks use a BACKORDER loader to deploy DarkCrystal RAT (DcRAT), a remote access trojan previously associated with Sandworm operations. Attribution to the group is supported by shared infrastructure, consistent tactical patterns, and the use of ProtonMail accounts to register the distribution domains.

Attack Methodology:
– Fake KMS activation tools present a convincing Windows-style interface to the victim
– The BACKORDER loader is installed and Windows Defender is disabled
– DcRAT is deployed to extract data from the compromised system

The malware’s capabilities include:
– Keystroke logging
– Browser data theft (cookies, history, credentials)
– FTP credential harvesting
– System information collection
– Screenshot capture

The campaign exploits Ukraine’s widespread use of pirated software, particularly within government sectors, creating a significant security vulnerability. EclecticIQ warns that this tactic enables large-scale espionage and poses a direct threat to Ukraine’s national security and infrastructure.

Sandworm, also known as UAC-0113, APT44, or Seashell Blizzard, operates as part of Russia’s GRU Military Unit 74455 and has been active since 2009, primarily conducting destructive cyber operations against Ukrainian targets.
