Sandworm cyberespionage group targets Ukrainian Windows users

February 14, 2025
Tags: Sandworm, Ukraine, Europe, Cybercriminals, Windows OS

The notorious Russian-backed cyberespionage group dubbed Sandworm targets Ukrainian Windows users. Reports revealed that the group tries to infect these users with trojanised Microsoft Key Management Service (KMS) activators via fake Windows updates.

Researchers suspect that these campaigns started in 2023. The attacks were initially linked to abused ProtonMail accounts that were used to register the domains involved in the campaign. The threat actors also used the BACKORDER loader to deliver DarkCrystal RAT (DcRAT) malware, and debug symbols in the samples reference a Russian-language development environment.

These details could also support the speculation that Sandworm is a Russian military-backed hacking group.

This new Sandworm cyberespionage operation uses several malware distribution tactics.

The Sandworm hacking group’s cyberespionage campaign comprises at least seven malware distribution operations, all with similar lures and TTPs. Researchers observed attacks that infected victims with the DcRAT remote access Trojan and exfiltrated data through a typo-squatted domain.
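The typo-squatted domain mentioned above is the kind of indicator a resolver log can surface before any payload runs. The following is an added example, not code from the original article or from the researchers it cites: it scores DNS query names against an allowlist of expected domains by edit distance after folding common digit-for-letter substitutions, so both a misspelling and a pure homoglyph swap are flagged. The allowlist, the `.example` domain names and the log lines are all constructed for the demonstration.

```python
import re
from typing import Optional

# Constructed allowlist of domains that clients in this environment are expected to resolve.
# Real names are deliberately not used; `.example` is reserved for documentation.
LEGIT_DOMAINS = {"windowsupdate.example", "activation.example", "corp-portal.example"}

# Constructed resolver log (not real data). Format: "<timestamp> <client> query <qname> <rcode>"
SAMPLE_DNS_LOG = """\
2025-02-10T09:14:02Z 10.0.0.21 query windowsupdate.example NOERROR
2025-02-10T09:14:07Z 10.0.0.21 query wind0wsupdate.example NOERROR
2025-02-10T09:15:30Z 10.0.0.37 query activaton.example NOERROR
2025-02-10T09:16:11Z 10.0.0.37 query corp-portal.example NOERROR
2025-02-10T09:17:45Z 10.0.0.52 query unrelated-site.example NOERROR
"""

# Digit-for-letter substitutions commonly seen in lookalike names, folded before comparing.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
LINE_RE = re.compile(r"^(\S+) (\S+) query (\S+) (\S+)$")


def levenshtein(a: str, b: str) -> int:
    """Edit distance computed with single-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def closest_legit(qname: str, max_distance: int = 2) -> Optional[tuple]:
    """Return (legit_domain, distance) if qname is a near miss of an allowlisted
    domain, or None if it is an exact allowlisted name or not close to any."""
    raw = qname.lower().rstrip(".")
    if raw in LEGIT_DOMAINS:
        return None
    folded = raw.translate(HOMOGLYPHS)
    best = None
    for legit in LEGIT_DOMAINS:
        d = levenshtein(folded, legit)
        if d <= max_distance and (best is None or d < best[1]):
            best = (legit, d)
    return best   # distance 0 here means a pure homoglyph swap (e.g. 0 for o)


def find_lookalike_queries(log_text: str) -> list:
    """Parse resolver log lines and return one record per lookalike query."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, qname, _rcode = m.groups()
        match = closest_legit(qname)
        if match:
            hits.append({"timestamp": ts, "client": client, "qname": qname,
                         "lookalike_of": match[0], "distance": match[1]})
    return hits


if __name__ == "__main__":
    for hit in find_lookalike_queries(SAMPLE_DNS_LOG):
        print(hit)
```

Run against a real resolver export, the allowlist should be the organisation's own expected update and activation endpoints; the distance threshold of 2 is a starting point and will need tuning against the volume of legitimately similar names in a given environment.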

Once installed on a victim’s device, the bogus KMS activation tool shows a fake Windows activation screen, installs the malware loader, and disables Windows Defender in the background before delivering the final RAT payload.
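The infection chain described above (an activator runs, Windows Defender is disabled in the background, then a further payload is dropped) is a sequence a detection engineer can correlate on the endpoint. The following is an added example, not code from the original article or from the analysts who tracked the campaign: it walks constructed Sysmon-style and Defender event records per host and raises an alert when a process whose image name looks like an activation tool is followed within a short window by Defender being disabled (Defender operational event 5001, 5010 or 5012, or a registry write to the `DisableAntiSpyware` or `DisableRealtimeMonitoring` policy values), with severity raised if that process also spawned a child. The host names, user paths, file names and timestamps are constructed, and the `MgmtAgent` path is a hypothetical management tool used for the benign case.

```python
from datetime import datetime, timedelta

# Constructed endpoint telemetry (not real data) in a normalised dict form such as an EDR
# or a Sysmon + Defender event pipeline might forward. Event ids are the real Windows ones:
#   Sysmon 1 = process creation, Sysmon 13 = registry value set,
#   Microsoft-Windows-Windows Defender/Operational 5001 = real-time protection disabled,
#   5010 = anti-spyware scanning disabled, 5012 = anti-virus scanning disabled.
ACTIVATOR = r"C:\Users\alice\Downloads\KMS_Activator_Windows.exe"   # constructed file name
SAMPLE_EVENTS = [
    {"ts": "2025-02-10T09:20:01", "host": "ws-17", "source": "sysmon", "event_id": 1,
     "image": ACTIVATOR, "parent": r"C:\Windows\explorer.exe"},
    {"ts": "2025-02-10T09:20:09", "host": "ws-17", "source": "sysmon", "event_id": 13,
     "image": ACTIVATOR,
     "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "value": "1"},
    {"ts": "2025-02-10T09:20:12", "host": "ws-17", "source": "defender", "event_id": 5001},
    {"ts": "2025-02-10T09:21:40", "host": "ws-17", "source": "sysmon", "event_id": 1,
     "image": r"C:\Users\alice\AppData\Roaming\updater.exe", "parent": ACTIVATOR},
    # Benign case on another host: a hypothetical management agent toggles Defender during a
    # scheduled reconfiguration; no activator-like process is involved, so no alert is raised.
    {"ts": "2025-02-10T11:02:00", "host": "ws-22", "source": "sysmon", "event_id": 1,
     "image": r"C:\Program Files\MgmtAgent\agent.exe", "parent": r"C:\Windows\System32\services.exe"},
    {"ts": "2025-02-10T11:02:05", "host": "ws-22", "source": "defender", "event_id": 5001},
]

ACTIVATOR_HINTS = ("kms", "activator")            # substrings typical of activation-tool file names
DEFENDER_EVENT_IDS = {5001, 5010, 5012}
DEFENDER_POLICY_VALUES = ("disableantispyware", "disablerealtimemonitoring")
WINDOW = timedelta(minutes=15)                    # how long after the activator start to correlate


def is_activator_start(ev: dict) -> bool:
    return (ev["source"] == "sysmon" and ev["event_id"] == 1
            and any(h in ev["image"].lower() for h in ACTIVATOR_HINTS))


def is_defender_tamper(ev: dict) -> bool:
    if ev["source"] == "defender" and ev["event_id"] in DEFENDER_EVENT_IDS:
        return True
    if ev["source"] == "sysmon" and ev["event_id"] == 13:
        return any(v in ev.get("target", "").lower() for v in DEFENDER_POLICY_VALUES)
    return False


def correlate(events: list, window: timedelta = WINDOW) -> list:
    """Return one alert per activator start that is followed, within `window` on the same
    host, by a Defender tamper event. Severity is raised if the activator also spawned a
    child process (the loader / RAT stage described in the article)."""
    by_host: dict = {}
    for ev in sorted(events, key=lambda e: (e["host"], e["ts"])):
        by_host.setdefault(ev["host"], []).append(ev)

    alerts = []
    for host, evs in by_host.items():
        for i, ev in enumerate(evs):
            if not is_activator_start(ev):
                continue
            t0 = datetime.fromisoformat(ev["ts"])
            tamper_ids, children = [], []
            for later in evs[i + 1:]:
                if datetime.fromisoformat(later["ts"]) - t0 > window:
                    break
                if is_defender_tamper(later):
                    tamper_ids.append(later["event_id"])
                elif (later["source"] == "sysmon" and later["event_id"] == 1
                      and later.get("parent") == ev["image"]):
                    children.append(later["image"])
            if tamper_ids:
                alerts.append({"host": host, "activator": ev["image"],
                               "tamper_events": tamper_ids, "spawned": children,
                               "severity": "high" if children else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The design point is that neither signal is conclusive on its own: users do run activation tools, and administrators do reconfigure Defender. Requiring the activator start, the Defender tamper and (for high severity) a spawned child on the same host inside one window is what separates the chain the article describes from routine activity.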

The attacks aim to harvest sensitive information from affected systems and exfiltrate it to attacker-controlled servers. The malware commonly steals keystrokes, browser cookies, browsing history, stored credentials, FTP credentials, system data, and screenshots.

The attackers’ use of malicious Windows activators was most likely driven by the enormous attack surface created by Ukraine’s widespread usage of unlicensed software, which also affects the country’s government sector.

Furthermore, many users, particularly enterprises and vital groups, have turned to untrusted sources for pirated software, giving threat actors a good opportunity to attach malware to commonly used products.

This method allows for large-scale espionage, data theft, and network compromise, which endangers Ukraine’s national security, key infrastructure, and private sector resilience.

Sandworm is a hacking group that has been active since at least 2009 and is the leading hacking group aiding Russia in its ongoing geopolitical conflict with Ukraine. The war has gone on for years, and hackers continue to contribute significantly to it.
