Menu

  • Alerts
  • Incidents
  • News
  • APTs
  • Cyber Decoded
  • Cyber Hygiene
  • Cyber Review
  • Cyber Tips
  • Definitions
  • Malware
  • Threat Actors
  • Tutorials

Useful Tools

  • Password generator
  • Report an incident
  • Report to authorities
No Result
View All Result
CTF Hack Havoc
CyberMaterial
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
Hall of Hacks
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
No Result
View All Result
Hall of Hacks
CyberMaterial
No Result
View All Result
Home Alerts

Sandworm Exploits Pirated Software to Attack

February 12, 2025
Reading Time: 2 mins read
in Alerts
AWS Console Vulnerabilities Expose IAM Users

In late 2023, Russian state-sponsored hacking group Sandworm (APT44), associated with Russia’s GRU, launched a sophisticated cyber-espionage campaign targeting Ukraine. The group exploited pirated Microsoft Key Management Service (KMS) activation tools to deploy malware such as the BACKORDER loader and Dark Crystal Remote Access Trojan (DcRAT). Sandworm’s campaign, which targeted Ukrainian Windows users, leveraged trojanized KMS tools and fake Windows updates to steal sensitive data and facilitate espionage activities. These malicious tools enabled large-scale attacks on Ukraine’s critical infrastructure and national security.

Ukraine’s high dependence on unlicensed software, particularly in the public sector, made it a prime target for Sandworm’s attacks. Many Ukrainian users, including government institutions and businesses, turn to pirated software due to economic constraints. Sandworm took advantage of this vulnerability by embedding malware into widely used pirated tools like KMS activators. Researchers discovered that malicious KMS tools, including “KMSAuto++x64_v1.8.4.zip,” were distributed through torrent platforms, disguised as legitimate Windows activation utilities.

Once executed, these tools displayed fake activation interfaces while secretly deploying malicious payloads. The BACKORDER loader was used to disable Windows Defender through PowerShell commands, creating exclusion rules, and then downloading the DcRAT malware from attacker-controlled domains. DcRAT was designed to exfiltrate data, including sensitive system information, screenshots, keystrokes, and saved passwords.

The malware also ensured persistence by creating scheduled tasks that allowed it to survive system reboots, further compromising the affected systems.

The campaign’s attribution to Sandworm is supported by several indicators, including shared infrastructure, tactics, and malware reuse. Russian-language build environments referenced in the malware samples, as well as domain typosquatting and WHOIS records tied to ProtonMail accounts, reinforce the connection to the group. This campaign highlights the strategic use of cyber operations in geopolitical conflicts, with Sandworm exploiting Ukraine’s software piracy issues as part of Russia’s broader hybrid warfare strategy. Experts advise organizations to avoid pirated software and implement robust cybersecurity measures such as endpoint detection and network monitoring to mitigate the risks posed by similar campaigns.

Reference:
  • Sandworm Hackers Target Ukraine With Pirated Key Management Service Tools
Tags: Cyber AlertsCyber Alerts 2025CyberattackCybersecurityFebruary 2025
ADVERTISEMENT

Related Posts

Glibc Flaw Gives Linux Root Access Risk

Mozilla Urgent Firefox Patch Fixes RCE Flaws

May 19, 2025
Fileless Remcos RAT Delivery Via LNK Files

ModiLoader Malware Targets Windows Users

May 19, 2025
Glibc Flaw Gives Linux Root Access Risk

Glibc Flaw Gives Linux Root Access Risk

May 19, 2025
Fileless Remcos RAT Delivery Via LNK Files

APT28 RoundPress Webmail Hack Steals Emails

May 16, 2025
Fileless Remcos RAT Delivery Via LNK Files

FBI Warns of AI Voice Phishing Scams

May 16, 2025
Fileless Remcos RAT Delivery Via LNK Files

Fileless Remcos RAT Delivery Via LNK Files

May 16, 2025

Latest Alerts

Mozilla Urgent Firefox Patch Fixes RCE Flaws

ModiLoader Malware Targets Windows Users

Glibc Flaw Gives Linux Root Access Risk

Fileless Remcos RAT Delivery Via LNK Files

FBI Warns of AI Voice Phishing Scams

APT28 RoundPress Webmail Hack Steals Emails

Subscribe to our newsletter

    Latest Incidents

    Massive DDoS Hits Poland’s Civic Platform

    Arla Plant Cyberattack Halts Operations

    Georgia’s Harbin Clinic Hit by Data Breach

    Hackers Target Swiss Reserve Power Plant

    Coinbase Insider Attack Exposed User Data

    Cyberattack Hits J Batista Group

    CyberMaterial Logo
    • About Us
    • Contact Us
    • Jobs
    • Legal and Privacy Policy
    • Site Map

    © 2025 | CyberMaterial | All rights reserved

    Welcome Back!

    Login to your account below

    Forgotten Password?

    Retrieve your password

    Please enter your username or email address to reset your password.

    Log In

    Add New Playlist

    No Result
    View All Result
    • Alerts
    • Incidents
    • News
    • Cyber Decoded
    • Cyber Hygiene
    • Cyber Review
    • Definitions
    • Malware
    • Cyber Tips
    • Tutorials
    • Advanced Persistent Threats
    • Threat Actors
    • Report an incident
    • Password Generator
    • About Us
    • Contact Us
    • Advertise with us

    Copyright © 2025 CyberMaterial