In late 2023, Sandworm (also tracked as APT44), the hacking group attributed to Russia's GRU, began a cyber-espionage campaign against Ukraine that relied on pirated Microsoft Key Management Service (KMS) activation tools. Trojanized KMS activators and fake Windows updates delivered the BACKORDER loader, which in turn installed the Dark Crystal Remote Access Trojan (DcRAT). The campaign targeted Ukrainian Windows users in order to steal sensitive data and support espionage, and the access it provided enabled large-scale attacks on Ukraine's critical infrastructure and national security.
Ukraine's heavy reliance on unlicensed software, especially in the public sector, made it a prime target. Many Ukrainian users, including government institutions and businesses, turn to pirated software because of economic constraints. Sandworm exploited this exposure by embedding malware in widely used pirated tools such as KMS activators. Researchers found malicious KMS tools, among them an archive named "KMSAuto++x64_v1.8.4.zip", distributed through torrent platforms and disguised as legitimate Windows activation utilities.
Once executed, the tools displayed a fake activation interface while silently dropping the real payload. The BACKORDER loader weakened Windows Defender by running PowerShell commands that added exclusion rules, so its payloads would not be scanned, and then downloaded DcRAT from attacker-controlled domains. DcRAT was built to exfiltrate data, including system information, screenshots, keystrokes and saved passwords.
The malware also established persistence by creating scheduled tasks that relaunched it after a reboot, so restarting the machine did not clear the infection.
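The two host-level behaviours described above, Defender exclusions added through PowerShell and scheduled-task persistence, are also what a defender can hunt for. The following PowerShell script is an added example written for this page; it is not code from the original report, from the researchers, or from the malware. It assumes it is run as Administrator on a host where Microsoft Defender is the installed antivirus and where PowerShell script block logging (event 4104) is enabled. The regular expressions for "user-writable" locations and script interpreters are triage heuristics chosen here, not indicators taken from the campaign.

```powershell
# Added example for this page (not the article's, the researchers' or the malware's code).
# Hunts for the two behaviours described above on a single Windows host:
#   1. Defender exclusions, flagging those that point at user-writable locations,
#      plus the log events that record when exclusions were added;
#   2. scheduled tasks that launch a script interpreter or anything from a
#      user-writable path.
# Assumptions: run as Administrator, Microsoft Defender is the installed AV,
# script block logging is on (event 4104). The regexes below are heuristics
# chosen for this example, not indicators from the campaign.

$UserWritable = '\\Users\\|\\Temp\\|\\AppData\\|\\ProgramData\\|\\Public\\'
$Interpreters = 'powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32'
$Since        = (Get-Date).AddDays(-30)

function Get-DefenderExclusions {
    # Every exclusion deserves review; those under user-writable paths are flagged
    # because a loader typically excludes the directory it dropped into.
    $pref = Get-MpPreference
    $sets = @{ Path = $pref.ExclusionPath; Extension = $pref.ExclusionExtension; Process = $pref.ExclusionProcess }
    foreach ($type in $sets.Keys) {
        foreach ($value in @($sets[$type])) {
            if (-not $value) { continue }
            [pscustomobject]@{
                Type       = $type
                Value      = $value
                Suspicious = [bool]($value -match $UserWritable)
            }
        }
    }
}

function Get-DefenderExclusionChangeEvents {
    # Event 5007 in the Defender operational log records configuration changes;
    # the message names the changed setting, so exclusion edits can be filtered out.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007; StartTime = $Since
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions' } |
        Select-Object TimeCreated, Id, Message
}

function Get-DefenderScriptBlocks {
    # Event 4104 (script block logging) keeps the PowerShell text that actually ran,
    # which is where an Add-MpPreference/Set-MpPreference -Exclusion* call shows up.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $Since
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '(Add|Set)-MpPreference[^\r\n]*-Exclusion|DisableRealtimeMonitoring' } |
        Select-Object TimeCreated, Message
}

function Get-SuspiciousScheduledTasks {
    foreach ($task in (Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' })) {
        foreach ($action in @($task.Actions)) {
            # Only Exec actions carry Execute/Arguments; COM-handler actions are skipped.
            if (-not $action.Execute) { continue }
            $cmd = ("{0} {1}" -f $action.Execute, $action.Arguments).Trim()
            $fromUserPath = [bool]($cmd -match $UserWritable)
            # Microsoft's own tasks under \Microsoft\ legitimately run interpreters,
            # so an interpreter on its own is only flagged outside that tree.
            $runsInterp = ($cmd -match $Interpreters) -and ($task.TaskPath -notlike '\Microsoft\*')
            if ($fromUserPath -or $runsInterp) {
                $reason = if ($fromUserPath) { 'user-writable path' } else { 'script interpreter' }
                [pscustomobject]@{
                    Task    = $task.TaskPath + $task.TaskName
                    Author  = $task.Author
                    Command = $cmd
                    Reason  = $reason
                }
            }
        }
    }
}

$exclusions = @(Get-DefenderExclusions)
"== Defender exclusions ({0} total, {1} in user-writable locations) ==" -f $exclusions.Count, @($exclusions | Where-Object { $_.Suspicious }).Count
$exclusions | Format-Table -AutoSize
"== Exclusion changes in the last 30 days (Defender event 5007) =="
Get-DefenderExclusionChangeEvents | Format-Table -AutoSize -Wrap
"== PowerShell script blocks touching Defender settings (event 4104) =="
Get-DefenderScriptBlocks | Format-Table -AutoSize -Wrap
"== Scheduled tasks to review =="
Get-SuspiciousScheduledTasks | Format-Table -AutoSize -Wrap
```

Run it on a host suspected of having executed one of the trojanized activators. Every exclusion in the first table should be accounted for by an administrator; the 5007 and 4104 entries give the time at which an exclusion appeared, which anchors the timeline for the rest of the investigation, and the task list is the place to look for the persistence mechanism. Script block logging is off by default, so enabling it fleet-wide before an incident is what makes the 4104 check useful.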
The attribution to Sandworm rests on several indicators: shared infrastructure, overlapping tactics and reuse of known malware. Russian-language build-environment paths left in the malware samples, typosquatted domains and WHOIS records tied to ProtonMail accounts reinforce the link. The campaign illustrates the use of cyber operations in geopolitical conflict, with Sandworm turning Ukraine's software-piracy problem into an attack surface as part of Russia's broader hybrid-warfare strategy. Experts advise organizations to avoid pirated software and to deploy endpoint detection and network monitoring to reduce the risk posed by similar campaigns.