Menu

  • Alerts
  • Incidents
  • News
  • APTs
  • Cyber Decoded
  • Cyber Hygiene
  • Cyber Review
  • Cyber Tips
  • Definitions
  • Malware
  • Threat Actors
  • Tutorials

Useful Tools

  • Password generator
  • Report an incident
  • Report to authorities
No Result
View All Result
CTF Hack Havoc
CyberMaterial
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
Hall of Hacks
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
No Result
View All Result
Hall of Hacks
CyberMaterial
No Result
View All Result
Home Alerts

Sandworm Exploits Pirated Software to Attack

February 12, 2025
Reading Time: 2 mins read
in Alerts
AWS Console Vulnerabilities Expose IAM Users

In late 2023, Russian state-sponsored hacking group Sandworm (APT44), associated with Russia’s GRU, launched a sophisticated cyber-espionage campaign targeting Ukraine. The group exploited pirated Microsoft Key Management Service (KMS) activation tools to deploy malware such as the BACKORDER loader and Dark Crystal Remote Access Trojan (DcRAT). Sandworm’s campaign, which targeted Ukrainian Windows users, leveraged trojanized KMS tools and fake Windows updates to steal sensitive data and facilitate espionage activities. These malicious tools enabled large-scale attacks on Ukraine’s critical infrastructure and national security.

Ukraine’s high dependence on unlicensed software, particularly in the public sector, made it a prime target for Sandworm’s attacks. Many Ukrainian users, including government institutions and businesses, turn to pirated software due to economic constraints. Sandworm took advantage of this vulnerability by embedding malware into widely used pirated tools like KMS activators. Researchers discovered that malicious KMS tools, including “KMSAuto++x64_v1.8.4.zip,” were distributed through torrent platforms, disguised as legitimate Windows activation utilities.

Once executed, these tools displayed fake activation interfaces while secretly deploying malicious payloads. The BACKORDER loader was used to disable Windows Defender through PowerShell commands, creating exclusion rules, and then downloading the DcRAT malware from attacker-controlled domains. DcRAT was designed to exfiltrate data, including sensitive system information, screenshots, keystrokes, and saved passwords.

The malware also ensured persistence by creating scheduled tasks that allowed it to survive system reboots, further compromising the affected systems.

The campaign’s attribution to Sandworm is supported by several indicators, including shared infrastructure, tactics, and malware reuse. Russian-language build environments referenced in the malware samples, as well as domain typosquatting and WHOIS records tied to ProtonMail accounts, reinforce the connection to the group. This campaign highlights the strategic use of cyber operations in geopolitical conflicts, with Sandworm exploiting Ukraine’s software piracy issues as part of Russia’s broader hybrid warfare strategy. Experts advise organizations to avoid pirated software and implement robust cybersecurity measures such as endpoint detection and network monitoring to mitigate the risks posed by similar campaigns.

Reference:
  • Sandworm Hackers Target Ukraine With Pirated Key Management Service Tools
Tags: Cyber AlertsCyber Alerts 2025CyberattackCybersecurityFebruary 2025
ADVERTISEMENT

Related Posts

FBI Seizes Multiple Game Piracy Sites

XORIndex Malware DPRK npm Attack

July 15, 2025
FBI Seizes Multiple Game Piracy Sites

NCC Urges Windows 11 Upgrade Cyber Defenses

July 15, 2025
FBI Seizes Multiple Game Piracy Sites

FBI Seizes Multiple Game Piracy Sites

July 15, 2025
Wing FTP Server RCE Flaw Exploited

WinRAR Zero-Day Exploit $80K on Dark Web

July 14, 2025
Wing FTP Server RCE Flaw Exploited

Google Gemini Flaw Hijacks Email Summaries

July 14, 2025
Wing FTP Server RCE Flaw Exploited

Wing FTP Server RCE Flaw Exploited

July 14, 2025

Latest Alerts

NCC Urges Windows 11 Upgrade Cyber Defenses

FBI Seizes Multiple Game Piracy Sites

XORIndex Malware DPRK npm Attack

WinRAR Zero-Day Exploit $80K on Dark Web

Google Gemini Flaw Hijacks Email Summaries

Wing FTP Server RCE Flaw Exploited

Subscribe to our newsletter

    Latest Incidents

    Elmo Impersonator Posts Antisemitic Content

    PET Imaging Phishing Attack Hits

    Louis Vuitton Data Breach Global Impact

    Supermarket Cyberattack Prompts Warning

    China Hacker Suspected in DC Law Firm Breach

    nius.de Cyberattack Leaks User Data

    CyberMaterial Logo
    • About Us
    • Contact Us
    • Jobs
    • Legal and Privacy Policy
    • Site Map

    © 2025 | CyberMaterial | All rights reserved

    Welcome Back!

    Login to your account below

    Forgotten Password?

    Retrieve your password

    Please enter your username or email address to reset your password.

    Log In

    Add New Playlist

    No Result
    View All Result
    • Alerts
    • Incidents
    • News
    • Cyber Decoded
    • Cyber Hygiene
    • Cyber Review
    • Definitions
    • Malware
    • Cyber Tips
    • Tutorials
    • Advanced Persistent Threats
    • Threat Actors
    • Report an incident
    • Password Generator
    • About Us
    • Contact Us
    • Advertise with us

    Copyright © 2025 CyberMaterial