Cyber Security News

Russian Hackers Leverage Weaponized Microsoft Key Management Service (KMS) to Hack Windows Systems

In a calculated cyber-espionage campaign, the Russian state-sponsored hacking group Sandworm (APT44), linked to the GRU (Russia’s Main Intelligence Directorate), has been exploiting pirated Microsoft Key Management Service (KMS) activation tools to target Ukrainian Windows systems.

This operation, active since late 2023, employs trojanized KMS activators and fake Windows updates to deploy malware, including the BACKORDER loader and Dark Crystal Remote Access Trojan (DcRAT), enabling large-scale data theft and espionage.

Malware Infection Chain

The attack begins with a malicious ZIP file, “KMSAuto++x64_v1.8.4.zip,” distributed via torrent platforms frequented by users seeking to bypass Windows licensing restrictions.

Once executed, the tool mimics a legitimate Windows activation interface while secretly deploying the BACKORDER loader in the background.

This loader disables Windows Defender using PowerShell commands and employs Living Off the Land Binaries (LOLBINs) to evade detection.

It then downloads DcRAT from attacker-controlled domains, such as “kmsupdate2023[.]com.”

DcRAT enables attackers to exfiltrate sensitive data, including keystrokes, browser credentials, system information, and screenshots.

The malware also establishes persistence by creating scheduled tasks that ensure continued operation across system reboots or logoffs.
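The infection chain above maps to a handful of host-level detections. The following is an added example, not code from the article or from SOC Prime: a small Python rule set run over constructed Sysmon-style process-creation (event 1) and DNS-query (event 22) records, flagging a KMS activator spawning a LOLBIN, PowerShell tampering with Defender settings, a logon-triggered scheduled task pointing into a user-writable directory, and a lookup of the domain named in the article. The event field names, the LOLBIN list and the sample events themselves are assumptions made for illustration.

```python
from __future__ import annotations
import ntpath
import re

# Indicator from the article (defanged "kmsupdate2023[.]com" re-joined for matching).
C2_DOMAINS = {"kmsupdate2023.com"}
ACTIVATOR_RE = re.compile(r"kmsauto", re.IGNORECASE)   # filename family from the article's ZIP
LOLBINS = {"powershell.exe", "cmd.exe", "schtasks.exe", "rundll32.exe", "mshta.exe"}

# Constructed Sysmon-like records (hypothetical; not real telemetry from the campaign).
SAMPLE_EVENTS = [
    {"event_id": 1, "image": r"C:\Users\u\Downloads\KMSAuto++x64_v1.8.4.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "KMSAuto++x64_v1.8.4.exe"},
    {"event_id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\u\Downloads\KMSAuto++x64_v1.8.4.exe",
     "cmdline": "powershell -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"event_id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'schtasks /create /tn "WinUpdate" /sc onlogon /tr "C:\\Users\\u\\AppData\\Roaming\\svc.exe"'},
    {"event_id": 22, "image": r"C:\Users\u\AppData\Roaming\svc.exe", "query": "kmsupdate2023.com"},
    {"event_id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
]

def _base(path: str) -> str:
    return ntpath.basename(path).lower()

def check_event(ev: dict) -> list[str]:
    """Return the names of every rule this single event trips (empty for benign events)."""
    hits: list[str] = []
    cmd = ev.get("cmdline", "")
    if ev["event_id"] == 1:  # process creation
        if ACTIVATOR_RE.search(_base(ev.get("parent", ""))) and _base(ev["image"]) in LOLBINS:
            hits.append("activator_spawns_lolbin")
        if re.search(r"Set-MpPreference\b.*-Disable\w+\s+\$true", cmd, re.I):
            hits.append("defender_tampering")
        if (_base(ev["image"]) == "schtasks.exe" and re.search(r"/create\b", cmd, re.I)
                and re.search(r"/sc\s+(onlogon|onstart)\b", cmd, re.I) and "appdata" in cmd.lower()):
            hits.append("scheduled_task_persistence")
    elif ev["event_id"] == 22:  # DNS query
        if ev.get("query", "").lower().rstrip(".") in C2_DOMAINS:
            hits.append("known_c2_domain")
    return hits

def scan(events: list[dict]) -> dict[str, list[int]]:
    """Map each rule name to the indices of the events that tripped it."""
    findings: dict[str, list[int]] = {}
    for i, ev in enumerate(events):
        for rule in check_event(ev):
            findings.setdefault(rule, []).append(i)
    return findings

if __name__ == "__main__":
    for rule, idx in scan(SAMPLE_EVENTS).items():
        print(f"{rule}: events {idx}")
```

In a real deployment the same four rules would sit in an EDR or Sigma rule set; correlating the first three on one host within a short window is what separates this chain from an administrator legitimately using schtasks or Set-MpPreference.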

The campaign’s end goal is to collect critical intelligence from infected systems, posing significant security risks to individuals, organizations, and Ukraine’s critical infrastructure.

Strategic Exploitation of Pirated Software

Ukraine’s widespread use of unlicensed software, estimated at 70% in the public sector, has created fertile ground for such attacks.

Economic constraints often compel businesses and government entities to rely on pirated software, inadvertently expanding the attack surface for adversaries like Sandworm.

By embedding malware within widely used tools like KMS activators, Sandworm has successfully infiltrated both personal and institutional networks.

Researchers have strongly attributed this campaign to Sandworm based on overlapping infrastructure, consistent Tactics, Techniques, and Procedures (TTPs), and debug symbols referencing Russian-language build environments.

The group has also been linked to similar campaigns in the past, including phishing attacks targeting Ukraine’s critical infrastructure.

This operation underscores Russia’s broader hybrid warfare strategy, where cyber operations complement physical and economic pressures.

According to SOC Prime, by targeting Ukraine’s reliance on pirated software, Sandworm not only compromises individual users but also threatens national security and resilience.

To counter such threats, cybersecurity experts recommend avoiding pirated software and implementing robust security measures such as endpoint detection tools and network monitoring systems.

Organizations are also urged to adopt proactive threat detection frameworks like those offered by platforms specializing in collective cyber defense.

The ongoing campaign highlights the evolving tactics of state-sponsored hacking groups like Sandworm and raises concerns about their potential global impact as they refine their methods in targeted regions like Ukraine.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
