In a sophisticated cyber-espionage operation, the Russian state-sponsored hacking group Sandworm (APT44), linked to the GRU (Russia’s Main Intelligence Directorate), has been exploiting pirated Microsoft Key Management Service (KMS) activation tools to target Ukrainian Windows users.
The campaign, which began in late 2023, leverages trojanized KMS activators and fake Windows updates to deploy malware, including the BACKORDER loader and Dark Crystal Remote Access Trojan (DcRAT).
The malware enables large-scale data theft and espionage, posing significant risks to Ukraine’s critical infrastructure and national security.
Ukraine’s high reliance on unlicensed software, estimated at 70% in the public sector, has created fertile ground for such attacks.
Many users, including government institutions and businesses, turn to pirated software due to economic constraints.
Sandworm capitalizes on this vulnerability by embedding malware within widely used tools like KMS activators.
Researchers from EclecticIQ identified multiple campaigns distributing a trojanized file named “KMSAuto++x64_v1.8.4.zip” via torrent platforms, disguised as a legitimate Windows activation utility.
Upon execution, the malicious tool displays a fake Windows activation interface while secretly deploying the BACKORDER loader.
The loader blinds Windows Defender to its payloads by adding exclusion rules through PowerShell commands (exclusions do not turn Defender off, but the excluded paths are no longer scanned), and then downloads DcRAT from attacker-controlled domains such as “kmsupdate2023[.]com.”
Once installed, DcRAT exfiltrates sensitive data, including screenshots, keystrokes, browser credentials, system information, and even saved credit card details.
The malware also establishes persistence by creating scheduled tasks that ensure its continued operation across system reboots.
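The chain described above leaves three host-level traces a defender can hunt for: a PowerShell process adding Defender exclusions, a scheduled task whose action points into a user-writable directory, and DNS lookups of the attacker domains. The following Python script is an added example, not code from the article or from EclecticIQ’s report; it applies those three checks to a handful of constructed, simplified Sysmon-style log lines. The `Key=value` log format, the field names and the sample lines are assumptions for illustration, and the two domains are the defanged indicators quoted in this article, refanged so they match as they would appear in DNS telemetry.

```python
import re
from dataclasses import dataclass

# Indicators quoted (defanged) in the article, refanged to match real DNS telemetry.
IOC_DOMAINS = {d.replace("[.]", ".") for d in ("kmsupdate2023[.]com", "kms-win11-update[.]net")}

# Rule 1: PowerShell adding a Defender exclusion (path, process or extension).
DEFENDER_EXCLUSION = re.compile(r"(?i)\b(Add|Set)-MpPreference\b.*-Exclusion(Path|Process|Extension)")
# Rule 2: scheduled-task creation whose action lives in a user-writable directory.
SCHTASKS_CREATE = re.compile(r"(?i)\bschtasks(\.exe)?\b.*/create\b")
USER_WRITABLE = re.compile(r"(?i)\\(AppData|Temp|Users\\Public|ProgramData)\\")


@dataclass
class Finding:
    line_no: int
    rule: str
    detail: str


def parse_kv(line: str) -> dict:
    """Parse an assumed 'Key=value Key="quoted value"' log line into a dict with lower-cased keys."""
    return {k.lower(): v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def hunt(lines) -> list:
    """Apply the three rules to each line and return the findings in log order."""
    findings = []
    for n, line in enumerate(lines, 1):
        ev = parse_kv(line)
        kind = ev.get("event", "").lower()
        cmd = ev.get("commandline", "")
        if kind == "processcreate":
            if DEFENDER_EXCLUSION.search(cmd):
                findings.append(Finding(n, "defender_exclusion_added", cmd))
            if SCHTASKS_CREATE.search(cmd) and USER_WRITABLE.search(cmd):
                findings.append(Finding(n, "scheduled_task_user_writable", cmd))
        elif kind == "dnsquery":
            # Match the IOC domain itself or any subdomain of it; trailing dots are normalised away.
            q = ev.get("queryname", "").lower().rstrip(".")
            if q in IOC_DOMAINS or any(q.endswith("." + d) for d in IOC_DOMAINS):
                findings.append(Finding(n, "ioc_domain_lookup", q))
    return findings


# Constructed sample lines (not real telemetry) mimicking the chain described in the article.
SAMPLE_LOG = [
    'Event=ProcessCreate Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'CommandLine="powershell.exe -WindowStyle Hidden -Command Add-MpPreference -ExclusionPath C:\\Users\\Public\\KMSAuto"',
    'Event=ProcessCreate Image="C:\\Windows\\System32\\schtasks.exe" '
    'CommandLine="schtasks.exe /create /sc onlogon /tn WindowsUpdateCheck /tr C:\\Users\\victim\\AppData\\Roaming\\svchost.exe"',
    'Event=DnsQuery Image="C:\\Users\\victim\\AppData\\Roaming\\svchost.exe" QueryName=kmsupdate2023.com',
    # Benign noise: a task query (not creation) and an ordinary lookup should not fire.
    'Event=ProcessCreate Image="C:\\Windows\\System32\\schtasks.exe" '
    'CommandLine="schtasks.exe /query /tn Microsoft\\Windows\\Defrag\\ScheduledDefrag"',
    'Event=DnsQuery Image="C:\\Program Files\\Mozilla Firefox\\firefox.exe" QueryName=www.microsoft.com',
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule}: {f.detail}")
```

Run stand-alone, the script reports the first three sample lines and stays silent on the two benign ones. The exclusion rule is deliberately broad (any `Add-MpPreference`/`Set-MpPreference` with an exclusion parameter) because legitimate administrators rarely add exclusions from a hidden PowerShell window; the scheduled-task rule requires both creation and a user-writable action path to keep noise from ordinary system tasks down.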
Multiple indicators strongly attribute this campaign to Sandworm.
These include overlapping infrastructure, shared tactics and techniques (TTPs), and the reuse of malware like BACKORDER and DcRAT.
Debug symbols in the malware samples reference Russian-language build environments, further pointing to the campaign’s origin.
Additionally, WHOIS records tied to ProtonMail accounts and typosquatted domains like “kms-win11-update[.]net” reinforce the connection.
This campaign underscores the strategic use of cyber operations in geopolitical conflicts.
By targeting Ukraine’s reliance on pirated software, Sandworm not only compromises individual users but also threatens government networks and critical infrastructure.
Such attacks align with Russia’s broader hybrid warfare strategy, where cyber operations complement physical and economic pressures.
Organizations are advised to avoid pirated software, in particular activation tools downloaded from torrent sites, and to implement robust cybersecurity measures such as endpoint detection and response tools and network monitoring.
Awareness of phishing and fake-update lures, together with regular patching, can also reduce exposure to similar campaigns.