{
	"id": "0feac03f-eabb-40af-b681-844e2497b3f1",
	"created_at": "2026-04-06T00:18:53.419035Z",
	"updated_at": "2026-04-10T03:37:09.015859Z",
	"deleted_at": null,
	"sha1_hash": "630170c4c2f48b028bc15c5555abed7444c02eee",
	"title": "Sandworm APT Targets Ukrainian Users with Trojanized Microsoft KMS Activation Tools in Cyber Espionage Campaigns",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2140590,
	"plain_text": "Sandworm APT Targets Ukrainian Users with Trojanized\r\nMicrosoft KMS Activation Tools in Cyber Espionage Campaigns\r\nArchived: 2026-04-02 12:41:43 UTC\r\nExecutive Summary\r\nEclecticIQ analysts assess with high confidence that Sandworm (APT44) [1], a threat actor supporting Russia's\r\nMain Intelligence Directorate (GRU), is actively conducting a cyber espionage campaign against Ukrainian\r\nWindows users. Likely ongoing since late 2023, following Russia's invasion of Ukraine, Sandworm leverages\r\npirated Microsoft Key Management Service (KMS) activators and fake Windows updates to deliver a new version\r\nof BACKORDER [2], a loader previously associated with the group. BACKORDER ultimately deploys Dark\r\nCrystal RAT (DcRAT) [3], enabling attackers to exfiltrate sensitive data and conduct cyber espionage.\r\nMultiple pieces of evidence strongly link this campaign to Sandworm, also tracked by CERT-UA as UAC-0145\r\n[4], based on recurring use of ProtonMail accounts in WHOIS records, overlapping infrastructure, and consistent\r\nTactics, Techniques and Procedures (TTPs). Additionally, the reuse of BACKORDER, DcRAT, and TOR network\r\nmechanisms, along with debug symbols referencing a Russian-language build environment, further reinforce\r\nconfidence in Sandworm’s involvement.\r\nFigure 1 - Sandworm TTPs and malware in the EclecticIQ Threat Intelligence Platform.\r\nUkraine’s heavy reliance on cracked software, including in government institutions, creates a major attack surface.\r\nAccording to a public report [5], Microsoft has estimated that 70% of software in Ukraine’s state sector was\r\nunlicensed, a trend likely worsened by economic hardships from the ongoing war. Many users, including\r\nbusinesses and critical entities, have turned to pirated software from untrusted sources, giving adversaries like\r\nSandworm (APT44) a prime opportunity to embed malware in widely used programs. 
This tactic enables large-scale espionage, data theft, and network compromise, directly threatening Ukraine’s national security, critical\r\ninfrastructure, and private sector resilience.\r\nhttps://blog.eclecticiq.com/sandworm-apt-targets-ukrainian-users-with-trojanized-microsoft-kms-activation-tools-in-cyber-espionage-campaigns\r\nPage 1 of 24\n\nKMS Update Campaign: Trojanized KMS Activators Targeting Ukrainian Victims\r\nEclecticIQ analysts observed a password-protected ZIP file titled “KMSAuto++x64_v1.8.4.zip” [6], uploaded to\r\nTorrent [7], that was trojanized with the BACKORDER loader. The threat actors disguised the file as a KMS\r\nactivation tool [8] to target users who want to crack Windows licensing requirements. According to a\r\nreport from Mandiant, another GRU-linked threat actor, tracked as UNC4166, previously employed similar tactics\r\nagainst the Ukrainian government by using a trojanized Windows 10 operating system installer [9].\r\nFigure 2 - Torrent info of the malicious KMS Auto Tool.\r\nSince this initial case, EclecticIQ analysts have identified seven distinct malware distribution campaigns tied to\r\nthe same activity cluster, each employing similar lures and TTPs. On 12 January 2025, analysts observed the most\r\nrecent campaign using a typosquatted domain and slightly modified tactics to download and execute Dark Crystal\r\nRAT - a remote administration tool known for data exfiltration capabilities and previous use by Sandworm [10].\r\nBACKORDER Loader Delivers Dark Crystal RAT (DcRAT)\r\nThe KMS activation tool displays a fake Windows activation interface upon execution. 
Meanwhile, the threat\r\nactor’s Go-based loader BACKORDER initializes in the background, enabling malicious operations to proceed\r\nundetected against Windows Defender.\r\nFigure 3 - Execution of Trojanized KMS Auto Tool.\r\nThe BACKORDER loader disables Windows Defender and adds exclusion rules to certain folders via the\r\npowershell.exe -Command Add-MpPreference -ExclusionPath \u003cFolder-Path\u003e command, preparing the victim’s system for the\r\nfinal DcRAT payload.\r\nFigure 4 - Disassembled BACKORDER Loader.\r\nThe BACKORDER loader variant uses multiple Living Off the Land Binaries (LOLBAS/LOLBIN) during the\r\ndefense evasion process to ensure successful system infection. Figure 5 illustrates the LOLBAS/LOLBIN\r\ntechniques utilized by the loader:\r\nFigure 5 - List of LOLBAS/LOLBIN used by the BACKORDER Loader.\r\nBased on the disassembled code, the function main_convert_B64_to_Str() was responsible for retrieving and\r\ndecoding the Base64-encoded domain string, ultimately revealing the static URL\r\nkmsupdate2023[.]com/kms2023.zip. The payload name kms2023 is not obfuscated and appears in the .data\r\nsection of the Portable Executable (PE) file. This section typically stores initialized global and static variables,\r\nindicating that the malware stores the payload name in plaintext within this segment.\r\nAfter decoding the Base64, another function, main_get_zip(), downloads the heavily obfuscated DcRAT malware\r\nfrom the decoded URL and executes the payload. 
It then stores the malicious file at\r\n\\AppData\\Roaming\\kms2023\\kms2023.exe and saves an additional copy into \\AppData\\Local\\staticfile.exe.\r\nFigure 6 - Base64 encoded URL inside the disassembled BACKORDER Loader.\r\nOnce the system is infected, the DcRAT sample kms2023.exe [11] establishes a remote connection to the command-and-control server\r\nonedrivepack[.]com/pipe_RequestPollUpdateProcessAuthwordpress.php, which is very likely operated by the threat\r\nactor. The DcRAT malware exfiltrates the following details from the victim’s computer to the attacker-controlled\r\ncommand-and-control server:\r\nScreenshot of the device\r\nThe victim’s keystrokes\r\nBrowser cookies, history and saved credentials\r\nCredentials from popular FTP applications\r\nSystem information such as hostname, usernames, language preference settings, and installed applications\r\nSaved credit card details\r\nUsing Scheduled Tasks to Maintain Access\r\nEclecticIQ analysts observed that the DcRAT sample created multiple scheduled tasks to maintain persistent\r\naccess on the victim’s device by regularly launching the malicious payload. The malware used the built-in Windows binary schtasks.exe to register two different scheduled tasks, named staticfiles and staticfile, and executed\r\nstaticfile.exe with elevated privileges from C:\\Users\\Admin\\AppData\\Local. 
This tactic ensures the adversary\r\nretains a foothold on the system, allowing malicious operations to continue even after reboots or user logoffs.\r\nFigure 7 - Scheduled tasks for persistent access on a victim’s device.\r\nRussian-Language Comments and Debug Symbol Expose Likely Russian Origin\r\nOn 25 November 2024, EclecticIQ analysts detected another trojanized KMS activation lure uploaded to\r\nVirusTotal from Ukraine [12], using tactics consistent with prior campaigns of the BACKORDER loader.\r\nThe malware sample was compiled as a 64-bit Python 3.13 application via PyInstaller and contained\r\ndebug paths and Russian-language comments, signaling likely Russian origins. The malicious KMS activator\r\ndownloads and executes a second-stage payload upon execution.\r\nCloser analysis revealed that the fake activator deploys a Python script, main.py, alongside two scripts—\r\nFunctions.py and Functions_2.py—to perform various tasks. These scripts:\r\nDisable Windows security features\r\nLoad the malware\r\nEstablish persistence through scheduled tasks\r\nIn Functions.py:\r\nFigure 8 – Russian language comments inside the source code.\r\nEnglish translations:\r\n“We will change the working directory to the script directory”\r\n“We will change back to the working directory”\r\nIn Functions_2.py:\r\nFigure 9 - Russian language print output inside the source code.\r\nEnglish translation:\r\n“Permission error while creating file: {target_file_path}”\r\nFunctions.py downloads a ZIP file with Windows Office activation scripts from a GitHub repository and extracts\r\nthem into %LOCALAPPDATA%\\Microsoft-Activation-Scripts. 
It then displays a user interface for the victim.\r\nFunctions_2.py further preps the system by disabling Defender scans, stopping Windows Updates, and\r\nestablishing persistence through a scheduled task. As part of this process, it copies malicious DLLs (e.g., Runtime\r\nBroker.dll, stream.x86.x.dll) into the same Microsoft-Activation-Scripts directory. This defense evasion technique\r\nis also used by the BACKORDER loader sample.\r\nFigure 10 - Microsoft Defender exclusion function very similar to previous campaign of BACKORDER.\r\nThe script creates a scheduled task named OneDrive Reporting Task-S-1-6-91-2656291417-2341898128-2085478365-1000.\r\nEach time the user logs in, Windows runs:\r\nrundll32.exe %LOCALAPPDATA%\\Microsoft-Activation-Scripts\\stream.x86.x.dll,ExportedFunction\r\nAnalysts assess with medium confidence that the dropped malicious DLL file, Runtime Broker.dll [13], is very\r\nlikely a new version of the BACKORDER loader, developed in Go and designed to download and execute\r\nsecond-stage malware from the remote host https://activationsmicrosoft[.]com/activationsmicrosoft.php. 
As of the\r\ntime of writing, analysts have been unable to obtain the second-stage malware due to the shutdown of the attacker-controlled\r\nremote server.\r\nFigure 11 - URL for downloading second stage payload.\r\nOne of the most revealing mistakes was the actor’s failure to remove debug symbols from the binary, which\r\nexposed the original build location and file name New_dropper.go:\r\nFigure 12 - Debug symbol remnants in the new version of the BACKORDER loader.\r\nThe IEUser reference matches Microsoft’s previously provided test virtual machines (VMs), suggesting the threat\r\nactor compiled the malware on this default user account.\r\nShared Registrars and Emails Connect Multiple Malicious Domains to the Same\r\nThreat Cluster\r\nThe onedrivestandalone.php URL path on the kmsupdate2023[.]com C2 domain links to a broader malware-delivery campaign. Analysts pivoted from this indicator to uncover multiple additional C2 servers, each using a\r\n“KMS activation” lure, suggesting they are very likely part of the same operation. Figure 13 in the EclecticIQ\r\nThreat Intelligence Platform’s graph view highlights several more domains tied to this campaign, reinforcing its\r\nscale and coordinated infrastructure very likely used by Sandworm members.\r\nFigure 13 - Graph view of the domain pivoting and WHOIS details.\r\nRegistrar and Emails:\r\nFour of the domains (windowsupdatesystem[.]org, kms-win11-update[.]net, kalambur[.]net, and\r\nratiborus2023[.]com, kmsupdate2023[.]com) share the same registrar, PDR Ltd. 
d/b/a\r\nPublicDomainRegistry.com.\r\nTwo registrant emails appear multiple times:\r\nemail: inekawaki@proton[.]me\r\nemail: asmohamed2030@protonmail[.]com\r\nonedrivestandaloneupdater[.]com is registered with GMO Internet, Inc. and uses the email:\r\nemail: repgoti@proton[.]me\r\nFrom these WHOIS records, analysts identified several shared characteristics:\r\nConsistent abuse of Cloudflare nameservers\r\nRecurrent proton.me and protonmail.com registrant email addresses\r\nOverlapping registrars, predominantly PDR Ltd. and GMO Internet, Inc.\r\nCreation dates clustered between late 2023 and late 2024\r\nKalambur: Analysts Discovered New RDP Backdoor Disguised as Windows\r\nUpdate, Leverages TOR for Stealth\r\nEclecticIQ analysts observed a new backdoor following the domain pivot. In this case, the threat actor used the\r\ndomain kalambur[.]net to download a Microsoft Windows Update-themed RDP backdoor. Analysts named this\r\nmalware Kalambur (каламбур) based on the file and domain name chosen by the attacker. In Russian (and\r\nsome other Slavic languages), «каламбур» (kalambur) refers to a pun.\r\nThe malware execution flow starts with the kalambur2021_v39.exe C#-based backdoor [14] and downloader. It is\r\ndesigned to download a repackaged TOR binary inside a ZIP file and retrieve additional tools from what is likely\r\nan attacker-controlled TOR onion site.\r\nAnalysis of the Loader and Embedded PowerShell Script\r\nDuring static and dynamic analysis of kalambur2021_v39.exe, analysts discovered a PowerShell script in the\r\nloader's resources section. Upon execution, the script performs a series of malicious actions:\r\n1. 
Tor-based Command-and-Control (C2)\r\nFigure 14 - PowerShell code using CURL.exe for the C2 activity over onion site.\r\nTerminates any pre-existing Tor service, installs its own Tor service, and reconfigures it to listen on\r\n127.0.0.1:9050 as a SOCKS5 proxy. A similar attack pattern was also observed by Mandiant and attributed to\r\nUNC4166 [9].\r\n2zilmiystfbjib2k4hvhpnv2uhni4ax5ce4xlpb7swkjimfnszxbkaid[.]onion\r\nUses curl.exe with the SOCKS5 tunnel to communicate with the .onion domain, sending and receiving\r\ncommands discreetly.\r\n2. Persistence via Scheduled Tasks\r\nFigure 15 - Kalambur references in the PowerShell Script and Scheduled Tasks creation function.\r\nCreates a scheduled task named WindowsUpdateCheck, pointing to rata.vbs, running every 60 minutes\r\nunder the SYSTEM account.\r\nThis ensures the malicious script runs repeatedly, even after reboots, maintaining persistence.\r\n3. System Information Gathering and Exfiltration\r\nRetrieves the machine’s public IP (using ident.me) and fetches the UUID from\r\nWin32_ComputerSystemProduct.\r\nSaves this data locally (e.g., ip0, uuid0, cn0) and then exfiltrates it to the attacker’s hidden service.\r\n4. Downloads TOR Browser for C2 activity\r\nFigure 16 - Downloading TOR browser from remote host inside the ZIP folder.\r\nDownloads a ZIP file (commonly called WindowsUpdate.zip) from kalambur[.]net, extracts it, and runs the\r\nincluded executable (searchindex.exe).\r\nFetches hid.dll [15] from the same domain, placing it in CommonProgramFiles\\Microsoft Shared\\ink\\,\r\nused for DLL Injection and TOR Browser installation.\r\n5. 
OpenSSH Deployment\r\nFigure 17 - Installation of OpenSSH and SSH backdoor creation.\r\nThe script downloads and silently installs Win32-OpenSSH, opening TCP port 22 in the firewall.\r\nThis creates an additional remote-control channel for the attackers, beyond the RDP backdoor.\r\n6. RDP Backdoor Setup\r\nFigure 18 - Creation of new user for RDP Backdoor.\r\nModifies registry and firewall settings to enable Remote Desktop Protocol (RDP) on port 3389, reduces\r\nRDP security layers, and allows inbound connections.\r\nCreates or reactivates a hidden administrator user (e.g., Admin or WGUtilityOperator) with a predefined\r\npassword (1qaz@WSX). The user account is hidden in Windows logon settings via registry edits.\r\n7. Cleanup of Traces\r\nDeletes leftover installers and temporary scripts, such as the MSI file for OpenSSH, the downloaded ZIP\r\narchive, and helper .vbs files, minimizing evidence on disk.\r\nConclusion: From Pirated Software to the Compromise of Critical Infrastructure\r\nin Ukraine\r\nEclecticIQ assesses with medium confidence that Sandworm (APT44) is distributing trojanized pirated software\r\nthrough Ukrainian-speaking forums, warez sites, and other illicit software-sharing platforms. This assessment is\r\nbased on multiple sources indicating such activity [9], but with some gaps in data related to new campaigns that\r\nprevent a higher confidence level. Given Ukraine's high piracy rates and economic constraints [16], these channels\r\nlikely serve as weak points for initial infection vectors. 
According to a 2018 Business Software Alliance (BSA)\r\nreport [17], Ukraine had a software piracy rate of approximately 80%, making it one of the highest in Europe.\r\nBy embedding malware within pirated Windows activators, fake updates, and software cracks, Sandworm has\r\nvery likely gained access to home users, businesses, and potentially government networks. CERT-UA's findings\r\nsuggest this method has already been exploited in at least one confirmed incident [18].\r\nOn April 3, 2023, CERT-UA reported [19] that a Ukrainian utility company employee installed a pirated version of\r\nMicrosoft Office, unknowingly executing malicious DarkCrystal RAT and DWAgent Remote Monitoring and\r\nManagement (RMM) software. This gave attackers unauthorized access to the company’s information and\r\ncommunication system (ICS) devices, posing a direct threat to operational technology (OT). Although no major\r\ndisruptions were publicly reported, the incident underscores the risk associated with trojanized software in critical\r\ninfrastructure environments.\r\nBy leveraging trojanized software to infiltrate ICS environments, Sandworm (APT44) continues to demonstrate its\r\nstrategic objective of destabilizing Ukraine's critical infrastructure in support of Russian geopolitical ambitions.\r\nThis tactic aligns with Moscow’s broader hybrid warfare strategy, where cyber operations complement kinetic and\r\neconomic pressure to undermine Ukrainian sovereignty.\r\nSIGMA Rules\r\ntitle: Kalambur Backdoor TOR/SOCKS5 Detection\r\nid: E99375EB-3EE0-407A-9F90-79569CC6A01C\r\ndate: 2025-02-02\r\nstatus: test\r\nauthor: Arda Buyukkaya (EclecticIQ)\r\ndescription: \u003e\r\n  Detects executions of curl.exe where the command-line arguments include a SOCKS5 proxy\r\n  indicator (\"socks5h://127.0.0.1:9050\") or a reference to an 
onion domain. In addition to\r\n  checking the arguments, the rule confirms that the process is indeed curl.exe by verifying\r\n  that either the process name or one of the description fields indicates the use of curl.\r\nreferences:\r\n  - https://www.eclecticiq.com\r\ntags:\r\n  - attack.t1090\r\n  - attack.t1573\r\n  - attack.t1071.001\r\n  - attack.t1059.001\r\n  - attack.t1059.003\r\n  - attack.s0183\r\nlogsource:\r\n  category: process_creation\r\n  product: windows\r\ndetection:\r\n  selection:\r\n    Image|endswith: '\\\\curl.exe'\r\n    CommandLine|contains:\r\n      - 'socks5h://127.0.0.1:9050'\r\n      - '.onion/'\r\n    Description|contains: 'The curl executable'\r\n    Product|contains: 'The curl executable'\r\n    Company|contains: 'curl, https://curl.se/'\r\n  condition: selection\r\nfalsepositives:\r\n  - Legitimate use of curl with SOCKS5 proxies or TOR\r\nlevel: high\r\ntitle: \"Suspicious Windows Defender Exclusion in BACKORDER Loader\"\r\nid: \"76FEE02A-AB0E-49A6-8972-C2FC7ECBD51E\"\r\ndate: \"2025-02-02\"\r\nstatus: test\r\nauthor: Arda Buyukkaya (EclecticIQ)\r\ndescription: \u003e\r\n  This Sigma rule detects process creation events that may indicate malicious activity\r\n  associated with the BACKORDER Loader Deliverers Dark Crystal RAT (DcRAT) campaign.\r\n  The loader disables Windows Defender and adds exclusion rules via multiple Living Off the Land Binaries\r\n  (LOLBAS) to evade detection.\r\nreferences:\r\n  - https://www.eclecticiq.com\r\ntags:\r\n  - attack.t1546.003\r\n  - attack.s0075\r\n  - attack.t1562.001\r\n  - attack.t1059.001\r\n  - attack.t1053.005\r\nlogsource:\r\n  category: process_creation\r\n  product: 
windows\r\ndetection:\r\n  selection_wmic_add_exclusion:\r\n    Image|endswith: \"\\\\WMIC.exe\"\r\n    CommandLine|contains:\r\n      - '/NAMESPACE:\\\\root\\\\Microsoft\\\\Windows\\\\Defender'\r\n      - 'MSFT_MpPreference'\r\n      - 'Add ExclusionPath='\r\n  selection_wmic_networkadapter:\r\n    Image|endswith: \"\\\\WMIC.exe\"\r\n    CommandLine|contains:\r\n      - \"path Win32_NetworkAdapter\"\r\n  selection_reg_query_defender:\r\n    Image|endswith: \"\\\\reg.exe\"\r\n    CommandLine|contains:\r\n      - \"query\"\r\n      - \"Windows Defender\"\r\n      - \"DisableAntiSpyware\"\r\n  selection_sc_query:\r\n    Image|endswith: \"\\\\sc.exe\"\r\n    CommandLine|contains:\r\n      - \"query WinDefend\"\r\n      - \"query SecurityHealthService\"\r\n  selection_powershell_add_mppreference:\r\n    Image|endswith: \"\\\\powershell.exe\"\r\n    CommandLine|contains:\r\n      - \"-Command\"\r\n      - \"Add-MpPreference\"\r\n      - \"ExclusionPath\"\r\n  condition: 1 of selection_*\r\nfalsepositives:\r\n  - \"Legitimate administrative actions to disable Windows Defender.\"\r\nlevel: \"high\"\r\nYARA Rule\r\nimport \"pe\"\r\nrule MAL_BACKORDER_LOADER_WIN_Go_Jan23 {\r\n   meta:\r\n      description = \"Detects the BACKORDER loader compiled in GO which download and executes a second stage payload from a remote server.\"\r\n      author = \"Arda Buyukkaya\"\r\n      date = \"2025-01-23\"\r\n      reference = \"EclecticIQ\"\r\n      tags = \"loader, golang, BACKORDER, malware, windows\"\r\n      hash = \"70c91ffdc866920a634b31bf4a070fb3c3f947fc9de22b783d6f47a097fec2d8\"\r\n   strings:\r\n      $x_GoBuildId = /Go build ID: \\\"[a-zA-Z0-9\\/_-]{40,120}\\\"/ 
ascii wide\r\n      $s_DefenderExclusion = \"powershell Add-MpPreference -ExclusionPath\"\r\n      // Debug symbols commonly seen in BACKORDER loader\r\n      $s_DebugSymbol_1 = \"C:/updatescheck/main.go\"\r\n      $s_DebugSymbol_2 = \"C:/Users/IEUser/Desktop/Majestic/14.11/New_droper.go\"\r\n      $s_DebugSymbol_3 = \"C:/Users/IEUser/Desktop/Majestic/14.11/Droper.go\"\r\n      // Function name patterns observed in BACKORDER loader\r\n      $s_FunctionNamePattern_1 = \"main.getUpdates.func\"\r\n      $s_FunctionNamePattern_2 = \"main.obt_zip\"\r\n      $s_FunctionNamePattern_3 = \"main.obtener_zip\"\r\n      $s_FunctionNamePattern_4 = \"main.get_zip\"\r\n      $s_FunctionNamePattern_5 = \"main.show_pr0gressbar\"\r\n      $s_FunctionNamePattern_6 = \"main.pr0cess\"\r\n   condition:\r\n      pe.is_pe\r\n      and\r\n      filesize \u003c 10MB\r\n      and\r\n      $x_GoBuildId\r\n      and\r\n      (\r\n         $s_DefenderExclusion\r\n         or\r\n         1 of ($s_DebugSymbol_*)\r\n         or\r\n         2 of ($s_FunctionNamePattern_*)\r\n      )\r\n}\r\nIOCs\r\nKMS Lure Uploaded to Torrent:\r\nbtdig[.]com/172d3750e3617526563dd0b24c4ba88f907622b9\r\nFake Microsoft Activation Program – SHA 256 Hash:\r\nBACKORDER loader - SHA 256 
Hash:\r\nDark Crystal RAT (DcRAT) - SHA 256 Hash:\r\nKalambur Backdoor – SHA 256 
Hash:\r\nC2 Ipv4 Address:\r\nC2 Domains:\r\nMITRE TTPs\r\nT1204.002 – User Execution: Malicious File\r\nT1059.001 – Command and Scripting Interpreter: PowerShell\r\nT1218.011 – Signed Binary Proxy Execution: Rundll32\r\nT1569.002 – System Services: Service Execution\r\nT1053.005 – Scheduled Task/Job: Scheduled Task\r\nT1548.002 – Abuse Elevation Control Mechanism: Bypass User Account Control\r\nT1562.001 – Impair Defenses: Disable or Modify Tools\r\nT1218 – Signed Binary Proxy Execution\r\nT1070.004 – Indicator Removal on Host: File Deletion\r\nT1555.003 – Credentials from Web Browsers\r\nT1056.001 – Input Capture: Keylogging\r\nT1082 – System Information Discovery\r\nT1021.001 – Remote Services: Remote Desktop Protocol (RDP)\r\nT1021.004 – Remote Services: SSH\r\nT1113 – Screen Capture\r\nT1005 – Data from Local System\r\nT1090.003 – Proxy: Multi-hop Proxy\r\nT1071.001 – Application Layer Protocol: Web Protocol\r\nT1105 – Ingress Tool Transfer\r\nT1041 – Exfiltration Over C2 Channel\r\nReferences\r\n[1] “Sandworm Team, ELECTRUM, Telebots, IRON VIKING, BlackEnergy (Group), Quedagh, Voodoo\r\nBear, IRIDIUM, Seashell Blizzard, FROZENBARENTS, 
APT44, Group G0034 | MITRE ATT\u0026CK®.” Accessed:\r\nJan. 21, 2025. [Online]. Available: https://attack.mitre.org/groups/G0034/\r\n[2] “2024-04-17-Mandiant-APT44-Unearthing-Sandworm.pdf.” Accessed: Jan. 21, 2025. [Online].\r\nAvailable: https://nsarchive.gwu.edu/sites/default/files/documents/semon9-ryglx/2024-04-17-Mandiant-APT44-Unearthing-Sandworm.pdf\r\n[3] “Analyzing Dark Crystal RAT, a C# Backdoor,” Google Cloud Blog. Accessed: Jan. 21, 2025. [Online].\r\nAvailable: https://cloud.google.com/blog/topics/threat-intelligence/analyzing-dark-crystal-rat-backdoor\r\n[4] “CERT-UA,” cert.gov.ua. Accessed: Jan. 21, 2025. [Online]. Available:\r\nhttps://cert.gov.ua/article/4279195\r\n[5] O. Removska and R. Coalson, “Ukraine’s Trade Privileges On Line Over Intellectual-Piracy Concerns,”\r\nRadio Free Europe/Radio Liberty, 00:48:24Z. Accessed: Feb. 06, 2025. [Online]. Available:\r\nhttps://www.rferl.org/a/ukraine-sanctions-intellectual-property/24928537.html\r\n[6] “VirusTotal - File - ed5735449a245355706fc58f4b744251f6e499833f02a972f9bd448c28467194.”\r\nAccessed: Jan. 21, 2025. [Online]. Available:\r\nhttps://www.virustotal.com/gui/file/ed5735449a245355706fc58f4b744251f6e499833f02a972f9bd448c28467194\r\n[7] “KMSAuto++x64_v1.8.4 torrent.” Accessed: Jan. 21, 2025. [Online]. Available:\r\nhttps://btdig.com/172d3750e3617526563dd0b24c4ba88f907622b9\r\n[8] Xelu86, “Key Management Services (KMS) client activation and product keys for Windows Server and\r\nWindows.” Accessed: Jan. 21, 2025. [Online]. Available: https://learn.microsoft.com/en-us/windows-server/get-started/kms-client-activation-keys\r\n[9] “Trojanized Windows 10 Operating System Installers Targeted Ukrainian Government | Mandiant,”\r\nGoogle Cloud Blog. Accessed: Jan. 
19, 2025. [Online]. Available: https://cloud.google.com/blog/topics/threat-intelligence/trojanized-windows-installers-ukrainian-government\r\n[10] S. I. Gutierrez James Slaughter, and Fred, “Ukraine Targeted by Dark Crystal RAT (DCRat) | FortiGuard\r\nLabs,” Fortinet Blog. Accessed: Jan. 19, 2025. [Online]. Available: https://www.fortinet.com/blog/threat-research/ukraine-targeted-by-dark-crystal-rat\r\n[11] “VirusTotal - URL.” Accessed: Jan. 21, 2025. [Online]. Available:\r\nhttps://www.virustotal.com/gui/file/b9be4a6271c4660bb9a45985c85975330ab98454d0581de979738e3d3e71d03a/details\r\n[12] “VirusTotal - File - afc6131b17138a6132685617aa60293a40f2462dc3a810a4cf745977498e0255.”\r\nAccessed: Jan. 21, 2025. [Online]. Available:\r\nhttps://www.virustotal.com/gui/file/afc6131b17138a6132685617aa60293a40f2462dc3a810a4cf745977498e0255/telemetry\r\n[13] “VirusTotal - File - a42de97a466868efbfc4aa1ef08bfdb3cc5916d1accd59cfffff1a896d569412.”\r\nAccessed: Jan. 21, 2025. [Online]. Available:\r\nhttps://www.virustotal.com/gui/file/a42de97a466868efbfc4aa1ef08bfdb3cc5916d1accd59cfffff1a896d569412/details\r\n[14] “VirusTotal - File - aadd85e88c0ebb0a3af63d241648c0670599c3365ff7e5620eb8d06902fdde83.”\r\nAccessed: Jan. 21, 2025. [Online]. Available:\r\nhttps://www.virustotal.com/gui/file/aadd85e88c0ebb0a3af63d241648c0670599c3365ff7e5620eb8d06902fdde83\r\n[15] “VirusTotal - File - b545c5ee0498637737d4edff4b0cc672fe097a1ecfba1a08bb4d07e8affe79d3.”\r\nAccessed: Jan. 21, 2025. [Online]. Available:\r\nhttps://www.virustotal.com/gui/file/b545c5ee0498637737d4edff4b0cc672fe097a1ecfba1a08bb4d07e8affe79d3/details\r\n[16] “1924a044-b30f-48a2-99c1-50edeac14da1_en.pdf.” Accessed: Feb. 07, 2025. [Online]. 
Available:\r\nhttps://enlargement.ec.europa.eu/document/download/1924a044-b30f-48a2-99c1-50edeac14da1_en?filename=Ukraine%20Report%202024.pdf\r\n[17]        “2018_BSA_GSS_Report_en.pdf.” Accessed: Feb. 07, 2025. [Online]. Available: https://gss.bsa.org/wp-content/uploads/2018/05/2018_BSA_GSS_Report_en.pdf\r\n[18]        “CERT-UA,” cert.gov.ua. Accessed: Feb. 07, 2025. [Online]. Available:\r\nhttps://cert.gov.ua/article/4279195\r\n[19]        M. B. April 4 and 2023, “Pirated Software Compromised Ukrainian Utility Company.” Accessed: Feb.\r\n07, 2025. [Online]. Available: https://www.bankinfosecurity.com/pirated-software-compromised-ukrainian-utility-company-a-21618\r\nSource: https://blog.eclecticiq.com/sandworm-apt-targets-ukrainian-users-with-trojanized-microsoft-kms-activation-tools-in-cyber-espionage-campaigns",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.eclecticiq.com/sandworm-apt-targets-ukrainian-users-with-trojanized-microsoft-kms-activation-tools-in-cyber-espionage-campaigns"
	],
	"report_names": [
		"sandworm-apt-targets-ukrainian-users-with-trojanized-microsoft-kms-activation-tools-in-cyber-espionage-campaigns"
	],
	"threat_actors": [
		{
			"id": "0661a292-80f3-420b-9951-a50e03c831c0",
			"created_at": "2023-01-06T13:46:38.928796Z",
			"updated_at": "2026-04-10T02:00:03.148052Z",
			"deleted_at": null,
			"main_name": "IRIDIUM",
			"aliases": [],
			"source_name": "MISPGALAXY:IRIDIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "39842197-944a-49fd-9bec-eafa1807e0ea",
			"created_at": "2022-10-25T16:07:24.310589Z",
			"updated_at": "2026-04-10T02:00:04.931264Z",
			"deleted_at": null,
			"main_name": "TeleBots",
			"aliases": [],
			"source_name": "ETDA:TeleBots",
			"tools": [
				"BadRabbit",
				"Black Energy",
				"BlackEnergy",
				"CredRaptor",
				"Diskcoder.C",
				"EternalPetya",
				"ExPetr",
				"Exaramel",
				"FakeTC",
				"Felixroot",
				"GreyEnergy",
				"GreyEnergy mini",
				"KillDisk",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"NonPetya",
				"NotPetya",
				"Nyetya",
				"Petna",
				"Petrwrap",
				"Pnyetya",
				"TeleBot",
				"TeleDoor",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"nPetya"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75455540-2f6e-467c-9225-8fe670e50c47",
			"created_at": "2022-10-25T16:07:23.740266Z",
			"updated_at": "2026-04-10T02:00:04.732992Z",
			"deleted_at": null,
			"main_name": "Iridium",
			"aliases": [],
			"source_name": "ETDA:Iridium",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"LazyCat",
				"Powerkatz",
				"SinoChopper",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434733,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/630170c4c2f48b028bc15c5555abed7444c02eee.pdf",
		"text": "https://archive.orkl.eu/630170c4c2f48b028bc15c5555abed7444c02eee.txt",
		"img": "https://archive.orkl.eu/630170c4c2f48b028bc15c5555abed7444c02eee.jpg"
	}
}