{
	"id": "b6960cd2-c738-4efe-a779-95b9f236db35",
	"created_at": "2026-04-06T00:12:53.998646Z",
	"updated_at": "2026-04-10T03:37:08.645303Z",
	"deleted_at": null,
	"sha1_hash": "ae416540f6bc8a09dae9656b297141580b9f515b",
	"title": "Sandworm APT Exploits Trojanized KMS Tools to Target Ukrainian Users in Cyber Espionage Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 114443,
	"plain_text": "Sandworm APT Exploits Trojanized KMS Tools to Target\r\nUkrainian Users in Cyber Espionage Campaign\r\nBy Ddos\r\nPublished: 2025-02-12 · Archived: 2026-04-05 20:06:33 UTC\r\nExecution of Trojanized KMS Auto Tool | Source: EclecticIQ\r\nThe notorious Sandworm APT (APT44), a Russian-state-sponsored threat actor affiliated with the GRU (Russia’s\r\nMain Intelligence Directorate), has been observed actively targeting Ukrainian Windows users through trojanized\r\nMicrosoft Key Management Service (KMS) activators. According to a recent EclecticIQ report, this campaign has\r\nbeen ongoing since late 2023, leveraging pirated software to deliver a new version of BACKORDER, a loader that\r\nultimately deploys Dark Crystal RAT (DcRAT), facilitating cyber espionage and data exfiltration.\r\nThe threat actors are disguising malware within a fake KMS activation tool, KMSAuto++x64_v1.8.4.zip,\r\nuploaded to torrent sites to target users attempting to bypass Windows licensing. EclecticIQ analysts noted:\r\n“Ukraine’s heavy reliance on cracked software, including in government institutions, creates a major attack\r\nsurface.”\r\nMicrosoft has estimated that 70% of software in Ukraine’s state sector was unlicensed, providing adversaries like\r\nSandworm an opportunity to distribute trojanized software widely.\r\nhttps://securityonline.info/sandworm-apt-exploits-trojanized-kms-tools-to-target-ukrainian-users-in-cyber-espionage-campaign/\r\nPage 1 of 3\n\nHow the Attack Works\r\nStep 1: Execution of Trojanized KMS Activator\r\nUpon execution, the fake KMS activation tool displays a Windows activation interface, while in the background,\r\nthe BACKORDER loader initializes, executing malicious operations without raising red flags.\r\nStep 2: Disabling Windows Defender\r\nThe BACKORDER loader executes the following PowerShell command:\r\npowershell.exe -Command Add-MpPreference –ExclusionPath \u003cFolder-Path\u003e\r\nThis adds an exclusion rule to bypass security detections, paving the way for malware installation.\r\nStep 3: Deployment of Dark Crystal RAT (DcRAT)\r\nThe malware decodes a Base64-encoded domain string stored in its Portable Executable (PE) file and downloads\r\nDcRAT from kmsupdate2023[.]com/kms2023.zip. The RAT is then stored and executed from:\r\n\\AppData\\Roaming\\kms2023\\kms2023.exe\r\n\\AppData\\Local\\staticfile.exe\r\nStep 4: Establishing Persistent Access\r\nTo ensure longevity on the infected system, DcRAT creates multiple scheduled tasks using Windows’ built-in\r\nbinary schtasks.exe. This enables persistence across reboots.\r\nOnce executed, DcRAT exfiltrates sensitive data, including:\r\nScreenshots of the device\r\nKeystrokes recorded from the victim\r\nBrowser cookies, history, and saved credentials\r\nStored FTP credentials\r\nSystem information (hostname, installed applications, language settings, etc.)\r\nSaved credit card details\r\nAccording to EclecticIQ, “DcRAT kms2023.exe establishes a remote connection to the command-and-control\r\nserver onedrivepack[.]com/pipe_RequestPollUpdateProcessAuthwordpress.php, that is very likely operated by the\r\nthreat actor.”\r\nMultiple pieces of evidence link this campaign to Sandworm (APT44), including:\r\n1. Use of ProtonMail WHOIS records\r\n2. Overlapping C2 infrastructure\r\n3. Reuse of BACKORDER and DcRAT malware\r\n4. Russian-language debug symbols in malware samples\r\nhttps://securityonline.info/sandworm-apt-exploits-trojanized-kms-tools-to-target-ukrainian-users-in-cyber-espionage-campaign/\r\nPage 2 of 3\n\nOrganizations and individuals must exercise extreme caution when downloading software from untrusted sources\r\nand should implement security best practices.\r\nRelated Posts:\r\nMandiant Unveils Russian Cyber Espionage in Ukraine’s Grid Disruption\r\nSandworm Targets Ukraine’s Critical Infrastructure with New Attack Wave\r\nSupport Our Threat Intelligence\r\nIf you find our CVE report and cybersecurity news helpful, consider supporting our work.\r\nPost navigation\r\nSource: https://securityonline.info/sandworm-apt-exploits-trojanized-kms-tools-to-target-ukrainian-users-in-cyber-espionage-campaign/\r\nhttps://securityonline.info/sandworm-apt-exploits-trojanized-kms-tools-to-target-ukrainian-users-in-cyber-espionage-campaign/\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securityonline.info/sandworm-apt-exploits-trojanized-kms-tools-to-target-ukrainian-users-in-cyber-espionage-campaign/"
	],
	"report_names": [
		"sandworm-apt-exploits-trojanized-kms-tools-to-target-ukrainian-users-in-cyber-espionage-campaign"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434373,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ae416540f6bc8a09dae9656b297141580b9f515b.pdf",
		"text": "https://archive.orkl.eu/ae416540f6bc8a09dae9656b297141580b9f515b.txt",
		"img": "https://archive.orkl.eu/ae416540f6bc8a09dae9656b297141580b9f515b.jpg"
	}
}