Threat Intelligence, Malware

Trojanized Microsoft activators leveraged in new Sandworm attacks

BleepingComputer reports that the Russian state-sponsored threat group Sandworm has been targeting Ukrainian Windows users since late 2023 with malicious Microsoft Key Management Service (KMS) activators and bogus Windows updates. Sandworm, also tracked as APT44, Seashell Blizzard, and UAC-0113, has carried out numerous malware intrusions as part of the campaign. According to an EclecticIQ analysis, the most recent wave distributed a fake KMS activation tool carrying the BACKORDER malware loader, which disables Windows Defender and then delivers DarkCrystal RAT (DcRAT).

DcRAT was observed exfiltrating saved credentials, browser cookies and histories, keystrokes, FTP credentials, and system details from compromised devices.

"Many users, including businesses and critical entities, have turned to pirated software from untrusted sources, giving adversaries like Sandworm (APT44) a prime opportunity to embed malware in widely used programs. This tactic enables large-scale espionage, data theft, and network compromise, directly threatening Ukraine's national security, critical infrastructure, and private sector resilience," said EclecticIQ.
