Russian-backed hackers, specifically the Sandworm APT group (also known as APT44 or UAC-0145), have been using weaponized Microsoft Key Management Service (KMS) activators to infiltrate Windows systems in Ukraine. The campaign, active since late 2023, uses pirated KMS tools and fake Windows updates to distribute malware, further destabilizing Ukraine's critical infrastructure.

The Sandworm group, affiliated with Russia's Main Intelligence Directorate (GRU), has been targeting Ukrainian organizations for over a decade. Security experts at SOC Prime note that the group is known for refining its tactics in Ukraine before deploying them globally.

Attackers are distributing Trojanized KMS activators, such as "KMSAuto++x64_v1.8.4.zip", disguised as legitimate activation tools, to target users attempting to bypass Windows licensing. Infection begins with BACKORDER, a loader that disables Windows Defender and leverages Living Off the Land Binaries (LOLBINs) to evade detection. BACKORDER then delivers the final payload, DarkCrystal RAT (DcRAT), which connects to a command and control (C2) server to exfiltrate sensitive data while maintaining persistence via scheduled tasks and elevated processes. Kalambur downloads a repackaged TOR binary and other attacker-controlled tools, further expanding the threat landscape.

To combat these threats, security teams can use Sigma rules and detection tools compatible with multiple security analytics solutions. These rules are mapped to the MITRE ATT&CK framework and provide extensive metadata for threat intelligence and triage recommendations. As these tactics continue to be refined and spread, organizations need to stay informed and use advanced threat detection tools to protect against such attacks.

A new family of malware has also been discovered that leverages Microsoft Outlook as a communication channel via the Microsoft Graph API.
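The detection approach the article points to (behaviour-based rules mapped to ATT&CK, then triage) can be sketched in a few lines. The script below is an added example written for this page, not SOC Prime's rules or anything from the original article: it runs four simple rules over constructed process-creation records that mirror the chain described (a KMS activator run from a Downloads folder, a Defender-disabling command, a scheduled task, a LOLBIN loading content from a user-writable path) and then correlates findings by parent process, since a single parent accounting for several tactics is what a loader-then-payload chain looks like in telemetry. The executable name, paths and command lines are all constructed; the ATT&CK technique ids are the standard MITRE ones.

```python
"""Toy behaviour-based detection pass over constructed Windows process-creation
records. Added example, not code from the article or from SOC Prime.

Record format (constructed): "image|command_line|parent_image".
"""
import re
from dataclasses import dataclass

# Constructed sample telemetry modelled on the chain the article describes.
# The .exe name assumes the archive KMSAuto++x64_v1.8.4.zip unpacks to a
# same-named executable; that is an assumption for the example only.
SAMPLE_EVENTS = [
    r"C:\Users\u\Downloads\KMSAuto++x64_v1.8.4.exe|KMSAuto++x64_v1.8.4.exe|explorer.exe",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -nop -c Set-MpPreference -DisableRealtimeMonitoring $true|KMSAuto++x64_v1.8.4.exe",
    r"C:\Windows\System32\schtasks.exe|schtasks /create /sc onlogon /tn Updater /tr C:\Users\u\AppData\Roaming\svc.exe /rl highest|KMSAuto++x64_v1.8.4.exe",
    r"C:\Windows\System32\rundll32.exe|rundll32.exe C:\Users\u\AppData\Roaming\x.dll,Run|KMSAuto++x64_v1.8.4.exe",
    r"C:\Windows\System32\notepad.exe|notepad.exe C:\Users\u\notes.txt|explorer.exe",
]

# Binaries commonly abused as LOLBINs (a small illustrative subset).
LOLBINS = {"rundll32.exe", "mshta.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}


@dataclass(frozen=True)
class Event:
    image: str
    cmdline: str
    parent: str


def parse_event(line: str) -> Event:
    image, cmdline, parent = line.split("|", 2)
    return Event(image.strip(), cmdline.strip(), parent.strip())


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_kms_activator(e: Event) -> bool:
    """User execution of a KMS activator binary (T1204.002)."""
    return "kmsauto" in basename(e.image) or "kmsauto" in e.cmdline.lower()


def disables_defender(e: Event) -> bool:
    """Defender tampering from the command line (T1562.001)."""
    c = e.cmdline.lower()
    return ("set-mppreference" in c and "-disable" in c) or \
        re.search(r"\bsc(\.exe)?\s+(stop|delete)\s+windefend", c) is not None


def creates_scheduled_task(e: Event) -> bool:
    """Scheduled task creation, the persistence mechanism named in the article (T1053.005)."""
    return basename(e.image) == "schtasks.exe" and "/create" in e.cmdline.lower()


def lolbin_from_user_dir(e: Event) -> bool:
    """A LOLBIN pointed at content under a user-writable directory (T1218)."""
    return basename(e.image) in LOLBINS and \
        re.search(r"\\users\\[^\\]+\\(appdata|downloads)\\", e.cmdline.lower()) is not None


RULES = [
    ("Trojanized KMS activator executed", "T1204.002", is_kms_activator),
    ("Windows Defender disabled from command line", "T1562.001", disables_defender),
    ("Scheduled task created for persistence", "T1053.005", creates_scheduled_task),
    ("LOLBIN loading content from a user-writable path", "T1218", lolbin_from_user_dir),
]


def scan_events(lines):
    """Run every rule over every record; return one finding per rule hit."""
    findings = []
    for line in lines:
        e = parse_event(line)
        for name, technique, predicate in RULES:
            if predicate(e):
                findings.append({"rule": name, "technique": technique,
                                 "image": basename(e.image), "parent": basename(e.parent)})
    return findings


def correlate(findings):
    """Escalate parents whose children trip two or more distinct techniques:
    one process spawning defence evasion, persistence and proxy execution is
    the loader-then-payload pattern, not an isolated false positive."""
    by_parent = {}
    for f in findings:
        by_parent.setdefault(f["parent"], set()).add(f["technique"])
    return {p: sorted(t) for p, t in by_parent.items() if len(t) >= 2}


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"[{f['technique']}] {f['rule']}: {f['image']} (parent {f['parent']})")
    print("escalated:", correlate(scan_events(SAMPLE_EVENTS)))
```

Each predicate corresponds to one Sigma-style rule; in a real deployment the records would come from Sysmon event 1 or Windows 4688 logs rather than the constructed list, and the correlation step is what turns four medium-severity alerts into a single high-severity incident for triage.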
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 13 Feb 2025 10:50:17 +0000