Windows KMS activator used by russian hackers to steal Ukrainians' personal data
16.02.25
russian hacking group Sandworm attacks Ukrainian Windows users using Trojans in KMS activators and fake updates.
EclecticIQ researchers have discovered cyberattacks, beginning in late 2023, that are associated with the Sandworm (APT44) group. The hackers use the BACKORDER downloader to distribute the DarkCrystal RAT (DcRAT) malware, and they register the attack domains via ProtonMail.
Sandworm deploys Trojans via fake Windows KMS activators. Once installed, they disable Windows Defender, record keystrokes, steal cookies, passwords, and system information, and then transfer them to attackers’ servers.
Hackers are taking advantage of the prevalence of pirated software in Ukraine, including in government institutions, to infect devices on a mass scale. EclecticIQ warns that Sandworm attacks pose a serious threat to national security and critical infrastructure.

In the first half of 2024, russian hacker groups shifted the focus of their cyberattacks to targets related to military operations and service providers. This is stated in the analytical report “russian Cyber Operations” for the first half of 2024, prepared by specialists of the State Service for Communications.
According to the report, whereas Russian hackers previously focused on one-time attacks, their strategy now aims at entrenching themselves in systems, covertly obtaining information, and using cyber means to collect data on the results of their physical strikes.
The State Service for Communications notes that the IT sector demonstrates a high ability to recover quickly from cyberattacks and even grows stronger after each incident. The report also analyzes new trends in Russian hacker tactics, identifies new threats, and provides lessons learned by Ukrainian cyber security experts from this experience.