
Sandworm APT Targets Ukrainian Users with Trojanized Microsoft KMS Activation Tools in Cyber Espionage Campaigns

ID: bcf759c3-220d-5b8c-bcb8-634927f8ab6a

STIX ID: report--bcf759c3-220d-5b8c-bcb8-634927f8ab6a

Feed Name: EclecticIQ

Threat Score
90/100

Date Published: 2025-02-11

Date Updated: 2026-04-27

Author: Arda Büyükkaya

...
...

EclecticIQ reports that Sandworm (APT44) is conducting an active cyber espionage campaign against Ukrainian Windows users, distributing trojanized KMS activators and fake updates that deploy the BACKORDER loader, which in turn delivers Dark Crystal RAT and the Kalambur RDP backdoor. The report provides malware analysis, debug-symbol and language evidence linking the activity to Russian operators, multiple IOCs (domains, IPs, SHA256 hashes), MITRE ATT&CK TTP mappings, and Sigma/YARA detection content, and warns of significant risk to Ukrainian users and potentially to critical infrastructure.
