Sandworm APT Attacks Detection: russian State-Sponsored Hackers Deploy Malicious Windows KMS Activators to Target Ukraine
For over a decade, russia-backed Sandworm APT group (also tracked as UAC-0145, APT44) has consistently targeted Ukrainian organizations, with a primary focus on state bodies and critical infrastructure. Since the full-scale invasion, this GRU-affiliated military cyber-espionage group has intensified its attacks against Ukrainian targets. The latest malicious campaign, analyzed in February 2025, appears to have been active since 2023. The operation leverages trojanized Microsoft Key Management Service (KMS) activators and fake Windows updates to infiltrate Ukrainian systems.
Detect Attacks by Sandworm Hackers
The growing wave of cyber-espionage campaigns against Ukraine and its allies remains a key factor in the evolving cyber threat landscape. russia-backed hackers often use Ukraine as a testing ground, refining their tactics before deploying them on a global scale. A recently uncovered large-scale operation highlights this escalating threat, exploiting trojanized Windows KMS tools and fake updates to infiltrate Ukrainian systems.
To help security teams stay on top of potential intrusions, the SOC Prime Platform for collective cyber defense offers a set of Sigma rules addressing Sandworm TTPs. The detection stack is accompanied by a complete product suite for automated threat hunting, AI-powered detection engineering, and intelligence-driven threat detection. Press the Explore Detections button below to drill down to a dedicated rule stack that helps detect the latest Sandworm attacks.
The detections are compatible with multiple security analytics solutions and mapped to MITRE ATT&CK®. Additionally, each rule is enriched with extensive metadata, including threat intel references, attack timelines, triage recommendations, and more.
Security professionals seeking more relevant content to analyze Sandworm APT attacks retrospectively can review the broader set of rules by searching the Threat Detection Marketplace with the “Sandworm” and “UAC-0145” tags.
To accelerate threat investigation, cyber defenders can also hunt for IOCs provided in the EclecticIQ analysis of the Sandworm campaign. Leverage Uncoder AI to seamlessly parse IOCs and convert them to custom queries ready to run in a chosen SIEM or EDR environment. Previously available only to corporate clients, Uncoder AI is now accessible to individual researchers, offering its full capabilities. Check out the details here.

Sandworm (APT44) Attack Analysis: Ongoing Campaign Using Trojanized KMS Activation Tools
EclecticIQ researchers are alerting defenders to an ongoing cyber-espionage campaign in which the nefarious Sandworm (APT44) group, linked to russia’s Main Intelligence Directorate (GRU), is actively targeting Ukrainian Windows users. The campaign has likely been active since late 2023, following russia’s invasion of Ukraine. In these attacks, Sandworm exploits pirated Microsoft Key Management Service (KMS) activators and fraudulent Windows updates to distribute an updated version of BACKORDER, a loader previously tied to the group. BACKORDER then deploys Dark Crystal RAT (DcRAT), allowing attackers to steal sensitive data and carry out cyber espionage.
The infection chain starts with a trojanized ZIP file, “KMSAuto++x64_v1.8.4.zip,” distributed via torrent and disguised as a KMS activation tool to target users bypassing Windows licensing. Sandworm was previously observed using similar tactics against Ukraine with a trojanized Windows 10 installer. Since then, analysts have identified seven related adversary campaigns using similar lures and TTPs.
At the turn of 2025, the latest campaign used a typosquatted domain to deploy the DcRAT remote access Trojan. DarkCrystal RAT was previously linked to Sandworm’s toolkit and has also been employed by other hacking collectives targeting Ukraine. For instance, in the summer of 2022, CERT-UA uncovered a large-scale phishing campaign by russia-backed adversaries delivering DarkCrystal RAT, moderately linked to the UAC-0113 group (aka Sandworm). In 2023, CERT-UA revealed another offensive operation aimed at distributing DarkCrystal RAT. That infection stemmed from an unlicensed Microsoft Office 2019 installation, and the campaign was linked to UAC-0145, another identifier for the group.
The fake KMS tool mimics a Windows activation interface, while BACKORDER, a Go-based loader, runs in the background, disabling Windows Defender and using Living Off the Land Binaries (LOLBINs) to evade detection. It prepares the system for the final RAT payload, which connects to a C2 server to exfiltrate sensitive data. DarkCrystal RAT maintains persistence by creating scheduled tasks via schtasks.exe and launching staticfile.exe with elevated privileges to ensure continued access after reboots or logoffs.
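To show how the scheduled-task persistence described above can be hunted in process-creation telemetry, here is an added Python example; it is not code from the EclecticIQ report or from SOC Prime's rule stack. The Sysmon-style events and the schtasks.exe command lines are constructed assumptions modelling the behaviour; only the binary name staticfile.exe comes from the analysis.

```python
import shlex

# Constructed Sysmon-style process-creation events (Event ID 1), not real logs. The command
# lines are assumptions modelling the persistence step; only "staticfile.exe" is from the report.
SCHTASKS = r"C:\Windows\System32\schtasks.exe"
SAMPLE_EVENTS = [
    {"Image": SCHTASKS, "CommandLine": r'schtasks /create /tn "WindowsUpdateCheck" /tr "C:\Users\u\AppData\Roaming\staticfile.exe" /sc onlogon /rl highest /f'},
    {"Image": SCHTASKS, "CommandLine": r'schtasks /query /tn "\Microsoft\Windows\Defrag\ScheduledDefrag"'},
    {"Image": SCHTASKS, "CommandLine": r'schtasks /create /tn "Backup" /tr "C:\Tools\backup.exe" /sc daily /st 02:00'},
]
KNOWN_BAD_BINARIES = ("staticfile.exe",)  # binary name reported in the campaign
USER_WRITABLE_DIRS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

def parse_schtasks_create(cmdline):
    """Return the /tn, /tr, /sc and /rl values of a 'schtasks /create' line, else None."""
    try:
        tokens = shlex.split(cmdline, posix=False)  # non-POSIX mode keeps Windows quotes/backslashes
    except ValueError:
        return None
    lowered = [t.lower() for t in tokens]
    if "/create" not in lowered:
        return None
    args = {}
    for i, tok in enumerate(lowered):
        if tok in ("/tn", "/tr", "/sc", "/rl") and i + 1 < len(tokens):
            args[tok] = tokens[i + 1].strip('"')
    return args

def score_event(event):
    """List the indicators an event shares with the RAT's scheduled-task persistence."""
    if not event.get("Image", "").lower().endswith("\\schtasks.exe"):
        return []
    args = parse_schtasks_create(event.get("CommandLine", ""))
    if not args:
        return []
    reasons = []
    task_run = args.get("/tr", "").lower()
    if task_run.endswith(KNOWN_BAD_BINARIES):
        reasons.append("task runs a binary name reported in the campaign")
    if any(d in task_run for d in USER_WRITABLE_DIRS):
        reasons.append("task target lives in a user-writable directory")
    if args.get("/sc", "").lower() in ("onlogon", "onstart"):
        reasons.append("task re-triggers on logon or boot, surviving reboots and logoffs")
    if args.get("/rl", "").lower() == "highest":
        reasons.append("task requests the highest run level")
    return reasons

def find_suspicious(events, min_reasons=2):
    """Flag events with at least min_reasons indicators so routine admin tasks stay quiet."""
    scored = ((ev["CommandLine"], score_event(ev)) for ev in events)
    return [(cmd, r) for cmd, r in scored if len(r) >= min_reasons]
```

In a SIEM the same logic maps onto a Sigma rule over process-creation events; the threshold keeps single weak indicators such as a daily backup task from alerting.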
Notably, in the late fall of 2024, another trojanized KMS activator was uploaded to VirusTotal from Ukraine, consistent with previous BACKORDER campaigns. Compiled as a 64-bit Python 3.13 application via PyInstaller, it contained russian-language debug paths, suggesting russian origins. The fake activator downloads a second-stage payload and executes Python scripts to disable Windows security protection, deploy malicious samples, and establish persistence. With moderate confidence, the malicious DLL file, Runtime Broker.dll, can be considered a novel BACKORDER loader iteration, written in Go and designed to fetch and run second-stage malware from a remote host.
During the investigation, defenders also uncovered a new backdoor, Kalambur, after a domain pivot. The threat actor used kalambur[.]net to deliver an RDP backdoor disguised as a Windows Update. Named after the russian word for “pun,” Kalambur starts with the C#-based kalambur2021_v39.exe, which downloads a repackaged TOR binary and additional tools from a likely attacker-controlled TOR site.
Defenders assess that Sandworm (APT44) is distributing trojanized pirated software through Ukrainian-speaking forums, warez sites, and illicit platforms, targeting individual users, businesses, and potentially state bodies. On April 3, 2023, CERT-UA confirmed at least one incident in which a Ukrainian utility employee unknowingly installed pirated Microsoft Office, triggering DarkCrystal RAT and the DWAgent remote access utility and compromising ICS devices. Although no major disruptions occurred, the incident highlights the risks of trojanized software in critical infrastructure. Sandworm’s tactics align with russia’s hybrid warfare strategy to destabilize Ukraine’s critical infrastructure. To help Ukraine and its allies identify infections in a timely manner, the SOC Prime Platform offers a complete product suite to stay ahead of russia-linked APT attacks and other emerging threats while ensuring proactive cyber defense at scale.