Russian military hackers deploy malicious Windows activators in Ukraine www.bleepingcomputer.com/news/secu…

The Sandworm Russian military cyber-espionage group is targeting Windows users in Ukraine with trojanized Microsoft Key Management Service (KMS) activators and fake Windows updates.

These attacks likely started in late 2023 and have now been linked to Sandworm by EclecticIQ threat analysts based on overlapping infrastructure, consistent Tactics, Techniques and Procedures (TTPs), and the repeated use of ProtonMail accounts to register the domains used in the attacks.

The attackers also used a BACKORDER loader to deploy DarkCrystal RAT (DcRAT) malware, which has been seen in previous Sandworm attacks, and the samples contain debug symbols referencing a Russian-language build environment, further reinforcing the researchers' confidence that Russian military hackers were involved.
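The "debug symbols referencing a Russian-language build environment" mentioned above is a signal analysts pull out of the PE debug directory: when a binary is linked with symbols, the linker embeds a CodeView RSDS (PDB 7.0) record whose trailing string is the path to the .pdb on the build machine, and that path leaks user names and directory names from the developer's environment. The following is an added example, not code from the BleepingComputer article or from EclecticIQ, showing how to carve RSDS records out of a sample and flag paths containing Cyrillic characters. The RSDS layout (4-byte signature, 16-byte GUID, 4-byte little-endian age, NUL-terminated UTF-8 path) is the documented format; the sample GUID, path and blob are constructed for this example and are not indicators from the campaign.

```python
"""Extract PDB paths from CodeView RSDS (PDB 7.0) debug records.

Added example, not code from the article or from EclecticIQ. The RSDS
record layout is the documented PDB70 CodeView format: 'RSDS' signature,
16-byte GUID, 4-byte little-endian age, then a NUL-terminated UTF-8 path
to the .pdb the binary was linked against. The sample blob is constructed.
"""
from __future__ import annotations

import re
import struct
import uuid
from dataclasses import dataclass

RSDS_SIG = b"RSDS"
# Basic Cyrillic block; a path with characters in this range is one
# concrete sign of a Russian-language (or other Cyrillic) build environment.
CYRILLIC = re.compile(r"[\u0400-\u04FF]")


@dataclass
class Rsds:
    guid: uuid.UUID
    age: int
    pdb_path: str


def parse_rsds(record: bytes) -> Rsds:
    """Parse one RSDS record starting at offset 0 of `record`."""
    if record[:4] != RSDS_SIG:
        raise ValueError("not an RSDS record")
    if len(record) < 24:
        raise ValueError("RSDS record truncated")
    guid = uuid.UUID(bytes_le=record[4:20])      # GUID is stored little-endian
    (age,) = struct.unpack_from("<I", record, 20)
    end = record.find(b"\x00", 24)
    if end == -1:
        raise ValueError("PDB path not NUL-terminated")
    path = record[24:end].decode("utf-8", errors="replace")
    return Rsds(guid, age, path)


def find_rsds_records(blob: bytes) -> list[Rsds]:
    """Signature-scan a raw image for RSDS records.

    Walking the PE debug directory is more precise; a scan is the fallback
    when headers are damaged or the sample is partially unpacked.
    """
    found: list[Rsds] = []
    pos = blob.find(RSDS_SIG)
    while pos != -1:
        try:
            found.append(parse_rsds(blob[pos:]))
        except ValueError:
            pass                                  # false-positive signature hit
        pos = blob.find(RSDS_SIG, pos + 4)
    return found


def has_cyrillic(path: str) -> bool:
    return CYRILLIC.search(path) is not None


def suspicious_pdb_paths(blob: bytes) -> list[str]:
    """PDB paths in `blob` whose directory or file names contain Cyrillic."""
    return [r.pdb_path for r in find_rsds_records(blob) if has_cyrillic(r.pdb_path)]


def build_rsds(guid: uuid.UUID, age: int, pdb_path: str) -> bytes:
    """Helper used only to construct the sample input below."""
    return RSDS_SIG + guid.bytes_le + struct.pack("<I", age) + pdb_path.encode("utf-8") + b"\x00"


# Constructed sample (hypothetical GUID and path; not from the campaign):
# a stub 'MZ' header followed by one RSDS record and some padding.
SAMPLE_GUID = uuid.UUID("12345678-1234-5678-1234-567812345678")
SAMPLE_PATH = "C:\\Users\\dev\\Документы\\loader\\Release\\loader.pdb"
SAMPLE_BLOB = b"MZ" + b"\x00" * 60 + build_rsds(SAMPLE_GUID, 3, SAMPLE_PATH) + b"\x00" * 16

if __name__ == "__main__":
    for rec in find_rsds_records(SAMPLE_BLOB):
        print(f"GUID={rec.guid} age={rec.age} pdb={rec.pdb_path!r} "
              f"cyrillic={has_cyrillic(rec.pdb_path)}")
```

On a real sample you would pass the file bytes to `find_rsds_records` and compare the GUID and age against the .pdb you expect for a legitimate build; a Cyrillic path alone is a lead for an analyst, not an attribution on its own.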
