Summary: The Sandworm APT (APT44), a Russian state-sponsored group, is targeting Ukrainian users with a trojanized KMS activator that deploys the Dark Crystal RAT (DcRAT). This ongoing campaign exploits the prevalence of unlicensed software in Ukraine, particularly in government agencies, which makes it easier for the threat actors to infiltrate systems. EclecticIQ's reporting details the methods used to disable security measures and establish persistent access for data exfiltration.
Affected: Ukrainian governmental institutions and users of unlicensed software
Key points:
- Sandworm APT is utilizing a fake KMS activator to deliver BACKORDER and install DcRAT.
- The malware is capable of exfiltrating sensitive data, including keystrokes, browser information, and system details.
- Security measures such as Windows Defender are bypassed through the use of malicious PowerShell commands.
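The Defender-tampering step is the most visible point for detection: the cmdlets an attacker must run to switch off real-time scanning or add exclusions land in PowerShell script-block logging (Event ID 4104). The following is an added example, not code from the EclecticIQ report or the campaign, that scans constructed 4104-style entries for those cmdlets; the sample events, host names and rule names are assumptions, while the `Set-MpPreference` / `Add-MpPreference` parameters are real Windows Defender options.

```python
import re
from typing import List, Dict

# Constructed sample PowerShell script-block log entries (Event ID 4104 style).
# Not taken from the report; only the ScriptBlockText field is inspected.
SAMPLE_EVENTS = [
    {"id": 4104, "host": "WS-01", "text": "Get-MpComputerStatus | Select-Object AMRunningMode"},
    {"id": 4104, "host": "WS-02", "text": "Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"id": 4104, "host": "WS-02", "text": "Add-MpPreference -ExclusionPath 'C:\\Users\\Public\\kms'"},
    {"id": 4104, "host": "WS-03", "text": "sEt-mPprEfErEnce -DisableIOAVProtection $true"},
    {"id": 4104, "host": "WS-04", "text": "Set-MpPreference -ScanScheduleDay Everyday"},
]

# Defender-tampering patterns. The cmdlets and parameters are real Defender
# PowerShell options; matching is case-insensitive because PowerShell is,
# so mixed-case cmdlet names (a common log-evasion trick) still hit.
TAMPER_PATTERNS = {
    "realtime_off": re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", re.I),
    "ioav_off": re.compile(r"Set-MpPreference\b.*-DisableIOAVProtection\s+\$?true", re.I),
    "behavior_off": re.compile(r"Set-MpPreference\b.*-DisableBehaviorMonitoring\s+\$?true", re.I),
    "exclusion_added": re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)\b", re.I),
}


def detect_defender_tampering(events: List[Dict]) -> List[Dict]:
    """Return one finding per 4104 entry whose script block matches a tampering pattern.

    Benign Defender administration (status queries, schedule changes) is left alone;
    only the protection-disabling and exclusion-adding forms are flagged.
    """
    findings = []
    for ev in events:
        if ev.get("id") != 4104:
            continue
        for rule, pattern in TAMPER_PATTERNS.items():
            if pattern.search(ev["text"]):
                findings.append({"host": ev["host"], "rule": rule, "text": ev["text"]})
                break  # one finding per entry is enough for triage
    return findings


if __name__ == "__main__":
    for f in detect_defender_tampering(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['rule']} <- {f['text']}")
```

In production the same logic would run over forwarded 4104 events rather than the inline list, and a hit on a host that also shows a freshly installed "KMS" tool is a strong triage signal.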