Ukraine Targeted by Russian Hackers with Fake Windows Activators

In a sophisticated cyber-espionage operation, the Russian military hacking group Sandworm has been found deploying trojanized Microsoft Key Management Service (KMS) activators and fake Windows updates to target Windows users in Ukraine. This campaign, which likely began in late 2023, aims to compromise Ukrainian systems through widespread malware distribution, taking advantage of the heavy reliance on pirated software.

Sandworm’s Cyber Tactics

The latest discovery was made by EclecticIQ threat analysts, who attributed the attacks to Sandworm based on several key indicators, including overlapping infrastructure, the consistent use of Tactics, Techniques, and Procedures (TTPs), and the frequent registration of attack-related domains using ProtonMail accounts.

EclecticIQ has identified at least seven malware distribution campaigns tied to this activity cluster, each leveraging similar attack methods. On January 12, 2025, researchers observed a new attack wave in which Sandworm hackers deployed the DarkCrystal Remote Access Trojan (DcRAT) using typo-squatted domains.

Once executed, these fake KMS activation tools display a counterfeit Windows activation interface while, in the background, executing a malware loader that disables Windows Defender and delivers the final RAT payload. This allows attackers to steal critical information from infected systems, posing a significant security risk to both individual users and organizations.

How the Attack Works

• The Sandworm hackers leverage a deceptive infection chain to trick users into running their malicious payloads:
• Initial Infection Vector: Victims unknowingly download a trojanized KMS activation tool, believing it to be a genuine Windows activation utility.
• Execution and Evasion: Upon execution, the malicious activator installs a malware loader that immediately disables Windows Defender to evade detection.
• Payload Deployment: The loader then downloads and installs DcRAT, a remote access Trojan known for its extensive data exfiltration capabilities.
• Data Theft: The malware silently collects sensitive information, including:
• Exfiltration: Stolen data is transmitted back to attacker-controlled servers, providing Sandworm operatives with critical intelligence on Ukrainian networks.

Why Ukraine is Being Targeted

The choice of Ukraine as a target is consistent with Sandworm’s long history of cyber warfare against the country. The hackers, also tracked as APT44 and UAC-0113, operate as part of the Russian Military Unit 74455 under the Main Intelligence Directorate (GRU). Their primary mission involves executing disruptive and destructive cyber operations, particularly against Ukraine’s government institutions, critical infrastructure, and private sector.

The use of malicious Windows activators is a particularly effective tactic because of the widespread use of pirated software in Ukraine. Many businesses and even government entities turn to unauthorized versions of Windows due to cost constraints or availability issues. This creates an enormous attack surface that adversaries can exploit with minimal effort.

According to EclecticIQ, this campaign aligns with Russia’s broader cyber warfare objectives:

“Many users, including businesses and critical entities, have turned to pirated software from untrusted sources, giving adversaries like Sandworm a prime opportunity to embed malware in widely used programs. This tactic enables large-scale espionage, data theft, and network compromise, directly threatening Ukraine’s national security, critical infrastructure, and private sector resilience.”

Past Sandworm Cyber Attacks

• Sandworm has been an active and highly sophisticated hacking group for over a decade. Some of their most notorious attacks include:
• BlackEnergy Attacks (2015-2016): Disrupted Ukraine’s power grid, causing blackouts affecting hundreds of thousands of people.
• NotPetya (2017): Deployed a destructive wiper disguised as ransomware, causing billions of dollars in damages worldwide.
• Olympic Destroyer (2018): Targeted the Winter Olympics in South Korea with a malware campaign aimed at disrupting the games.
• Cyclops Blink (2022): A botnet used for cyber-espionage and persistent access to compromised networks.
• Multiple Wiper Attacks (2022-Present): Including WhisperGate, CaddyWiper, and HermeticWiper, designed to destroy data on Ukrainian systems.

Mitigation Strategies and Security Recommendations

Organizations and individuals in Ukraine—and elsewhere—should take immediate action to protect their systems from this emerging threat. Recommended security measures include:

1. Avoid Pirated Software

Never use unlicensed versions of Windows or any other software.

Download software only from official vendor websites or trusted sources.

Encourage organizations to implement strict software procurement policies.

2. Deploy Strong Endpoint Security

Use reputable antivirus and endpoint detection and response (EDR) solutions.

Regularly update antivirus definitions to detect new malware strains.

Enable automatic updates for Windows and other software to patch vulnerabilities promptly.

3. Enable Windows Defender and Other Security Features

Ensure Windows Defender is active and configured to detect threats effectively.

Use Microsoft’s SmartScreen filter to block malicious downloads and phishing attempts.

4. Monitor for Signs of Compromise

Regularly check system logs for suspicious activity.

Use behavioral monitoring tools to detect unusual system behavior.

Employ Security Information and Event Management (SIEM) solutions to track anomalies.

5. Implement Strong Access Controls

Enforce multi-factor authentication (MFA) for all user accounts.

Use unique, complex passwords and store them in a password manager.

Restrict administrative privileges to only those who absolutely need them.

6. Educate Users on Cyber Threats

Conduct regular cybersecurity awareness training for employees.

Warn users about the dangers of downloading cracked software.

Encourage skepticism of unexpected pop-ups or prompts requiring administrative access.

Broader Implications of the Attack

The use of trojanized activators and fake updates by Sandworm is just one aspect of Russia’s broader cyber warfare strategy. These tactics highlight the following key concerns:

Weaponization of Software Piracy – Attackers are leveraging a widespread issue—software piracy—to introduce malware into high-value targets with ease.

Long-Term Persistence and Espionage – The use of remote access Trojans like DcRAT indicates that the campaign’s goal is prolonged access to Ukrainian networks for intelligence-gathering and possible future sabotage.

Global Relevance – While Ukraine is the primary target, similar tactics could be used to attack organizations in other regions, especially those with lax cybersecurity practices.

Conclusion

The ongoing cyber-attacks orchestrated by Sandworm using trojanized Windows activators and fake updates present a grave threat to Ukraine’s cybersecurity landscape. These attacks not only compromise individual users but also jeopardize national security by infiltrating critical infrastructure and sensitive networks.

To counteract these threats, users must be proactive in adopting cybersecurity best practices, particularly by avoiding pirated software, maintaining updated security solutions, and staying vigilant against suspicious downloads. Governments and businesses should also implement policies to prevent unauthorized software use and enhance national cybersecurity resilience.

As cyber warfare continues to evolve, staying informed and taking decisive security measures is the best defense against sophisticated threat actors like Sandworm. Ukraine’s ongoing digital battles serve as a stark reminder of the importance of robust cybersecurity practices in an increasingly connected world.