APT Hackers Exploit RDP Servers to Deploy Malware, Establish Persistence

By Sarah simpson | March 24, 2026

Key Takeaways

  • A sophisticated state-sponsored threat actor, known as APT-C-13 (Sandworm), has shifted its strategy from destructive attacks to long-term intelligence gathering.
  • The group is actively targeting critical infrastructure, defense organizations, and government agencies, particularly in Ukraine, by exploiting Remote Desktop Protocol (RDP) servers.
  • The attack chain leverages social engineering via a fake Microsoft Office ISO image to deploy a modular penetration framework (Tambur/Sumbur/Kalambur series).
  • Attackers establish covert persistence and exfiltrate data undetected by abusing legitimate Windows tools (scheduled tasks, SSH, PowerShell, RDP), SSH reverse tunnels and Tor, and by installing a forged root certificate in the trusted store.

APT-C-13 Shifts Tactics to Long-Term RDP Infiltration

One of the world’s most formidable state-backed hacking groups, identified as APT-C-13 and widely known by aliases such as Sandworm, APT44, Seashell Blizzard, and Voodoo Bear, is actively exploiting Remote Desktop Protocol (RDP) servers. This group, with a history of cyber operations dating back to at least 2009, is now focusing its efforts on critical infrastructure, defense organizations, and government agencies.


This latest campaign signifies a notable strategic evolution for APT-C-13. Instead of executing immediate, destructive cyberattacks, the group is now prioritizing stealthy, prolonged infiltration designed to harvest intelligence over extended periods. This represents a move from “instantaneous disruption” to “intelligence-driven persistent parasitism,” a calculated shift observed between 2024 and 2026, according to researchers.

Initial Infection Vector and Malware Deployment

The campaign initiates with a deceptive ISO image, named Microsoft.Office.2025x64.v2025.iso. This malicious file is distributed primarily through Telegram channels and software cracking communities prevalent in Ukraine. Victims are lured into mounting this image and attempting to install or activate what appears to be legitimate Microsoft Office software.

Upon execution, hidden executables, disguised as auto.exe or setup.exe, are silently launched in the background. This social engineering tactic capitalizes on user trust in familiar software names. Once activated, an initial loader profiles the compromised system before selectively deploying additional malicious modules.

Analysts at the 360 Threat Intelligence Center, who published their findings on the center's Weixin (WeChat) account, have tracked this campaign in detail. They confirmed that APT-C-13 is deploying a modular penetration framework, collectively referred to as the Tambur/Sumbur/Kalambur series. Confirmed victims include a technician at a Ukrainian state-owned shipbuilding and machinery manufacturing plant, where the attackers had already established deep, covert access.

The gravity of this campaign is substantial. A primary concern is the attackers’ reliance on legitimate Windows tools, including scheduled tasks, SSH, PowerShell, and RDP. This tactic often allows the malicious activity to bypass detection by conventional antivirus solutions, leaving organizations vulnerable for prolonged periods. The group’s patient approach means they can remain embedded for months, slowly exfiltrating sensitive data from within an organization’s trusted network. By the time an intrusion is detected, the attackers have likely already achieved their intelligence objectives.

Persistence Through RDP Hijacking and Covert Tunneling

A critical aspect of this campaign is the attackers’ advanced methods for establishing and maintaining covert, long-term persistence within compromised environments.

Scheduled Tasks and Credential Theft

The Tambur module plays a key role in persistence by creating scheduled tasks named “Tambur” and “Protector.” These tasks are registered under the \Microsoft\Windows\WDI\ task path, beside the genuine Windows Diagnostic Infrastructure task, so that they blend in with native components. They execute with full administrator-level privileges and use a hardcoded password, 1qaz@WSX, to guarantee that the operators can always log on to the RDP service of the infected host.

Anonymous Command and Control and Remote Access

The Kalambur and Sumbur modules further enhance operational security by routing all command-and-control (C2) traffic through the Tor anonymity network, concealing the attackers’ true location. Using SSH reverse tunneling, the attackers expose the victim’s RDP port (3389) on a remote C2 server, so an operator anywhere in the world can log in silently through the tunnel without a single inbound connection reaching the victim’s perimeter. Sumbur, an improved iteration of this framework, masquerades as Microsoft Edge’s update service: it stores malicious VBScripts in a fake Edge update directory and triggers them every four hours so that the activity blends in with routine software update traffic.
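The following script is an added hunting example, not code from the article or from the 360 Threat Intelligence Center report. Run in an elevated PowerShell 5.1 or later session on the host under examination, it looks for the three persistence traits described in this section: tasks under \Microsoft\Windows\WDI\ other than the built-in ResolutionHost, tasks that launch a VBScript from an Edge-update-looking directory, and RDP sessions whose client socket is on the host itself, which is what an SSH reverse tunnel (or a Tor relay) on the victim looks like to the RDP service. The regular expressions, the Tor listener ports and the assumption that only ResolutionHost is legitimate under the WDI path are mine, not indicators from the report.

```powershell
# Added hunting example, not code from the article or the 360 report.
# Run in an elevated PowerShell 5.1+ session on the host under examination.
# Assumptions: only ResolutionHost is legitimate under \Microsoft\Windows\WDI\ on stock
# Windows; the Edge-update regex and the Tor ports are heuristics, not report indicators.

function Get-SuspiciousWdiTasks {
    # Tambur/Protector hide beside the genuine Windows Diagnostic Infrastructure task.
    $builtIn = @('ResolutionHost')
    $tasks = @(Get-ScheduledTask -TaskPath '\Microsoft\Windows\WDI\' -ErrorAction SilentlyContinue)
    foreach ($task in $tasks) {
        if ($builtIn -contains $task.TaskName) { continue }
        $actions = @($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        [pscustomobject]@{
            Indicator = 'Unexpected task in WDI path'
            Where     = "$($task.TaskPath)$($task.TaskName) (runs as $($task.Principal.UserId))"
            Detail    = $actions
        }
    }
}

function Get-FakeEdgeUpdateTasks {
    # Sumbur stores VBScripts in a fake Edge update directory and fires them every four hours.
    foreach ($task in @(Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        foreach ($action in @($task.Actions)) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match '(?i)edge\W*update.*\.vbs') {
                # Repetition interval is ISO 8601: PT4H means "every four hours".
                $intervals = @($task.Triggers | ForEach-Object { $_.Repetition.Interval }) -join ','
                [pscustomobject]@{
                    Indicator = 'VBScript launched from Edge-update-like path'
                    Where     = "$($task.TaskPath)$($task.TaskName) (repeat: $intervals)"
                    Detail    = $cmd
                }
            }
        }
    }
}

function Get-TunnelIndicators {
    # 1) ssh.exe started with a remote forward (-R) that exposes 3389 on the far end.
    foreach ($p in @(Get-CimInstance Win32_Process -Filter "Name = 'ssh.exe'")) {
        if ($p.CommandLine -match '(^|\s)-R\s*\S*3389') {
            [pscustomobject]@{
                Indicator = 'ssh.exe remote-forwarding RDP'
                Where     = "PID $($p.ProcessId)"
                Detail    = $p.CommandLine
            }
        }
    }
    # 2) An RDP session whose client socket lives on this very host: a local tunnel endpoint
    #    (ssh.exe, tor.exe, ...) is relaying the operator in, not a LAN workstation.
    $rdp = @(Get-NetTCPConnection -RemotePort 3389 -State Established -ErrorAction SilentlyContinue)
    foreach ($c in $rdp) {
        if ($c.RemoteAddress -notin @('127.0.0.1', '::1')) { continue }
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Indicator = 'RDP session entering via loopback'
            Where     = "PID $($c.OwningProcess) ($($proc.Name))"
            Detail    = "$($c.LocalAddress):$($c.LocalPort) -> $($c.RemoteAddress):3389"
        }
    }
    # 3) Tor's default SOCKS listeners (9050 for the daemon, 9150 for Tor Browser).
    $tor = @(Get-NetTCPConnection -State Listen -LocalPort 9050, 9150 -ErrorAction SilentlyContinue)
    foreach ($c in $tor) {
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Indicator = 'Tor SOCKS port listening'
            Where     = "PID $($c.OwningProcess) ($($proc.Name))"
            Detail    = "$($c.LocalAddress):$($c.LocalPort)"
        }
    }
}

$findings = @(Get-SuspiciousWdiTasks) + @(Get-FakeEdgeUpdateTasks) + @(Get-TunnelIndicators)
if ($findings.Count) { $findings | Format-Table -AutoSize -Wrap } else { 'No persistence indicators found.' }
```

The loopback check is the one that does not depend on any name the attackers can change: as long as the tunnel terminates on the victim, the RDP service sees the operator arrive from 127.0.0.1 or ::1 instead of from a workstation on the LAN. A confirmed task can be removed with Unregister-ScheduledTask, but do so only after the tunnel process has been captured for analysis, since killing it also severs the evidence of where the C2 server sits.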

Security Evasion and System Compromise

The attack concludes with the DemiMur module, which installs a forged root certificate named DemiMurCA.crt into the machine’s trusted root store. From that point on, any payload signed with a certificate issued by that CA chains to a trusted root, so Windows treats it as validly signed. Coupled with forced Microsoft Defender exclusions that cover the entire C: drive, the host’s native security mechanisms are effectively neutralized, giving the attackers an unmonitored operating environment.
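The audit below is an added example, not code from the article or the 360 report. In an elevated PowerShell session it lists machine root certificates whose name matches the DemiMurCA indicator from this section or that were issued recently (a 90-day window is my assumption; vendor root CAs are almost never that new), and it flags Defender exclusions broad enough to cover a whole drive or an executable file type.

```powershell
# Added audit example, not code from the article or the 360 report.
# Requires an elevated session; Get-MpPreference needs the Defender module (ConfigDefender).
# "DemiMur" is the name reported in the article; the 90-day recency window is an assumption.

function Get-SuspiciousRootCerts {
    param([int]$RecentDays = 90)
    $cutoff = (Get-Date).AddDays(-$RecentDays)
    foreach ($cert in @(Get-ChildItem Cert:\LocalMachine\Root)) {
        $reasons = @()
        if ($cert.Subject -match 'DemiMur' -or $cert.FriendlyName -match 'DemiMur') {
            $reasons += 'name matches DemiMurCA'
        }
        # Every root is self-signed, so issuance date is the useful signal: a root minted
        # in the last few weeks was almost certainly created on or for this host.
        if ($cert.NotBefore -gt $cutoff) {
            $reasons += "issued after $($cutoff.ToString('yyyy-MM-dd'))"
        }
        if ($reasons.Count) {
            [pscustomobject]@{
                Thumbprint = $cert.Thumbprint
                Subject    = $cert.Subject
                NotBefore  = $cert.NotBefore
                Reason     = $reasons -join '; '
            }
        }
    }
}

function Get-OverbroadDefenderExclusions {
    $pref = Get-MpPreference
    # A path exclusion of C:, C:\ or C:\* switches off scanning for the whole volume.
    foreach ($path in @($pref.ExclusionPath)) {
        if ($path -match '^[A-Za-z]:(\\\*?)?$') {
            [pscustomobject]@{ Type = 'Path'; Value = $path; Reason = 'covers an entire drive' }
        }
    }
    # Excluding an executable or script extension has the same effect for those payloads.
    foreach ($ext in @($pref.ExclusionExtension)) {
        if ($ext -in @('exe', 'dll', 'ps1', 'vbs', 'js', '*')) {
            [pscustomobject]@{ Type = 'Extension'; Value = $ext; Reason = 'excludes an executable/script type' }
        }
    }
}

'--- Root store ---'
Get-SuspiciousRootCerts | Format-Table -AutoSize
'--- Defender exclusions ---'
Get-OverbroadDefenderExclusions | Format-Table -AutoSize
```

Once a forged root is confirmed, Remove-Item on its Cert:\LocalMachine\Root\<thumbprint> entry revokes the trust it conferred, and Remove-MpPreference -ExclusionPath restores scanning; record the thumbprint first, because it is the one artifact that lets you find the same CA on other hosts.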

What You Should Do

  • Block Unauthorized Software: Immediately implement policies to block third-party activation tools and unauthorized ISO images from entering network environments.
  • Enhanced Network Monitoring: Implement robust internal network behavior monitoring, focusing on scheduled task creation, registry modifications, and PowerShell execution for anomalous activity.
  • Endpoint Security: Ensure all endpoint security solutions are fully updated and configured for regular, comprehensive scans. Consider advanced endpoint detection and response (EDR) solutions.
  • Strengthen Auditing: Key institutions and industrial organizations should enhance internal auditing practices and develop specific detection rules targeting unusual RDP and SSH activity patterns.
  • User Awareness Training: Educate users about the risks of downloading and executing software from unofficial sources, particularly those promising “cracked” or free versions of commercial software.
