Thursday 25 September 09:30 - 10:00, Green room
Arda Büyükkaya (EclecticIQ)
This talk presents original threat research on a Russian military intelligence (GRU)-linked cyber espionage and disruption campaign, very likely conducted by Sandworm (APT44), that weaponizes Ukraine's widespread use of pirated software. Since late 2023, Sandworm has distributed trojanized Microsoft KMS activators and fake Windows updates through Ukrainian-language torrent sites and forums, embedding malware directly into the tools people already use to bypass licensing restrictions. This social engineering strategy enabled precise targeting of economically vulnerable Ukrainian users, spanning civilians, businesses and potentially government institutions, while evading conventional security controls.
Attendees will gain exclusive insight into the three malware families central to this campaign: BACKORDER, a Go-based loader that disables Windows Defender; Dark Crystal RAT (DcRAT), which BACKORDER deploys for espionage and data theft; and Kalambur, a previously unreported backdoor disguised as a Microsoft update. Kalambur is notable for its redundant persistence mechanisms: it establishes a Tor-based reverse shell via curl.exe, enables RDP through hidden administrator accounts, and installs an SSH server, so that the attackers retain access even after the Kalambur implant itself has been detected.
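The three persistence traits the abstract attributes to Kalambur (a curl.exe-driven Tor reverse shell, RDP via hidden administrator accounts, and an added SSH server) are all host artefacts a responder can check for directly. The script below is an added triage example written for this page; it is not code from the talk, and the specific artefacts it looks for are assumptions (accounts hidden by a trailing `$` or a `SpecialAccounts\UserList` entry, the built-in `sshd` service, a listener on TCP/22, and any established outbound connection owned by curl.exe). Replace or extend the checks with the IOCs and Sigma rules presented in the session.

```powershell
# Added triage script for the Kalambur-style persistence traits named in the
# abstract. NOT from the talk; the artefacts checked below are assumptions.
# Run from an elevated PowerShell 5.1+ session on the host under investigation.

$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Check, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail })
}

# 1. Local administrators hidden from logon screen or 'net user' listings.
#    Two common hiding tricks are assumed: a name ending in '$' and a DWORD 0
#    entry under Winlogon\SpecialAccounts\UserList.
$userListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
$hiddenByRegistry = @()
if (Test-Path $userListKey) {
    $hiddenByRegistry = (Get-ItemProperty -Path $userListKey).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and $_.Value -eq 0 } |
        ForEach-Object { $_.Name }
}
Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.ObjectClass -eq 'User' } |
    ForEach-Object {
        $name = ($_.Name -split '\\')[-1]
        if ($name.EndsWith('$')) {
            Add-Finding 'HiddenAdmin' "Administrator '$name' ends with '$' (hidden from net user)"
        }
        if ($hiddenByRegistry -contains $name) {
            Add-Finding 'HiddenAdmin' "Administrator '$name' hidden via SpecialAccounts\UserList"
        }
    }

# 2. RDP enabled (fDenyTSConnections = 0) and the RDP port listening.
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
if ($ts -and $ts.fDenyTSConnections -eq 0) {
    Add-Finding 'RDP' 'fDenyTSConnections=0 (Remote Desktop enabled)'
}
if (Get-NetTCPConnection -State Listen -LocalPort 3389 -ErrorAction SilentlyContinue) {
    Add-Finding 'RDP' 'TCP/3389 is listening'
}

# 3. An SSH server: the built-in OpenSSH service, or any process listening on 22.
$sshd = Get-Service -Name 'sshd' -ErrorAction SilentlyContinue
if ($sshd) {
    Add-Finding 'SSH' "Service sshd is installed (status: $($sshd.Status), start type: $($sshd.StartType))"
}
Get-NetTCPConnection -State Listen -LocalPort 22 -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    Add-Finding 'SSH' "TCP/22 listener owned by PID $($_.OwningProcess) ($($proc.Path))"
}

# 4. curl.exe holding an established outbound connection, as a Tor-based
#    reverse shell would. Every instance is reported together with its command
#    line; a connection to a local Tor SOCKS port (assumed 9050) is the tell-tale.
Get-Process -Name 'curl' -ErrorAction SilentlyContinue | ForEach-Object {
    $curlPid = $_.Id
    $cmdline = (Get-CimInstance Win32_Process -Filter "ProcessId = $curlPid").CommandLine
    Get-NetTCPConnection -OwningProcess $curlPid -State Established -ErrorAction SilentlyContinue |
        ForEach-Object {
            Add-Finding 'CurlReverseShell' "curl.exe PID $curlPid -> $($_.RemoteAddress):$($_.RemotePort); cmdline: $cmdline"
        }
}

if ($findings.Count -eq 0) {
    'No Kalambur-style persistence traits found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Each check is deliberately independent of the others: the abstract's point is that Kalambur's persistence is redundant, so finding and removing one foothold (for example the implant binary itself) says nothing about the other two, and a clean result is only meaningful when all four checks come back empty.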
This talk delivers a deep dive into Kalambur, backed by strong attribution to Sandworm based on metadata overlaps in C2 infrastructure and leftover Russian-language comments in the source code.
By the end of the session, defenders will walk away with actionable IOCs, YARA and Sigma rules, and detailed pivoting methods using VirusTotal and other public tools. The research covers both the initial-access and post-compromise tactics of GRU-linked actors, demonstrating how widespread software piracy within a nation can be weaponized as a scalable, low-cost initial access vector.
Arda Büyükkaya

Arda is a senior cyber threat intelligence analyst and cybersecurity professional with a proven track record of delivering actionable intelligence that enables Fortune 500 companies, government agencies and policymakers to make strategic, informed security decisions. Specializing in tracking and countering financially motivated cybercriminals and nation-state threat actors, Arda combines expertise in threat analysis, malware investigation, incident response and strategic intelligence reporting to proactively defend critical infrastructure and financial institutions. Arda frequently engages with international cybersecurity communities and industry forums, sharing knowledge on advanced adversary tactics, best practices in CTI, and ransomware ecosystems.
Back to VB2025 conference page