Russian APT Deploys New ‘Kapeka’ Backdoor in Japanese European Assaults

Apr 17, 2024NewsroomRansomware / Cyber Espionage

Russian APT

A beforehand undocumented “versatile” backdoor known as Kapeka has been “sporadically” noticed in cyber assaults concentrating on Japanese Europe, together with Estonia and Ukraine, since at the least mid-2022.

The findings come from Finnish cybersecurity agency WithSecure, which attributed the malware to the Russia-linked superior persistent risk (APT) group tracked as Sandworm (aka APT44 or Seashell Blizzard). Microsoft is monitoring the identical malware underneath the title KnuckleTouch.

“The malware […] is a versatile backdoor with all the mandatory functionalities to function an early-stage toolkit for its operators, and likewise to offer long-term entry to the sufferer property,” safety researcher Mohammad Kazem Hassan Nejad said.

Kapeka comes fitted with a dropper that is designed to launch and execute a backdoor element on the contaminated host, after which it removes itself. The dropper can be liable for establishing persistence for the backdoor both as a scheduled job or autorun registry, relying on whether or not the method has SYSTEM privileges.


Microsoft, in its personal advisory launched in February 2024, described Kapeka as concerned in a number of campaigns distributing ransomware and that it may be used to hold out quite a lot of features, resembling stealing credentials and different knowledge, conducting harmful assaults, and granting risk actors distant entry to the system.

The backdoor is a Home windows DLL written in C++ and options an embedded command-and-control (C2) configuration that is used to ascertain contact with an actor-controlled server and holds details about the frequency at which the server must be polled with the intention to retrieve instructions.

Apart from masquerading as a Microsoft Word add-in to make it seem real, the backdoor DLL gathers details about the compromised host and implements multi-threading to fetch incoming directions, course of them, and exfiltrate the outcomes of the execution to the C2 server.

Russian APT

“The backdoor makes use of WinHttp 5.1 COM interface (winhttpcom.dll) to implement its community communication element,” Nejad defined. “The backdoor communicates with its C2 to ballot for duties and to ship again fingerprinted info and job outcomes. The backdoor makes use of JSON to ship and obtain info from its C2.”

The implant can be able to updating its C2 configuration on-the-fly by receiving a brand new model from the C2 server throughout polling. A number of the primary options of the backdoor permit it to learn and write information from and to disk, launch payloads, execute shell instructions, and even improve and uninstall itself.

The precise technique by way of which the malware is propagated is at the moment unknown. Nevertheless, Microsoft noted that the dropper is retrieved from compromised web sites utilizing the certutil utility, underscoring the usage of a professional living-off-the-land binary (LOLBin) to orchestrate the assault.


Kapeka’s connections to Sandworm come conceptual and configuration overlaps with beforehand disclosed households like GreyEnergy, a possible successor to the BlackEnergy toolkit, and Status.

“It’s doubtless that Kapeka was utilized in intrusions that led to the deployment of Status ransomware in late 2022,” WithSecure stated. “It’s possible that Kapeka is a successor to GreyEnergy, which itself was doubtless a substitute for BlackEnergy in Sandworm’s arsenal.”

“The backdoor’s victimology, rare sightings, and stage of stealth and class point out APT-level exercise, extremely doubtless of Russian origin.”

Discovered this text attention-grabbing? Comply with us on Twitter and LinkedIn to learn extra unique content material we publish.