
Kapeka Russian malware surfaces in Europe

A new backdoor known as Kapeka, attributed to the Kremlin-backed Sandworm group, has been found in the wild

Researchers have discovered a new backdoor believed to be the work of a Russian Advanced Persistent Threat (APT) group.

Known as 'Kapeka', the backdoor has been in use since at least mid-2022 and can be traced back to a prominent Russian threat actor, according to researchers with security firm WithSecure.

Researchers from WithSecure believe that the malware is the latest development in a broader effort by the Kremlin to disrupt business in Eastern Europe in general and Ukraine in particular.

"In mid-2023 WithSecure found several artifacts observed in an intrusion set likely linked to Russian APT activity. One of these artifacts was an unknown backdoor/dropper detected in an Estonian logistics company in late 2022," the company said in a report provided to The Stack.

"Upon analysis, we found two additional versions of the dropped backdoor submitted to VirusTotal from Ukraine in mid-2022 and mid-2023, one of which was packaged with a scheduled task file from an infected machine that launched the backdoor. We assessed with moderate confidence that the submitters were victims."

According to WithSecure, Kapeka is in all likelihood the work of Sandworm, a Kremlin-backed threat group that has been active for well over a decade and whose toolset has included related malware such as the GreyEnergy backdoor.

"While examining the possible link between the backdoor and the Sandworm group, WithSecure noted overlaps between Kapeka and GreyEnergy, a toolkit thought to be associated with the Sandworm group," WithSecure explained.

"Additionally, we discovered connections between Kapeka, GreyEnergy, and Prestige ransomware attacks that occurred in late 2022."

Administrators are advised to keep their antimalware software up to date and to watch closely for any signs of intrusion, including unfamiliar scheduled tasks of the kind the researchers saw used to launch the backdoor.