KAPEKA – a novel backdoor spotted in Eastern Europe

WithSecure researchers identified a novel backdoor named Kapeka active in Eastern Europe since mid‑2022; it acts as a flexible early‑stage toolkit and a long‑term access implant. The activity shows overlaps with GreyEnergy and Prestige incidents, suggesting likely use by the Sandworm group. #Kapeka #Sandworm

Key points

  • WithSecure uncovered Kapeka, a previously undocumented backdoor observed in Eastern Europe since at least mid‑2022.
  • Kapeka is designed as a flexible backdoor that serves both as an early‑stage toolkit and for maintaining long‑term access to victim environments.
  • The malware package includes a dropper component that installs and launches the backdoor and then removes the dropper binary from the host.
  • Once active, the backdoor collects system and user fingerprints and transmits these details to operators.
  • The backdoor supports receiving tasks and configuration updates from its operators via a command channel.
  • Analysis found overlaps between Kapeka, GreyEnergy, and Prestige ransomware incidents, linking Kapeka to operations attributed to Sandworm.

MITRE Techniques

  • [T1105] Ingress Tool Transfer – The dropper transfers and installs the backdoor on the victim host (‘Kapeka contains a dropper that will drop and launch a backdoor on a victim’s machine…’).
  • [T1070.004] Indicator Removal on Host: File Deletion – The installer removes itself after deployment (‘…and then remove itself.’).
  • [T1082] System Information Discovery – The backdoor gathers host and user fingerprints for reconnaissance (‘…will first collect information and fingerprint both the machine and user…’).
  • [T1071] Application Layer Protocol – Collected data is sent to operators and the implant can receive tasks or configuration updates over its command channel (‘…before sending the details on to the threat actor. This allows tasks to be passed back to the machine or the backdoor’s configuration to be updated.’).
  • [T1547] Boot or Logon Autostart Execution (persistence) – The backdoor is used to provide long‑term access to the victim environment (‘…and also to provide long-term access to the victim estate.’).

Indicators of Compromise

  • [No explicit IOCs in article] The summary does not list IPs, domains, file names, or hashes; the linked WithSecure technical report contains detailed IOCs such as file hashes, C2 domains, and sample filenames – https://labs.withsecure.com/content/dam/labs/docs/WithSecure-Research-Kapeka.pdf

Kapeka is delivered via a dropper that writes and executes a backdoor payload on the target host and then deletes the installer to minimize traces. The installed backdoor performs host and user fingerprinting—collecting system details and user information—and transmits those results to the operator to enable follow‑up actions.
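As an added detection example (not WithSecure's code or data), the correlation below flags the drop, launch, self-delete chain described above over constructed Sysmon-style events; the paths and PIDs are invented placeholders, not Kapeka indicators.

```python
"""Correlate endpoint telemetry to flag the dropper pattern described for
Kapeka: a process writes a new executable, a child runs from that file,
and the dropper's own image is then deleted. Events are constructed,
Sysmon-like dicts (11 = FileCreate, 1 = ProcessCreate, 23 = FileDelete)."""
from collections import defaultdict

# Constructed sample telemetry; paths and PIDs are placeholders, not IoCs.
EVENTS = [
    {"id": 11, "pid": 4242, "image": r"C:\Users\u\Downloads\setup.exe",
     "target": r"C:\ProgramData\svc.exe"},
    {"id": 1, "pid": 5100, "ppid": 4242, "image": r"C:\ProgramData\svc.exe",
     "parent_image": r"C:\Users\u\Downloads\setup.exe"},
    {"id": 23, "pid": 5100, "image": r"C:\ProgramData\svc.exe",
     "target": r"C:\Users\u\Downloads\setup.exe"},
    # Benign noise: an installer that writes and runs a file but is never deleted.
    {"id": 11, "pid": 6000, "image": r"C:\Tools\inst.exe",
     "target": r"C:\Tools\app.exe"},
    {"id": 1, "pid": 6001, "ppid": 6000, "image": r"C:\Tools\app.exe",
     "parent_image": r"C:\Tools\inst.exe"},
]


def find_self_deleting_droppers(events):
    """Return (dropper_image, payload_image) pairs where a process wrote a
    file, a child was launched from that file, and the dropper's image was
    later deleted (by any process, since cleanup may be handed to the payload)."""
    written = defaultdict(set)  # dropper pid -> lowercase paths it wrote
    launched = {}               # dropper pid -> (dropper image, payload image)
    hits = []
    for ev in events:
        if ev["id"] == 11:
            written[ev["pid"]].add(ev["target"].lower())
        elif ev["id"] == 1 and ev["image"].lower() in written.get(ev["ppid"], ()):
            launched[ev["ppid"]] = (ev["parent_image"], ev["image"])
        elif ev["id"] == 23:
            for dropper, payload in launched.values():
                if ev["target"].lower() == dropper.lower() and (dropper, payload) not in hits:
                    hits.append((dropper, payload))
    return hits


if __name__ == "__main__":
    for dropper, payload in find_self_deleting_droppers(EVENTS):
        print(f"self-deleting dropper {dropper} launched {payload}")
```

On real telemetry the same three event types are available from Sysmon; the benign installer shows why the delete step, not file-write-then-execute alone, is what separates this chain from ordinary software installs.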

After initial reconnaissance, the implant maintains a command channel that allows operators to push tasks and configuration changes to the backdoor, enabling both early‑stage engagement (toolkit deployment) and sustained access. The implant’s design emphasizes stealth and modularity to support targeted, long‑running intrusions.

Analysts noted operational overlaps between Kapeka, GreyEnergy, and Prestige incidents; while propagation details are not provided in the summary, the full WithSecure technical report includes sample hashes, network indicators, and deeper behavioral analysis for detection and hunting.

Read more: https://labs.withsecure.com/content/dam/labs/docs/WithSecure-Research-Kapeka.pdf