WithSecure uncovers Kapeka, a new malware with links to Russian nation-state threat group Sandworm

PRESS RELEASE | April 17, 2024


The timing and locations in which Kapeka has been spotted – as well as the possible links with Sandworm – make it likely that its development and usage are related to the Russia-Ukraine war.

Helsinki, Finland – April 17, 2024: WithSecure™ (formerly F-Secure Business) researchers have uncovered a novel backdoor malware that has been used in attacks against victims in eastern Europe since at least mid-2022.

The malware, named Kapeka, can be linked to a group known as Sandworm, which is a prolific Russian nation-state threat group operated by the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). Sandworm is particularly notorious for its destructive attacks against Ukraine in pursuit of Russian interests in the region.

Kapeka is a flexible backdoor with all the necessary functionalities to serve as an early-stage toolkit for its operators, as well as providing long-term access to the victim’s estate. The malware's victimology, infrequent sightings, and level of stealth and sophistication indicate APT-level activity.

Kapeka’s development and deployment follow the outbreak of the ongoing Russia-Ukraine war, with Kapeka likely used in targeted attacks on firms across central and eastern Europe since the illegal invasion of Ukraine in 2022.

“The Kapeka backdoor has raised concerns due to its association with Russian APT activity – particularly the Sandworm group. Its rarity and targeted nature, primarily observed in eastern Europe, suggest it's a bespoke tool used in limited-scope attacks. Further analysis revealed overlaps with GreyEnergy, another toolkit linked to Sandworm, reinforcing its association with the group, and highlighting potential implications for targeted entities in the region,” says Mohammad Kazem Hassan Nejad, Researcher at WithSecure Intelligence.

WithSecure last observed Kapeka in May 2023. It is uncommon for threat groups, especially nation-states, to cease operations or dispose of tooling altogether. Therefore, Kapeka's infrequent sightings can be considered a testament to its meticulous usage by an advanced persistent threat (APT) actor in operations that span years, such as the Russia-Ukraine war.

The full research paper is available at https://labs.withsecure.com/publications/kapeka.

WithSecure™ media relations
Inari Anttila

About WithSecure™

WithSecure™, formerly F-Secure Business, is Europe's cyber security partner of choice. Trusted by IT service providers, MSSPs, and businesses worldwide, we deliver outcome-based cyber security solutions that protect mid-market companies. Committed to the European Way of data protection, WithSecure prioritizes privacy, data sovereignty, and regulatory compliance.

Boasting more than 35 years of industry experience, WithSecure™ has designed its portfolio to navigate the paradigm shift from reactive to proactive cyber security. In alignment with its commitment to collaborative growth, WithSecure™ offers partners flexible commercial models, ensuring mutual success across the dynamic cyber security landscape.

Central to WithSecure's™ cutting-edge offerings is Elements Cloud, which seamlessly integrates AI-powered technologies, human expertise, and co-security services. Further, it empowers mid-market customers with modular capabilities spanning endpoint and cloud protection, threat detection and response, and exposure management.

WithSecure™ Corporation was founded in 1988, and is listed on the NASDAQ OMX Helsinki Ltd.