S1190 Kapeka
Kapeka is a backdoor written in C++ used against victims in Eastern Europe since at least mid-2022. Kapeka has technical overlaps with Exaramel for Windows and Prestige malware variants, both of which are linked to Sandworm Team. Kapeka may have been used in advance of Prestige deployment in late 2022.21
| Item | Value |
|---|---|
| ID | S1190 |
| Associated Names | KnuckleTouch |
| Type | MALWARE |
| Version | 1.0 |
| Created | 06 January 2025 |
| Last Modified | 11 March 2025 |
| Navigation Layer | View In ATT&CK® Navigator |
Associated Software Descriptions
| Name | Description |
|---|---|
| KnuckleTouch | 1 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Kapeka utilizes HTTP for command and control.2 |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | Kapeka allows for arbitrary Windows command execution.2 |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.001 | Standard Encoding | Kapeka utilizes JSON objects to send and receive information from command and control nodes.2 |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Kapeka utilizes obfuscated JSON structures for various data storage and configuration management items.2 |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.009 | Clear Persistence | Kapeka will clear registry values used for persistent configuration storage when uninstalled.2 |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.008 | Masquerade File Type | Kapeka masquerades as a Microsoft Word Add-In file, with the extension .wll, but is a malicious DLL file.12 |
| enterprise | T1112 | Modify Registry | Kapeka writes persistent configuration information to the victim host registry.2 |
| enterprise | T1106 | Native API | Kapeka utilizes WinAPI calls to gather victim system information.2 |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.013 | Encrypted/Encoded File | Kapeka utilizes AES-256 (CBC mode), XOR, and RSA-2048 encryption schemas for various configuration and other objects.2 |
| enterprise | T1090 | Proxy | Kapeka can identify system proxy settings via WinHttpGetIEProxyConfigForCurrentUser() during initialization and utilize these settings for subsequent command and control operations.2 |
| enterprise | T1012 | Query Registry | Kapeka queries registry values for stored configuration information.2 |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | Kapeka persists via scheduled tasks.12 |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.011 | Rundll32 | Kapeka is a Windows DLL file executed via ordinal by rundll32.exe.12 |
| enterprise | T1082 | System Information Discovery | Kapeka utilizes WinAPI calls and registry queries to gather system information.2 |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0034 | Sandworm Team | Kapeka is associated with Sandworm Team operations and previous malware variants such as GreyEnergy.12 |