MITRE ATT&CK® Malware

S1190: Kapeka

Kapeka is a backdoor written in C++ used against victims in Eastern Europe since at least mid-2022. Kapeka has technical overlaps with Exaramel for Windows and Prestige malware variants, both of which are linked to Sandworm Team. Kapeka may have been used in advance of Prestige deployment in late 2022.[1][2]

Domain: Enterprise | ID: S1190 | Type: Malware | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Kapeka is a Windows backdoor documented by ATT&CK as used against victims in Eastern Europe since at least mid-2022. Its business significance is that it combines persistence, command execution, registry interaction, web-based command-and-control, proxying, and obfuscation behaviors that can let an intruder maintain access while blending into normal Windows and web traffic. For leaders, this is less about one malware name and more about whether the organization can prove it would notice a Windows host creating suspicious scheduled tasks, abusing rundll32, changing registry values, and communicating over encoded web traffic.

Executive priority

Prioritize Kapeka as a validation case for Windows endpoint visibility, SOC detection engineering, and incident response readiness. ATT&CK relates Kapeka to Sandworm Team and notes overlaps with Exaramel for Windows and Prestige, so organizations with exposure to Eastern Europe, critical operations, or destructive-threat planning should use it to test resilience assumptions without assuming local exposure. Executives should ask whether security teams can produce audit-ready evidence for endpoint process execution, registry changes, scheduled task creation/removal, and outbound web/proxy activity during an investigation.

Technical view

ATT&CK does not provide a dedicated detection section for Kapeka, so defenders should build coverage from the related behaviors: Query Registry, Modify Registry, Scheduled Task, Windows Command Shell, Native API execution, Rundll32 abuse, encrypted or encoded files, masqueraded file types, decode/deobfuscation activity, web protocol C2, standard encoded C2 data, proxy use, system information discovery, and clearing persistence artifacts. SOC teams should validate detections on Windows hosts around suspicious rundll32 command lines, unusual scheduled task creation or deletion, registry reads/writes tied to unknown processes, command shell activity launched by unexpected parents, and anomalous outbound HTTP/S patterns from endpoints.

Likely telemetry

  • Windows endpoint process creation and command-line telemetry
  • Parent-child process relationships, especially involving cmd.exe and rundll32.exe
  • Windows Scheduled Task creation, modification, execution, and deletion events
  • Windows Registry query and modification telemetry
  • File creation and metadata telemetry for encoded, encrypted, or masqueraded payloads

Detection direction

  • Because ATT&CK provides no official Kapeka detection text, map detections to the listed techniques rather than relying on a malware-family signature alone.
  • Tune rundll32 detections for unusual DLL paths, uncommon exports, suspicious parent processes, and execution from user-writable locations, while accounting for legitimate administrative and software activity.
  • Correlate scheduled task activity with nearby registry modification, command shell execution, encoded files, or new outbound web connections to reduce false positives.
  • Review whether registry telemetry captures both queries and modifications; many environments log writes but not enough read activity for discovery detection.
  • Inspect outbound HTTP/S and proxy logs for unusual endpoint destinations, encoded payload patterns, uncommon user agents, or processes that do not normally initiate web traffic.
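The rundll32 scoring and the scheduled-task/registry correlation described in the bullets above, as an added example that is not from the Glexia page or from MITRE. It runs over a handful of constructed Sysmon-style and Security-log events (Sysmon 1 process creation, Sysmon 13 registry value set, Security 4698 scheduled task created); the field names, paths, pids, timestamps and task name are assumptions chosen for illustration, and the scoring hints are starting points to weigh against an environment baseline rather than tuned rules.

```python
"""Added example (not from the Glexia page or MITRE): rundll32 scoring plus
scheduled-task / registry correlation over constructed Sysmon-style events.
All paths, pids, timestamps and the task name are made-up illustration values."""
import re
from datetime import datetime, timedelta

# Constructed sample events.  id 1 = Sysmon process create, id 13 = Sysmon
# registry value set, id 4698 = Windows Security scheduled task created.
EVENTS = [
    {"id": 1, "ts": "2024-01-10T09:00:00", "pid": 4100,
     "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\update.wll,#1"},
    {"id": 13, "ts": "2024-01-10T09:00:04", "pid": 4100,
     "image": r"C:\Windows\System32\rundll32.exe",
     "target": r"HKU\S-1-5-21-0-0-0-1001\Software\ExampleVendor\Settings"},
    {"id": 4698, "ts": "2024-01-10T09:00:09", "pid": 4100,
     "task": r"\ExampleVendor\PlaceholderTask"},
    # Benign control: a Control Panel applet launched the usual way.
    {"id": 1, "ts": "2024-01-10T10:00:00", "pid": 5200,
     "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

# Directories an unprivileged user can write to (assumed list; extend per
# environment).
USER_WRITABLE = re.compile(r"^[a-z]:\\(users|programdata|windows\\temp)\\", re.I)
# "rundll32[.exe] <dll>,<export>" where the export may be an ordinal such as #1.
RUNDLL_ARG = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?)"?\s*,\s*(#?\w+)', re.I)


def score_rundll32(cmd):
    """Return the reasons a rundll32 command line looks unusual (may be empty).
    Each reason is a hint to weigh with other context, not an alert on its own:
    ordinal exports and non-.dll extensions both occur in legitimate software."""
    m = RUNDLL_ARG.search(cmd)
    if not m:
        return []
    dll, export = m.group(1), m.group(2)
    reasons = []
    if export.startswith("#"):
        reasons.append("ordinal export")
    if USER_WRITABLE.match(dll):
        reasons.append("dll in user-writable path")
    ext = dll.rsplit(".", 1)[-1].lower() if "." in dll else ""
    if ext != "dll":
        reasons.append(f"non-.dll extension (.{ext})")
    return reasons


def correlate(events, window_s=60):
    """For each unusual rundll32 start, collect registry writes (T1112) and
    scheduled-task creations (T1053.005) made by the same pid within window_s
    seconds after the start.  Returns one alert dict per flagged process."""
    by_pid = {}
    for e in events:
        by_pid.setdefault(e["pid"], []).append(e)
    alerts = []
    for e in events:
        if e["id"] != 1 or not e["image"].lower().endswith("rundll32.exe"):
            continue
        reasons = score_rundll32(e["cmd"])
        if not reasons:
            continue
        t0 = datetime.fromisoformat(e["ts"])
        window = timedelta(seconds=window_s)
        followups = set()
        for f in by_pid[e["pid"]]:
            dt = datetime.fromisoformat(f["ts"]) - t0
            if not (timedelta(0) <= dt <= window):
                continue
            if f["id"] == 13:
                followups.add("T1112 registry write")
            elif f["id"] == 4698:
                followups.add("T1053.005 scheduled task")
        alerts.append({"pid": e["pid"], "cmd": e["cmd"],
                       "reasons": reasons, "followups": sorted(followups)})
    return alerts


if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(a["pid"], a["reasons"], a["followups"])
```

Pairing the process-creation hints with follow-on persistence activity from the same pid is what keeps the false-positive rate down: the benign Control Panel launch in the sample produces no reasons and therefore never reaches the correlation stage, while the flagged process only becomes a high-confidence alert once both a registry write and a task creation land inside the window.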

Mitigation priorities

  • Start with visibility: ensure Windows endpoint logging, EDR, scheduled task auditing, registry auditing, and proxy/DNS logging are enabled and retained long enough for incident response.
  • Harden execution paths by limiting unnecessary script and command shell use, monitoring rundll32 abuse, and controlling execution from user-writable directories where feasible.
  • Apply least privilege so routine users cannot create high-impact persistence or modify sensitive registry locations without administrative control.
  • Use egress controls and proxy policy to constrain unauthorized outbound web communications and improve inspection of endpoint-originated HTTP/S traffic.
  • Maintain incident response playbooks for suspected backdoor activity that include persistence review, registry inspection, scheduled task triage, network containment, and evidence preservation.

Analyst notes and limits

Kapeka is a Windows malware object in ATT&CK Enterprise. The supplied relationships state that Sandworm Team uses this object and that Kapeka uses multiple Windows-relevant techniques spanning execution, persistence, discovery, defense evasion, and command-and-control. The official description cites WithSecure and Microsoft reporting and notes technical overlaps with Exaramel for Windows and Prestige. Detection guidance here is derived from the supplied ATT&CK relationships because no official Kapeka detection text was provided.

This take is limited to the supplied ATT&CK fields, external references, and relationships. It does not assert current activity, customer exposure, specific indicators, exploit paths, or guaranteed detection. Local validation requires environment-specific baselines, endpoint telemetry quality checks, and review of applicable Windows logging and network monitoring coverage.

Official MITRE ATT&CK definition

Kapeka

Kapeka is a backdoor written in C++ used against victims in Eastern Europe since at least mid-2022. Kapeka has technical overlaps with Exaramel for Windows and Prestige malware variants, both of which are linked to Sandworm Team. Kapeka may have been used in advance of Prestige deployment in late 2022.[1][2]


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

14 rows

Domain | ID | Name | Relationship / procedure

Enterprise | T1218.011 | Rundll32 (sub-technique)
Kapeka is a Windows DLL file executed via ordinal by `rundll32.exe`.[1][2]

Enterprise | T1036.008 | Masquerade File Type (sub-technique)
Kapeka masquerades as a Microsoft Word Add-In file, with the extension `.wll`, but is a malicious DLL file.[1][2]

Enterprise | T1082 | System Information Discovery
Kapeka utilizes WinAPI calls and registry queries to gather system information.[1]

Enterprise | T1059.003 | Windows Command Shell (sub-technique)
Kapeka allows for arbitrary Windows command execution.[1]

Enterprise | T1112 | Modify Registry
Kapeka writes persistent configuration information to the victim host registry.[1]

Enterprise | T1053.005 | Scheduled Task (sub-technique)
Kapeka persists via scheduled tasks.[1][2]

Enterprise | T1071.001 | Web Protocols (sub-technique)
Kapeka utilizes HTTP for command and control.[1]

Enterprise | T1070.009 | Clear Persistence (sub-technique)
Kapeka will clear registry values used for persistent configuration storage when uninstalled.[1]

Enterprise | T1132.001 | Standard Encoding (sub-technique)
Kapeka utilizes JSON objects to send and receive information from command and control nodes.[1]

Enterprise | T1012 | Query Registry
Kapeka queries registry values for stored configuration information.[1]

Enterprise | T1140 | Deobfuscate/Decode Files or Information
Kapeka utilizes obfuscated JSON structures for various data storage and configuration management items.[1]

Enterprise | T1090 | Proxy
Kapeka can identify system proxy settings via `WinHttpGetIEProxyConfigForCurrentUser()` during initialization and utilize these settings for subsequent command and control operations.[1]

Enterprise | T1106 | Native API
Kapeka utilizes WinAPI calls to gather victim system information.[1]

Enterprise | T1027.013 | Encrypted/Encoded File (sub-technique)
Kapeka utilizes AES-256 (CBC mode), XOR, and RSA-2048 encryption schemas for various configuration and other objects.[1]
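A file-type triage routine for the T1036.008 row above, added here as an example that is not part of the page or of MITRE's content. It makes the practical point the row implies: a `.wll` Word add-in is itself a PE DLL, so an extension-versus-magic check alone cannot flag it, and the signal has to come from where the file lives and which process loaded it. All paths, the STARTUP directory patterns and the header stub are constructed assumptions.

```python
"""Added example (not from the page or MITRE): file-type triage for the
T1036.008 row.  A .wll Word add-in is itself a PE DLL, so the extension-vs-magic
check alone cannot flag it; location and loading process carry the signal.
All paths, directory patterns and the header stub are constructed."""
import struct

# Extensions whose content is expected to be a PE image.
PE_EXTENSIONS = {"dll", "exe", "wll", "xll", "cpl", "ocx", "scr", "sys"}
# Directory fragments where Word add-ins normally live (assumed, lower-case;
# adjust to the Office versions deployed in the environment).
WLL_EXPECTED_DIRS = ("\\microsoft\\word\\startup\\", "\\office16\\startup\\")


def is_pe(data):
    """True if data carries an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def triage(path, head, loader_image):
    """Return findings for a file given its path, its first bytes and the image
    of the process that loaded it.  An empty list means nothing unusual."""
    lower = path.lower()
    ext = lower.rsplit(".", 1)[-1] if "." in lower else ""
    loader = loader_image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    findings = []
    # Plain mismatch: PE bytes behind a document-style extension.
    if is_pe(head) and ext not in PE_EXTENSIONS:
        findings.append(f"PE image with non-code extension .{ext}")
    # .wll is legitimately a DLL, so judge it by placement and loader instead.
    if ext == "wll":
        if not any(d in lower for d in WLL_EXPECTED_DIRS):
            findings.append("Word add-in outside Word STARTUP directories")
        if loader != "winword.exe":
            findings.append(f"Word add-in loaded by {loader}")
    return findings


def pe_header_stub():
    """Constructed 0x44-byte header that satisfies is_pe; not a real DLL."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> right after the DOS header
    return bytes(hdr) + b"PE\0\0"


if __name__ == "__main__":
    stub = pe_header_stub()
    print(triage(r"C:\Users\alice\AppData\Local\Temp\update.wll", stub,
                 r"C:\Windows\System32\rundll32.exe"))
```

In a real pipeline the `head` bytes would come from the file-creation telemetry or a sandbox read of the first page, and `loader_image` from the image-load or process-creation event; the value of the check is that it still fires on a correctly formed `.wll` when it sits in a temp directory and is loaded by `rundll32.exe` rather than by Word.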

Associated objects

Groups, software, and campaigns

Group Enterprise

G0034: Sandworm Team

Sandworm Team is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.[1][2] This group has been active since at least 2009.[3][4][5][6]

In October 2020, the US indicted six GRU Unit 74455 officers associated with Sandworm Team for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide NotPetya attack, targeting of the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.[1][2] Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as APT28.[7]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 6718778aad069676...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 6718778aad06…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] WithSecure Kapeka 2024
     Mohammad Kazem Hassan Nejad, WithSecure. (2024, April 17). KAPEKA: A novel backdoor spotted in Eastern Europe. Retrieved January 6, 2025.

  2. [2] Microsoft KnuckleTouch 2024
     Microsoft. (2024, February 14). Backdoor:Win64/KnuckleTouch.A!dha. Retrieved January 6, 2025.

  3. [3] KnuckleTouch
     (Citation: Microsoft KnuckleTouch 2024)

  4. [4] mitre-attack S1190
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.