Sandworm’s New Arsenal: Kapeka Backdoor Technical Analysis

This blog post comes from the Sandworm’s New Arsenal: Kapeka Backdoor Technical Analysis report. If you want to download it as a PDFclick here

Executive Summary

Kapeka’s victim profiling, marked by its rarity and high level of secrecy and complexity, indicates operations at the level of an Advanced Persistent Threat (APT). The Kapeka Backdoor is identified as malware attributed to the Sandworm group.

The Sandworm APT group is a cyber threat actor often associated with the Russian state, engaging in cyber espionage and espionage activities. The group uses numerous infiltration techniques, such as malware, backdoor entries, and malicious email campaigns, to gain access to targets. It is known that this group often develops specialized malware designed to achieve long-term access and comprehensive monitoring, thereby expanding its arsenal.

Kapeka, a highly advanced threat, can infiltrate the target system through dropper software, ensuring long-term persistence. Its capabilities include conducting reconnaissance on the infected system and user, gathering information, creating additional files on the target system to run payloads sent by the attacker, removing existing malware installations and configurations, and sending the collected information to a remote server controlled by the attacker using the RSA algorithm.

The implications of this malware are not limited to providing attackers with an early toolset. It also grants them long-term access to the victim’s network, potentially leading to severe and prolonged damage. This underscores the critical importance of understanding and mitigating this threat.

SandWorm APT Group Cyber Intelligence Report

The Russian state–supported Sandworm APT group is discussed in this report prepared by the Brandefense threat intelligence team.


FiletypeWin32 EXE
Written LanguageC/C++
First Seen / Detection Date28.06.2022
Initial Infection VectorUnknown
Table 1: Dropper Signatures
FiletypeWin32 DLL
Written LanguageC/C++
First Seen / Detection Date28.06.2022
Initial Infection VectorDropper
Table 2: Kapeka Backdoor Signatures

Mitigation Strategies

Watch for unexpected or suspicious processes, especially those launched by rundll32 or cmd.exe, which Kapeka commonly uses for executing and maintaining persistence.

Limit administrative privileges for users. Kapeka attempts various operations that require elevated privileges. By applying the principle of least privilege, you can limit what can be executed with non-administrative accounts.

Kapeka DLL is saved in the \LOCALAPPDATA\Microsoft directory with a random name and a .wll file extension. The presence of files with .wll extension in the target directory should be checked.

Kapeka backdoor uses the registry’s Run Keys to ensure persistence. The records made on these keys must be monitored to observe Kapeka’s presence.

Kapeka Dropper creates a BAT file in the C:\Users\username\AppData directory responsible for deleting itself to leave no trace in the file system. BAT file is also named randomly. The presence of such a file in the target directory may indicate the presence of the dropper responsible for running the Kapeka DLL.

We do not currently have information about how the infection chain started or how the first access was obtained, but Sandworm can use techniques such as phishing emails, compromised accounts, and vulnerabilities detected in services open to the internet, with reference to the characteristics of the threat actor.


This report provides a detailed technical analysis of the Kapeka backdoor malware developed by the Sandowm group. The malware includes a series of sophisticated capabilities. Kapeka is notable for its ability to deeply infiltrate target systems and exfiltrate data and its remote command and control functions. Malware poses a serious threat, particularly to organizations with information security vulnerabilities.

Our analysis has thoroughly examined Kapeka’s code structure, communication protocols, and behavioral characteristics, providing critical insights into how the malware propagates. This information can assist organizations in developing more effective protective strategies. Notably, the malware’s stealth techniques necessitate enhancements in alert systems to make them more sensitive.

Kapeka backdoor is a testament to its operations’ sophistication and commitment to long-term persistence, traits that align with those of an Advanced Persistent Threat (APT) group. Its architecture, featuring a multi-stage deployment with both dropper and backdoor functionalities, allows it to conduct initial reconnaissance and maintain access to targeted systems undetected. Its ability to execute arbitrary commands, manage files, and communicate securely with its command-and-control servers equips it to carry out a wide range of malicious activities, from data theft to delivering secondary payloads.

This blog post comes from the Sandworm’s New Arsenal: Kapeka Backdoor Technical Analysis report. If you want to download it as a PDFclick here

Share This: