17 April 2024

Suspected Russian hackers deploy new Kapeka backdoor in attacks on Central and Eastern Europe

Finnish security researchers have discovered a dangerous new backdoor for Windows systems, likely developed by the Russian intelligence service.

According to the Finnish security company WithSecure (formerly F-Secure Business), the new backdoor, dubbed ‘Kapeka,’ has been used in attacks against Eastern European targets since at least mid-2022.

The researchers linked the malware to Sandworm, a nation-state threat group controlled by the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). The threat actor is known for its destructive cyberattacks against Ukraine involving multiple data-wiping malware such as KillDisk and Foxblade. Sandworm, which has relentlessly been targeting Ukraine since the beginning of Russia’s invasion, is believed to be behind the December 2023 hack of Kyivstar, one of Ukraine’s three biggest telecom operators.

The group’s new malware, Kapeka, is described as a flexible backdoor, equipped with all the features needed to serve as an early-stage toolkit for its operators while providing long-term access to the victim's domain. The backdoor is likely being used in targeted attacks on businesses across Central and Eastern Europe, the researchers said.

“The Kapeka backdoor has raised concerns due to its association with Russian APT activity, particularly the Sandworm Group. Its rarity and targeted nature, mainly observed in Eastern Europe, suggest that it is a tailor-made tool used in attacks of limited scope. Further analysis revealed overlaps with GreyEnergy, another toolkit linked to Sandworm, strengthening its connection with the group and highlighting potential implications for targeted entities in the region,” said WithSecure Intelligence’s researcher Mohammad Kazem Hassan Nejad.

In February, Microsoft detected a similar backdoor, which it named ‘KnuckleTouch1.’ The tech giant attributed the malware to the Sandworm threat actor it tracks as Seashell Blizzard. According to Microsoft, the backdoor has been used in multiple campaigns distributing ransomware since at least early to mid-2022. Its functionalities include the ability to steal sensitive data such as credentials, perform additional destructive attacks, and maintain remote access to the victim’s machine.
