{
	"id": "c2e5ff65-dc03-44d1-89af-c3c0212e3032",
	"created_at": "2026-04-06T00:22:22.393643Z",
	"updated_at": "2026-04-10T03:37:08.799052Z",
	"deleted_at": null,
	"sha1_hash": "973ae8db6491e9c7813ce34a81842ced7d496aa5",
	"title": "Russian APT Deploys New \"Kapeka\" Backdoor in Attacks on Eastern Europe | CTF导航",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 508978,
	"plain_text": "Russian APT Deploys New \"Kapeka\" Backdoor in Attacks on Eastern Europe | CTF导航\r\nArchived: 2026-04-05 14:12:56 UTC\r\nRussian APT Deploys New \"Kapeka\" Backdoor in Attacks on Eastern Europe\r\nSummary: According to Finnish cybersecurity firm WithSecure, a previously undocumented \"flexible\" backdoor named Kapeka has appeared \"sporadically\" in cyberattacks targeting Eastern Europe, including Estonia and Ukraine, since at least mid-2022.\r\nThe discovery comes from Finnish cybersecurity firm WithSecure, which attributes the malware to the Russia-linked advanced persistent threat (APT) group tracked as Sandworm (also known as APT44 or Seashell Blizzard). Microsoft tracks the same malware under the name KnuckleTouch.\r\nSecurity researcher Mohammad Kazem Hassan Nejad said: \"The malware is a flexible backdoor with all the necessary functionality to serve as an early-stage toolkit for its operators, and also to provide long-term access to the victim environment.\"\r\nKapeka comes with a dropper designed to launch and execute the backdoor component on the infected host and then remove itself. The dropper is also responsible for setting up persistence for the backdoor, either as a scheduled task or as an autorun registry entry, depending on whether the process has SYSTEM privileges.\r\nIn an advisory published in February 2024, Microsoft described Kapeka as being involved in multiple campaigns distributing ransomware, and said it can be used to perform various functions such as stealing credentials and other data, conducting destructive attacks, and granting the threat actor remote access to the device.\r\nThe backdoor is a Windows DLL written in C++ with an embedded command-and-control (C2) configuration that is used to establish contact with an operator-controlled server, and it holds information on how frequently the server needs to be polled to retrieve commands.\r\nBesides masquerading as a Microsoft Word add-in to appear legitimate, the backdoor DLL collects information about the compromised host and implements multi-threading to fetch incoming instructions, process them, and transmit the execution results to the C2 server.\r\n\"The backdoor uses the WinHttp 5.1 COM interface (winhttpcom.dll) to implement its network communication component,\" Nejad explained. \"The backdoor communicates with its C2 to poll for tasks and to send fingerprinting information and task results back. The backdoor utilizes JSON to send and receive information from its C2.\"\r\nThe implant is also capable of updating its C2 configuration on the fly by receiving a new version from the C2 server during polling. Some of the backdoor's main features allow it to read and write files on disk, launch payloads, execute shell commands, and even upgrade and uninstall itself.\r\nThe exact method by which the malware is propagated is currently unknown. However, Microsoft noted that the dropper is retrieved from compromised websites using the certutil utility, underscoring the use of legitimate living-off-the-land binaries (LOLBins) to orchestrate the attack.\r\nKapeka's connection to Sandworm is evidenced by conceptual and configuration overlaps with previously disclosed families such as GreyEnergy and Prestige.\r\n\"It is likely that Kapeka was used in intrusions that led to the deployment of Prestige ransomware in late 2022,\" WithSecure said. \"Kapeka is likely a successor to GreyEnergy, which itself was likely a replacement for BlackEnergy in Sandworm's arsenal.\"\r\n\"The backdoor's victimology, infrequent sightings, and level of stealth and sophistication indicate APT-level activity, highly likely of Russian origin.\"\r\nOriginally published on the WeChat official account 紫队安全研究: Russian APT Deploys New \"Kapeka\" Backdoor in Attacks on Eastern Europe\r\nSource: https://www.ctfiot.com/183017.html",
	"extraction_quality": 1,
	"language": "ZH",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.ctfiot.com/183017.html"
	],
	"report_names": [
		"183017.html"
	],
	"threat_actors": [
		{
			"id": "4d9cdc7f-72d6-4e17-89d8-f6323bfcaebb",
			"created_at": "2023-01-06T13:46:38.82716Z",
			"updated_at": "2026-04-10T02:00:03.113893Z",
			"deleted_at": null,
			"main_name": "GreyEnergy",
			"aliases": [],
			"source_name": "MISPGALAXY:GreyEnergy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44",
				"ATK14",
				"BlackEnergy Group",
				"Blue Echidna",
				"CTG-7263",
				"ELECTRUM",
				"FROZENBARENTS",
				"Hades/OlympicDestroyer",
				"IRIDIUM",
				"Quedagh",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"Telebots",
				"Voodoo Bear"
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434942,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/973ae8db6491e9c7813ce34a81842ced7d496aa5.pdf",
		"text": "https://archive.orkl.eu/973ae8db6491e9c7813ce34a81842ced7d496aa5.txt",
		"img": "https://archive.orkl.eu/973ae8db6491e9c7813ce34a81842ced7d496aa5.jpg"
	}
}