{
	"id": "55dfbb42-ab6e-4ae2-abec-07d95d74f12f",
	"created_at": "2026-04-06T00:22:24.495294Z",
	"updated_at": "2026-04-10T03:30:57.172952Z",
	"deleted_at": null,
	"sha1_hash": "ac13433846dca5a1b4f3c1bb5151b7692a204db4",
	"title": "KOVTER: An Evolving Malware Gone Fileless",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 876037,
	"plain_text": "KOVTER: An Evolving Malware Gone Fileless\r\nArchived: 2026-04-05 22:09:02 UTC\r\nby John Sanchez (Trend Micro Threat Researcher)\r\nWhile a large number of malware come and go, rarely seen after their initial campaigns, some have remained\r\nstrong through the years. A common feature of the most persistent malware is their ability to evolve: their initial\r\ninfection methods, behaviors and payloads rarely stay unchanged.\r\nKOVTER (detected by Trend Micro as KOVTER family) is one example of a constantly evolving malware.\r\nInitially starting out as a police ransomware, it eventually evolved into a much more effective and evasive fileless\r\nmalware. Here is a closer look at KOVTER, as well as tips on how organizations can lessen its impact in case of\r\ninfection.\r\n[Read more: How are fileless threats abusing PowerShell?news article]\r\nHow has KOVTER evolved over the years?\r\nThe malware known as KOVTER has gone through various changes during its lifespan.\r\nThe earliest reportsnews article of the malware pegged it as a police ransomware, where it remained in a target\r\nsystem waiting for the right opportunity—usually when the user downloaded illegal files. Once triggered, it\r\nnotifies the user of illegal activity along with a “fine”, which equates to its ransom demand. However, this early\r\nversion was not too effective, as it required the correct set of conditions and could easily be detected and removed.\r\nThe second, and perhaps most visible variant of KOVTER was that of a click fraud malware. This variant used\r\ncode injection to infect its target, after which it stole information that it then sent to its Command \u0026 Control\r\n(C\u0026C) servers.\r\nIn 2015, KOVTER evolved again into a fileless malware, which it did via the installation of autorun registry\r\nentries. It evolved further in 2016, adding file components and registry entries that made use of a shell spawning\r\ntechnique to read the malicious registry entry.\r\nHow does the current KOVTER variant work?\r\nhttps://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/kovter-an-evolving-malware-gone-fileless\r\nPage 1 of 4\n\nFigure 1: KOVTER infection flow\r\nOne of the most common infection methods for KOVTER is via attachments coming from macro-based malicious\r\nspam. Once the malicious attachment—usually compromised Microsoft Office files—are clicked, the malware\r\ninstalls a shortcut file, batch file, and a random file with a random file extension in a randomly named folder\r\nusually located in %Application Data% or %AppDataLocal%. Registry entries based on the random file extension\r\nare also installed in Classes Root to direct the execution of the random file into reading a registry entry. These\r\ncomponents are used to perform the malware's shell-spawning technique.\r\nFor the next part, the registry entry for the random file is created, containing malicious scripts that perform\r\nKOVTER’s processes. This means that the moment the infected machine restarts or either the shortcut or batch\r\nfiles are triggered, the malicious script in the registry entry is loaded into memory. The malicious script contains a\r\nshell code that the malware injects into the PowerShell process. The shell code will then decrypt a registry entry\r\nlocated in the same registry key. This registry entry is a binary file that is injected into a spawned process (usually\r\nregsvr32.exe). The spawned regsvr32.exe would then try to connect various URLs as a part of its click fraud\r\nactivity.\r\nUpon installation of all these file components and registry entries, the malware spawns a watchdog process that\r\ncontinuously monitors the existence of these components.\r\nHow can organizations mitigate the impact of KOVTER?\r\nGiven its almost fileless technique, KOVTER has become much more difficult to detect and mitigate. However,\r\nthere are some things organizations can do to mitigate the malware’s impact. Here are some examples of effective\r\nmitigation techniques:\r\nDue to its arrival via spam mail, the organization should look into implementing policies that protect\r\nagainst email threats.news- cybercrime-and-digital-threatsThis includes setting up anti-spam filters that can\r\nhttps://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/kovter-an-evolving-malware-gone-fileless\r\nPage 2 of 4\n\nblock malicious emails before they can even reach the endpoint user.\r\nOne of the simplest and most effective ways to stop fileless malware is to apply security updates as soon as\r\nthey are available. Organizations should ensure that their systems have the latest updates to prevent being\r\ninfected by fileless malware—especially those that exploit vulnerabilities.\r\nPowerShell is frequently abused by fileless malwarenews article, thus organizations should take necessary\r\nprecautions to secure this component. This includes implementing steps  on properly utilizing PowerShell\r\nin operational or cloud environments. Organizations can also list triggers for detection, which can be based\r\non commands known to be used by malicious PowerShell scripts. Threat actors, for instance, often use the\r\n“^” symbol to obfuscate their command prompt parameters when invoking PowerShell. Organizations can\r\nalso consider disabling PowerShell itself if necessary.\r\nWhile fileless malware is more difficult to detect, organizations should still put in the effort to monitor and\r\nsecure all their endpoints. Using firewalls and solutions that can monitor inbound and outbound network\r\ntraffic can go a long way towards preventing fileless malware from infecting an organization.\r\nFinally, organizations should implement multilayered security solutions such as Trend Micro™ Deep\r\nDiscovery™, which provides detection, in-depth analysis, and proactive response to today’s stealthy\r\nmalware and targeted attacks in real-time. It provides a comprehensive defense tailored to protect\r\norganizations against targeted attacks and advanced threats through specialized engines,\r\ncustom sandboxing, and seamless correlation across the entire attack lifecycle. In addition, Trend Micro™\r\nDeep Security™ and Vulnerability Protection provide virtual patching that protects endpoints from threats\r\nthat abuses vulnerabilities. OfficeScanproducts’s Vulnerability Protection shield endpoints from identified\r\nand unknown vulnerability exploits even before patches are deployed.\r\nHIDE\r\nLike it? Add this infographic to your site:\r\n1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your\r\npage (Ctrl+V).\r\nImage will appear the same size as you see above.\r\nWe Recommend\r\nThe Industrialization of Botnets: Automation and Scale as a New Threat Infrastructurenews article\r\nComplexity and Visibility Gaps in Power Automatenews article\r\nCracking the Isolation: Novel Docker Desktop VM Escape Techniques Under WSL2news article\r\nAzure Control Plane Threat Detection With TrendAI Vision One™news article\r\nThe AI-fication of Cyberthreats: Trend Micro Security Predictions for 2026predictions\r\nhttps://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/kovter-an-evolving-malware-gone-fileless\r\nPage 3 of 4\n\nRansomware Spotlight: DragonForcenews article\r\nStay Ahead of AI Threats: Secure LLM Applications With Trend Vision Onenews article\r\nThe Road to Agentic AI: Navigating Architecture, Threats, and Solutionsnews article\r\nSource: https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/kovter-an-evolving-malware-gone-fileless\r\nhttps://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/kovter-an-evolving-malware-gone-fileless\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/kovter-an-evolving-malware-gone-fileless"
	],
	"report_names": [
		"kovter-an-evolving-malware-gone-fileless"
	],
	"threat_actors": [
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434944,
	"ts_updated_at": 1775791857,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ac13433846dca5a1b4f3c1bb5151b7692a204db4.pdf",
		"text": "https://archive.orkl.eu/ac13433846dca5a1b4f3c1bb5151b7692a204db4.txt",
		"img": "https://archive.orkl.eu/ac13433846dca5a1b4f3c1bb5151b7692a204db4.jpg"
	}
}