Malware and Windows: backdoor for Russia

Finnish security researchers have found a dangerous backdoor for Windows systems. The malware disguises itself as a Word add-in.

Photo caption: Windows programs affected by Russian cyberattacks (Photo: imago)

HELSINKI dpa | Security company WithSecure has discovered previously unknown malware that installs a backdoor on targeted Windows systems and leaves them open to further cyberattacks. The malware, codenamed "Kapeka", could be linked to the Russian threat group "Sandworm", which is operated by the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), the Finnish company said. "Sandworm" is known above all for its destructive attacks against Ukraine.

WithSecure's findings were confirmed by Microsoft. The American software company tracks the malware under the name "KnuckleTouch". Rüdiger Trost, a security expert at WithSecure, called the discovery a "major blow against Russia, which has used this backdoor in Ukraine and Eastern Europe."

"With this revelation, the Russian secret service loses an important back door, because the loopholes that have been created will now be found and closed in no time. Russia thus loses effectiveness in the cyberwar accompanying the conventional war between Russia and Ukraine," Trost said.

According to further information from WithSecure, the malware disguises itself as an add-in for the Microsoft Word word processor. The backdoor is not distributed en masse, but very selectively. "The Kapeka backdoor… is probably a custom-made tool used in limited-scale attacks," said Mohammad Kazem Hassan Nejad, security researcher at WithSecure Intelligence. The attack tool has been in use in Eastern Europe since mid-2022.
