APT / THREAT GROUP | 💰 FINANCIAL | HIGH

Kovter

2 aliases
Last seen: Mar 17, 2026

Intelligence Profile

Kovter is a police ransomware.

Feb 2012 - Police ransomware

Aug 2013 - Became ad fraud

Mar 2014 - Ransomware to ad fraud malware

June 2014 - Distributed from Sweet Orange exploit kit

Dec 2014 - Run affiliated node

Apr 2015 - Spread via Fiesta and Nuclear Pack

May 2015 - Kovter became fileless

2016 - Malvertising campaign on Chrome and Firefox

June 2016 - Change in persistence

July 2017 - Nemucod and Kovter were packed together

Jan 2018 - Cylance report on persistence

Threat Analysis

Kovter is a high-sophistication threat actor of undetermined national origin, engaged in cyber operations with a primarily financial motivation.

Financially motivated threat actors like Kovter prioritize monetary gain through methods such as ransomware deployment, banking trojans, cryptocurrency theft, BEC scams, or credential harvesting for resale on underground markets.

With high sophistication, Kovter is capable of targeted intrusions using adapted commodity tools alongside custom implants, maintaining operational security and evading standard detection mechanisms.

Quick Facts

Type: APT / Threat Group
Motivation: 💰 financial
Sophistication: high
Aliases: 2

Also Known As

Kovter, win.kovter

External Intelligence

Malpedia: win.kovter

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.