MALWARE FAMILY | 💰 FINANCIAL | HIGH

Kovter

Internal ID: win.kovter
Aliases: 1
Last seen: Mar 17, 2026

Intelligence Profile

Kovter is a Police Ransomware

Feb 2012 - Police Ransomware

Aug 2013 - Became ad fraud

Mar 2014 - Ransomware to ad fraud malware

June 2014 - Distributed from Sweet Orange exploit kit

Dec 2014 - Run affiliated node

Apr 2015 - Spread via Fiesta and Nuclear Pack

May 2015 - Kovter became fileless

2016 - Malvertising campaign on Chrome and Firefox

June 2016 - Change in persistence

July 2017 - Nemucod and Kovter were packed together

Jan 2018 - Cylance report on persistence

Threat Analysis

Kovter is a malware family tracked by threat intelligence researchers and catalogued in the Malpedia dataset. It represents a distinct malicious software lineage with identifiable code characteristics, behaviors, and victimology.

Financially motivated threat actors like Kovter prioritize monetary gain through methods such as ransomware deployment, banking trojans, cryptocurrency theft, BEC scams, or credential harvesting for resale on underground markets.

With high sophistication, Kovter is capable of targeted intrusions using adapted commodity tools alongside custom implants, maintaining operational security and evading standard detection mechanisms.

Quick Facts

Type: Malware Family
Motivation: 💰 financial
Sophistication: high
Aliases: 1

Also Known As

win.kovter

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.