The Kovter malware family has been reportedly infecting systems globally since 2014. Since then, its developers have repurposed and modified Kovter multiple times, increasing the rate of infection with each new variant. Originally, Kovter was distributed as a ransomware variant that locked victims’ and threatened law enforcement response. In more recent campaigns, Kovter has been used for click-fraud and malicious advertising to generate funds for its developers. Kovter is unique because of its file-less infection abilities, concealing and storing itself in the memory of infected machines. It is then executed from the system registry via specific commands contained in registry keys to maintain persistence and avoid discovery by antivirus programs. As of October 2016, Kovter has been observed in macro-documents and sent via targeted email campaigns, avoiding detection by requiring a recipient to both enable macros and to click on an image within its contents to activate its malicious code.


  • July-August 2016: Kovter was seen in malicious Google Chrome and Mozilla Firefox updates.

  • October 2016: New Kovter trojan Variant Spreading Via Targeted Email Campaign (DarkReading and SecureSence)

  • January 2017: Locky variant also downloads Kovter trojan to the victim’s machine. Victims who pay the Locky ransom are still left with the trojan. (Threatpost)

  • February 2017: Attackers are using malicious email campaigns with .lnk attachments to spread Locky ransomware and the Kovter click-fraud trojan. (Microsoft)

  • April 2017: Nemucod trojan is delivering Kovter to victims in a USPS-themed phishing campaign, allowing attackers to gain remote access and steal personal and financial information. (MalwareBytes)

  • October 2017: Researchers discovered Kovter being distributed via a widespread malvertising campaign in which the malicious ads masquerade as a fraudulent browser or Flash update. (Proofpoint)

  • November 2018: The DOJ published a press release detailing the indictment of eight defendants for their part in the 3ve ad fraud operation that used the Kovter malware to control victim machines. Google and White Ops released a whitepaper on their investigation and take down, while DHS and FBI released a joint technical alert on the operation. 3ve caused tens of millions of dollars in losses. (Proofpoint)

Technical Details

  • Morphisec provides technical details on the Kovter trojan, available here.

Trojan VariantsNJCCICKovter, 3ve