Kovter is a malware family targeting Windows that, per Malwarebytes, has 'many faces' — its main variants are aimed at ad/click fraud and are hard to detect and remove because they use fileless infection methods. It usually arrives as a macro in a Word document email attachment; when the macro runs, it downloads a file that creates a PowerShell command stored in the Windows registry to gain persistence, after which the dropped file deletes itself. Over its history Kovter evolved through police-themed ransomware and downloader roles before becoming known for click fraud.
Threat reports may refer to this family under multiple names:
This family has been observed using the following ATT&CK techniques: T1112 T1059.001 T1027.011 T1547.001 T1055
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.
rule MALWARE_WIN_KOVTER {
meta:
description = "Detects Kovter (click_fraud)"
author = "SystemHelpdesk Boilerplate Generator"
date = "2026-07-06"
strings:
$s1 = "kovter" ascii wide nocase
$s2 = "kovter" ascii wide nocase
condition:
uint16(0) == 0x5a4d and any of them
}title: Suspicious Kovter Activity
id: 6f91e55fc316078dad154e3fc2b92a4b
status: experimental
description: Detects generic indicators of the kovter malware family.
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
CommandLine|contains:
- "*kovter*"
- "*kovter*"
condition: selection
level: mediumA Windows malware family best known for ad/click fraud, notable for using fileless techniques that make it hard to detect and remove.
It stores its persistence mechanism as a PowerShell command in the Windows registry rather than as an ordinary file, and the dropped file deletes itself, leaving little on disk.
It usually arrives as a macro inside a Word document email attachment; running the macro downloads and sets up the malware.
Its main variants perform ad/click fraud; over time it has also been associated with ransomware and downloader behavior.
Disable Office macros from untrusted documents, be cautious with email attachments, and use reputable security software.
Malwarebytes maintains a Trojan.Kovter detection page, linked on this page.
Explore other malware families in the same category:
Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/kovter.json
This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.