Kovter - What it is, fileless tricks, and how to remove it safely

Kovter

What it is

Kovter is a fileless malware family best known for large-scale ad fraud. It hides in memory and the Windows registry, abuses tools like PowerShell, and phones home for commands so it can click ads, load pages in the background, and sometimes pull in extra payloads.

How it works - quick tour

  • Fileless persistence in the Windows registry with obfuscated scripts

  • Living off the land via PowerShell and scheduled tasks

  • Click fraud engine opens hidden browsers to fake views and clicks

  • Command and control updates campaigns and modules on the fly

What you may notice

  • High CPU or network use when you are idle

  • Browser opens briefly or runs hidden in the background

  • New scheduled tasks or registry run keys you did not create

  • Security tools disabled or updates failing

How it gets in

  • Phishing attachments and malvertising

  • “Free” repacks and fake software updates

  • Exploits against outdated browsers or plugins

Remove it now

  1. Disconnect from the internet to stop new commands.

  2. Run a full anti-malware scan, reboot, then scan again.

  3. Check Startup, Scheduled Tasks, and registry Run keys - remove unknown entries.

  4. Clear browser extensions, cache, and proxies you didn’t set.

  5. From a clean device, change passwords and enable MFA on key accounts.
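
As an added example (not from the original article), the following read-only PowerShell triage script covers step 3: it lists Run/RunOnce registry values and scheduled-task actions whose command lines invoke script interpreters or hidden/encoded PowerShell, the living-off-the-land pattern described above. It assumes Windows PowerShell 5.1 or later; the `$suspicious` pattern is an assumed starting list you should tune for your environment.

```powershell
# Added example, not part of the original article. Read-only: it reports
# candidate persistence entries for a human to review; it deletes nothing.
# Assumes Windows PowerShell 5.1+ (Get-ScheduledTask requires Windows 8/2012+).

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumed pattern: script hosts commonly abused by fileless malware, plus
# PowerShell switches that hide the window or encode the command line.
$suspicious = 'powershell|pwsh|mshta|wscript|cscript|regsvr32|rundll32|' +
              '-enc|-encodedcommand|-nop|-w hidden|-windowstyle hidden|' +
              'frombase64string|downloadstring|invoke-expression|\biex\b'

function Test-Suspicious([string]$CommandLine) {
    return $CommandLine -match $suspicious
}

# 1. Registry Run / RunOnce values (per-user and machine-wide)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $value = [string]$item.GetValue($name)
        if (Test-Suspicious $value) {
            [pscustomobject]@{ Source = $key; Name = $name; Command = $value }
        }
    }
}

# 2. Scheduled task actions: executable plus its arguments
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if (Test-Suspicious $cmd) {
            [pscustomobject]@{
                Source  = "Task $($task.TaskPath)$($task.TaskName)"
                Name    = $task.TaskName
                Command = $cmd
            }
        }
    }
}
```

Run it from an elevated prompt so the HKLM keys and all task folders are readable; review each hit against what you actually installed before removing anything.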

Prevent it

  • Install software from official sources and keep Windows and browsers updated.

  • Block Office macros by default and use email and web filtering.

  • Use reputable EDR or anti-malware that monitors script behavior.

  • Limit PowerShell to signed scripts and standard user rights where possible.
