
New .NET CAPI Backdoor: A Growing Threat to Russian Auto and E-Commerce Firms Through Phishing ZIPs

Cybersecurity researchers have uncovered a new campaign targeting the Russian automobile and e-commerce sectors with a previously undocumented .NET malware tracked as CAPI Backdoor. The infection chain begins with phishing emails carrying a ZIP archive. Seqrite Labs noted that the ZIP file was uploaded to VirusTotal on October 3, 2025.

Inside the ZIP archive is a decoy document written in Russian, presented as a notification about income tax legislation, alongside a Windows shortcut (LNK) file. The LNK file, which carries the same name as the ZIP archive, launches the .NET implant, named "adobe.dll", through the legitimate Microsoft binary rundll32.exe. Abusing signed, pre-installed system binaries in this way is a common living-off-the-land technique: the process that actually runs the payload is one that already exists on every Windows host, so it draws less attention than a dropped executable.

The CAPI Backdoor implements several functions: it checks whether it is running with administrator privileges, detects installed antivirus software, and opens the decoy document as a diversion while it contacts a remote server at "91.223.75.96" to retrieve further commands.

Once operational, the malware can steal data from browsers such as Google Chrome, Microsoft Edge, and Mozilla Firefox, capture screenshots, collect system information, and enumerate directory contents, exfiltrating the results to the server. It also runs a series of checks to determine whether it is executing on a real machine or inside a virtual environment.

For persistence, the malware uses two mechanisms: it creates a scheduled task and drops a shortcut into the Windows Startup folder, so that the backdoor is relaunched after the next system boot. Researchers attributed the campaign's focus on the Russian automobile sector to a domain linked to it, "carprlce.ru", which mimics the legitimate site "carprice.ru" by replacing the letter "i" with a lowercase "l".
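The execution chain (an LNK handing adobe.dll to rundll32.exe) and the two persistence mechanisms above leave traces that endpoint telemetry can be hunted for. The Python below is an added example, not code from Seqrite Labs or from the campaign itself. It runs three rules over a handful of constructed, Sysmon-style events: rundll32.exe loading a DLL from a user-writable directory, a scheduled task or Startup-folder shortcut pointing into such a directory, and an outbound connection to the C2 address named in the report. The event field names, user name, paths, task name and the DLL export "Entry" are assumptions; only adobe.dll and 91.223.75.96 come from the article.

```python
import re

# Constructed, Sysmon-style sample events (assumed field names; not real telemetry
# from the Seqrite report). id 1 = process creation, 3 = network connection,
# 11 = file creation. User name, paths and the "Entry" export are placeholders.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\ivan\Downloads\notice\adobe.dll",Entry',
     "parent": r"C:\Windows\explorer.exe"},          # LNK double-click -> rundll32
    {"id": 1, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "parent": r"C:\Windows\System32\svchost.exe"},  # benign: DLL lives in System32
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": (r'schtasks /create /tn Updater /sc onlogon '
                 r'/tr "rundll32 C:\Users\ivan\AppData\Roaming\adobe.dll,Entry"'),
     "parent": r"C:\Windows\System32\rundll32.exe"},
    {"id": 11, "image": r"C:\Windows\System32\rundll32.exe",
     "target": r"C:\Users\ivan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.lnk"},
    {"id": 3, "image": r"C:\Windows\System32\rundll32.exe",
     "dest_ip": "91.223.75.96", "dest_port": 443},
    {"id": 3, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_ip": "203.0.113.10", "dest_port": 443},   # benign browser traffic (TEST-NET address)
]

# Directories a standard user can write to; a DLL handed to rundll32 from here is suspicious.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(?:Downloads|AppData|Desktop|Documents)\\|\\Temp\\|\\ProgramData\\", re.I)
# First absolute *.dll path on the command line, quoted or bare.
DLL_ARG = re.compile(r'"?([A-Za-z]:\\[^",]+?\.dll)"?', re.I)
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
C2_IPS = {"91.223.75.96"}  # C2 address named in the report


def flag_rundll32(ev):
    """rundll32.exe executing a DLL that sits outside the system/program directories."""
    if ev.get("id") != 1 or not ev["image"].lower().endswith(r"\rundll32.exe"):
        return None
    m = DLL_ARG.search(ev["cmdline"])
    if m and USER_WRITABLE.search(m.group(1)):
        return f"rundll32 loading DLL from user-writable path: {m.group(1)} (parent {ev['parent']})"
    return None


def flag_persistence(ev):
    """Scheduled task whose action lives in a user-writable path, or a .lnk dropped in Startup."""
    if ev.get("id") == 1 and ev["image"].lower().endswith(r"\schtasks.exe"):
        if "/create" in ev["cmdline"].lower() and USER_WRITABLE.search(ev["cmdline"]):
            return f"scheduled task created with action in user-writable path: {ev['cmdline']}"
    if ev.get("id") == 11 and STARTUP_LNK.search(ev["target"]):
        return f"shortcut dropped in Startup folder by {ev['image']}: {ev['target']}"
    return None


def flag_c2(ev):
    """Outbound connection to a known CAPI Backdoor C2 address."""
    if ev.get("id") == 3 and ev["dest_ip"] in C2_IPS:
        return f"connection to known C2 {ev['dest_ip']}:{ev['dest_port']} from {ev['image']}"
    return None


def triage(events):
    """Apply every rule to every event; return the list of alert strings."""
    alerts = []
    for ev in events:
        for rule in (flag_rundll32, flag_persistence, flag_c2):
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print("ALERT:", line)
```

The DLL-path rule deliberately keys on where the DLL lives rather than on the file name, since "adobe.dll" is trivially renamed; the C2 rule is the only brittle, indicator-based check and is there for the initial sweep, not as a long-term detection.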

The malicious payload is a .NET DLL that functions as a stealer and lays the groundwork for follow-on activity, researchers Priya Patel and Subhajeet Singha noted.
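The "carprlce.ru" domain above swaps the letter i for l, a substitution that survives a quick glance. The Python below is an added example (not Seqrite's tooling) of scoring candidate domains against a brand: it first folds common look-alike characters (l, 1 to i; 0 to o; rn to m; vv to w) and then applies Levenshtein distance to the registrable label. It assumes plain ASCII labels and a single-label TLD; punycode/IDN homographs and multi-part suffixes such as co.uk are out of scope. The candidate list is constructed for illustration.

```python
# Character sequences that look alike in common sans-serif fonts; multi-character
# sequences are listed first so they are folded before the single characters.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("l", "i"), ("1", "i"), ("0", "o")]

# Constructed candidate list: carprice.ru is the legitimate site; carprlce.ru is the
# lookalike named in the report; the rest are made-up variants and unrelated names.
CANDIDATES = ["carprice.ru", "carprlce.ru", "carpr1ce.ru", "carprice.com",
              "carpirce.ru", "dedirock.com", "auto.ru"]


def normalize(label):
    """Fold look-alike characters so visually identical labels compare equal."""
    s = label.lower()
    for seq, repl in HOMOGLYPHS:
        s = s.replace(seq, repl)
    return s


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate, brand):
    """Return (verdict, distance) for a candidate domain against a brand domain.

    Assumes single-label TLDs ('carprice.ru'), not public suffixes like 'co.uk'.
    """
    c_label, c_tld = candidate.lower().rsplit(".", 1)
    b_label, b_tld = brand.lower().rsplit(".", 1)
    if c_label == b_label:
        return ("exact", 0) if c_tld == b_tld else ("tld-swap", 0)
    nc, nb = normalize(c_label), normalize(b_label)
    if nc == nb:
        return ("homoglyph", 0)           # differs only by look-alike characters
    d = levenshtein(nc, nb)
    # One edit is always suspicious; allow two for longer labels where a
    # transposition (two substitutions) is still a plausible typo.
    if d <= 1 or (d <= 2 and len(b_label) >= 8):
        return ("typosquat", d)
    return ("unrelated", d)


def find_lookalikes(domains, brand):
    """Map each suspicious domain to its (verdict, distance); exact and unrelated are dropped."""
    hits = {}
    for d in domains:
        verdict, dist = classify(d, brand)
        if verdict not in ("exact", "unrelated"):
            hits[d] = (verdict, dist)
    return hits


if __name__ == "__main__":
    for domain, (verdict, dist) in find_lookalikes(CANDIDATES, "carprice.ru").items():
        print(f"{domain:15} {verdict:10} distance={dist}")
```

Feeding newly registered domains or passive-DNS results for a brand through `find_lookalikes` is a cheap way to spot infrastructure like carprlce.ru before it is used in a lure; the homoglyph fold is what catches it, since raw edit distance alone treats an i/l swap as just one ordinary substitution.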


