Full Report
Cybersecurity researchers have shed light on a new campaign that has likely targeted the Russian automobile and e-commerce sectors with a previously undocumented .NET malware dubbed CAPI Backdoor. According to Seqrite Labs, the attack chain involves distributing phishing emails containing a ZIP archive as a way to trigger the infection. The cybersecurity company's analysis is based on the ZIP
Analysis Summary
# Threat Actor: Unknown Actor utilizing CAPI Backdoor (Inferred Name)
## Attribution & Identity
Attribution is not explicitly provided in the source article. The threat actor is responsible for deploying a previously undocumented .NET malware dubbed "**CAPI Backdoor**."
## Activity Summary
The actor is engaged in an ongoing campaign primarily targeting the Russian automobile and e-commerce sectors. The initial infection vector involves distributing phishing emails containing a ZIP archive. The campaign appears to have been active around October 2025 based on artifact timestamps and decoy document naming conventions.
## Tactics, Techniques & Procedures
- **Delivery:** Phishing emails containing a weaponized ZIP archive.
- **Execution:** The ZIP contains a decoy Russian-language document (a tax legislation notification) and a Windows shortcut (LNK) file. The LNK file launches the malicious .NET implant ("adobe.dll") through the legitimate Microsoft binary `rundll32.exe`, a living-off-the-land technique (MITRE ATT&CK T1218.011, System Binary Proxy Execution: Rundll32).
- **Defense Evasion:** Runs checks to determine if it is operating within a virtual machine environment.
- **Privilege Escalation:** The implant checks whether it is already running with administrator-level privileges. The source describes no technique for actually elevating, so this is a conditioning check on the current context rather than an escalation step.
- **Discovery:** Gathers a list of installed antivirus products and enumerates folder contents.
- **Exfiltration/Data Staging:** Steals data from web browsers (Chrome, Edge, Firefox), takes screenshots, and collects system information before exfiltrating results.
- **Persistence:** Two mechanisms: a scheduled task, and an LNK file dropped in the Windows Startup folder that launches a copy of the DLL placed in the user's Roaming (AppData) folder.
## Targeting
- Sectors: Automobile and E-commerce firms.
- Geography: Russia (inferred from the Russian-language decoy, the sectors targeted, and the impersonated Russian domain).
- Victims: No specific organizations are named. The use of carprlce[.]ru, a look-alike of carprice[.]ru with a lowercase "l" substituted for the "i", points to the Russian auto sector.
## Tools & Infrastructure
- **Malware Families Used:** CAPI Backdoor (.NET DLL implant).
- **Infrastructure (C2, domains, IPs):**
  - C2 IP: 91.223.75[.]96
  - Impersonation Domain: carprlce[.]ru
## Implications
This actor demonstrates an interest in financial/commercial data within Russia, utilizing commonly observed initial access vectors (phishing/LNK) and established LotL techniques to deploy novel backdoors. The CAPI Backdoor appears designed for comprehensive data theft and long-term compromise via multiple persistence mechanisms.
## Mitigations
- Enhance email scrutiny for suspicious ZIP attachments containing LNK files, especially if seemingly related to official documents or notifications.
- Implement Endpoint Detection and Response (EDR) rules that alert on `rundll32.exe` launched by `explorer.exe` (the parent seen when a user opens an LNK) with a DLL argument outside system directories, e.g. under the user profile, and on `rundll32.exe` spawned by unusual parents.
- Monitor scheduled task creation (`schtasks.exe /create`, `Register-ScheduledTask`, Windows Security event 4698) and new files in the per-user Startup folder (`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup`).
- Review network traffic targeting the identified C2 infrastructure (91.223.75[.]96).
- Harden browser credential stores against the data theft described above: prefer browsers and settings that bind stored credentials to the OS user or application (for example Chrome's App-Bound Encryption), and alert on non-browser processes reading Chrome/Edge `Login Data` and Firefox `logins.json`/`key4.db` files.
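The delivery chain (LNK to `rundll32.exe` to a user-profile DLL), the two persistence mechanisms and the C2 IP above translate directly into hunting logic. What follows is an added example written for this page, not Seqrite's code and not taken from the report: the telemetry events are constructed, the username and paths are hypothetical, and the heuristics (an `explorer.exe` parent as the LNK tell, a DLL under `C:\Users\`, an `.lnk` written to the Startup folder) are assumptions about how this chain appears in Sysmon-style process, file and network events.

```python
"""Hunting the CAPI Backdoor delivery and persistence chain in endpoint telemetry.

Added example: not Seqrite's code. Events are constructed and only loosely
follow Sysmon EventID 1 (process create), 11 (file create) and 3 (network connect).
"""
import re

# Indicator taken from the report.
C2_IPS = {"91.223.75.96"}

# Heuristics (assumptions, not report content).
USER_PROFILE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\", re.IGNORECASE)
STARTUP_LNK = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE)
# First .dll token after "rundll32" / "rundll32.exe" on a command line.
RUNDLL32_DLL = re.compile(r"rundll32(?:\.exe)?\s+\"?([^\s,\"]+\.dll)", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list[tuple[str, str]]:
    """Return (rule, detail) hits for one event; an empty list means no match."""
    hits = []
    image = basename(ev.get("image", ""))
    if ev["id"] == 1:  # process creation
        parent = basename(ev.get("parent", ""))
        cmd = ev.get("cmd", "")
        m = RUNDLL32_DLL.search(cmd)
        dll = m.group(1) if m else ""
        # Opening an LNK gives rundll32.exe an explorer.exe parent; a DLL loaded
        # from the user's profile instead of a system directory is the tell.
        if image == "rundll32.exe" and parent == "explorer.exe" and USER_PROFILE.match(dll):
            hits.append(("rundll32_user_dll_from_explorer", dll))
        # Task creation by rundll32 itself, or any created task whose action is
        # rundll32 pointing at a user-profile DLL.
        if image == "schtasks.exe" and "/create" in cmd.lower() and (
                parent == "rundll32.exe" or USER_PROFILE.match(dll)):
            hits.append(("schtasks_persistence", cmd))
    elif ev["id"] == 11:  # file creation
        target = ev.get("target", "")
        if STARTUP_LNK.search(target):
            hits.append(("startup_folder_lnk", target))
    elif ev["id"] == 3:  # network connection
        if ev.get("dst_ip") in C2_IPS:
            hits.append(("known_c2_ip", f"{ev['dst_ip']}:{ev.get('dst_port')}"))
    return hits


def scan(events: list[dict]) -> list[tuple[str, str]]:
    return [hit for ev in events for hit in check_event(ev)]


# Constructed sample telemetry (hypothetical user "alice"; paths are illustrative).
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\rundll32.exe", "parent": r"C:\Windows\explorer.exe",
     "cmd": r"rundll32.exe C:\Users\alice\Downloads\docs\adobe.dll,Entry"},
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe", "parent": r"C:\Windows\System32\rundll32.exe",
     "cmd": r'schtasks /create /sc minute /mo 5 /tn Updater /tr "rundll32 C:\Users\alice\AppData\Roaming\adobe.dll,Entry"'},
    {"id": 11, "image": r"C:\Windows\System32\rundll32.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.lnk"},
    {"id": 3, "image": r"C:\Windows\System32\rundll32.exe", "dst_ip": "91.223.75.96", "dst_port": 443},
    # Ordinary rundll32 use of a system DLL from a service parent: must not fire.
    {"id": 1, "image": r"C:\Windows\System32\rundll32.exe", "parent": r"C:\Windows\System32\svchost.exe",
     "cmd": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The `explorer.exe` parent check is what separates a user-opened LNK from a service or installer that legitimately calls `rundll32.exe`; the last sample event shows why the DLL-path condition is needed as well, since `shell32.dll` from `System32` should stay quiet. In production the same four rules map onto Sysmon or EDR queries; the C2 IP rule is the cheapest but also the one an operator can rotate away from, so treat the behavioural rules as the durable part.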