Oct 18, 2025Ravie LakshmananThreat Intelligence / Cybercrime
Cybersecurity researchers have make clear a brand new marketing campaign that has doubtless focused the Russian car and e-commerce sectors with a beforehand undocumented .NET malware dubbed CAPI Backdoor.
In accordance with Seqrite Labs, the assault chain includes distributing phishing emails containing a ZIP archive as a approach to set off the an infection. The cybersecurity firm’s evaluation is predicated on the ZIP artifact that was uploaded to the VirusTotal platform on October 3, 2025.
Current with the archive is a decoy Russian-language doc that purports to be a notification associated to earnings tax laws and a Home windows shortcut (LNK) file.
The LNK file, which has the identical title because the ZIP archive (i.e., “Перерасчет заработной платы 01.10.2025”), is accountable for the execution of the .NET implant (“adobe.dll”) utilizing a official Microsoft binary named “rundll32.exe,” a living-off-the-land (LotL) approach recognized to be adopted by risk actors.
The backdoor, Seqrite famous, comes with capabilities to examine if it is working with administrator-level privileges, collect an inventory of put in antivirus merchandise, and open the decoy doc as a ruse, whereas it stealthily connects to a distant server (“91.223.75[.]96”) to obtain additional instructions for execution.
The instructions enable CAPI Backdoor to steal information from internet browsers like Google Chrome, Microsoft Edge, and Mozilla Firefox; take screenshots; accumulate system info; enumerate folder contents; and exfiltrate the outcomes again to the server.
It additionally makes an attempt to run a protracted record of checks to find out if it is a official host or a digital machine, and makes use of two strategies to determine persistence, together with organising a scheduled activity and making a LNK file within the Home windows Startup folder to robotically launch the backdoor DLL copied to the Home windows Roaming folder.
Seqrite’s evaluation that the risk actor is focusing on the Russian car sector is right down to the truth that one of many domains linked to the marketing campaign is known as carprlce[.]ru, which seems to impersonate the official “carprice[.]ru.”
“The malicious payload is a .NET DLL that capabilities as a stealer and establishes persistence for future malicious actions,” researchers Priya Patel and Subhajeet Singha mentioned.
