Cybersecurity researchers have flagged a new campaign that likely targeted the Russian automobile and e-commerce sectors with a previously undocumented .NET malware called CAPI Backdoor.
According to Seqrite Labs, the attack chain uses phishing emails carrying ZIP archives to trigger the infection. The cybersecurity company's analysis is based on a ZIP artifact that was uploaded to the VirusTotal platform on October 3, 2025.
Present within the archive are a decoy Russian-language document claiming to be a notification about income tax law, and a Windows shortcut (LNK) file.
The LNK file, which has the same name as the ZIP archive (i.e., "Перерасчет заработной платы 01.10.2025", roughly "Salary recalculation 01.10.2025"), is responsible for executing the .NET implant ("adobe.dll") through the legitimate Microsoft binary "rundll32.exe". Proxying execution through a signed system binary is a living-off-the-land (LotL) technique that threat actors have long adopted, because the process that loads the malicious DLL looks like ordinary Windows activity.
The backdoor comes with functions to check whether it is running with administrator-level privileges, gather a list of installed antivirus products, and open the decoy document as a distraction while it silently connects to a remote server ("91.223.75[.]96") to receive further commands for execution, Seqrite said.
The commands allow CAPI Backdoor to steal data from web browsers such as Google Chrome, Microsoft Edge, and Mozilla Firefox; take a screenshot; collect system information; enumerate the contents of folders; and send the results back to the server.
It also runs a long list of checks to determine whether it is on a legitimate host or inside a virtual machine, and uses two methods to establish persistence: setting up a scheduled task, and creating an LNK file in the Windows Startup folder to automatically launch the backdoor DLL, which it first copies to the user's Roaming AppData folder.
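The execution chain (rundll32.exe loading a DLL from a user-writable path) and the two persistence mechanisms (a scheduled task and a Startup-folder LNK) are all visible in ordinary endpoint telemetry. The hunting logic below is an added example, not code from Seqrite or from the malware itself; it runs three rules over constructed, Sysmon-style process-creation and file-creation records. The user name "ivan", the "AdobeUpdate" task name and the "Entry" export are placeholders, and the event field names are assumptions about the telemetry schema rather than anything the report states. The rules generalize beyond this campaign: any rundll32 invocation of a DLL under a user's AppData tree, any schtasks /create whose action runs rundll32 against such a DLL, and any .lnk dropped into the per-user Startup folder are flagged.

```python
"""Hunting rules for the CAPI Backdoor tradecraft described in the article.

Added example (not Seqrite's code). Event records are constructed to resemble
Sysmon process-creation (ID 1) and file-creation (ID 11) telemetry; the field
names, user name, task name and DLL export are assumptions, not from the report.
"""
import re

# Directories a standard user can write to; a DLL loaded from here by a
# system binary is suspicious (the report's adobe.dll lives under Roaming).
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\(?:roaming|local)\\", re.I)
# Per-user Startup folder: anything dropped here runs at logon.
STARTUP_DIR = re.compile(
    r"\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\", re.I
)
# First argument of rundll32: the DLL path, optionally quoted, before ",Export".
RUNDLL_ARG = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",]+?\.dll)\b', re.I)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rundll32_user_dll(ev):
    """Rule 1: rundll32.exe executing a DLL located in a user-writable directory."""
    if ev["type"] != "process_create" or _basename(ev["image"]) != "rundll32.exe":
        return False
    m = RUNDLL_ARG.search(ev["cmdline"])
    return bool(m and USER_WRITABLE.search(m.group(1)))


def schtasks_launching_rundll32(ev):
    """Rule 2: schtasks.exe /create whose action runs rundll32 against a user-writable DLL."""
    if ev["type"] != "process_create" or _basename(ev["image"]) != "schtasks.exe":
        return False
    cmd = ev["cmdline"].lower()
    return "/create" in cmd and "rundll32" in cmd and bool(USER_WRITABLE.search(cmd))


def startup_folder_lnk(ev):
    """Rule 3: a .lnk written into the per-user Startup folder."""
    if ev["type"] != "file_create":
        return False
    target = ev["target"]
    return target.lower().endswith(".lnk") and bool(STARTUP_DIR.search(target))


RULES = [
    ("rundll32 loading DLL from user-writable path", rundll32_user_dll),
    ("scheduled task persistence via rundll32", schtasks_launching_rundll32),
    ("Startup folder LNK persistence", startup_folder_lnk),
]


def hunt(events):
    """Return (event_id, rule_name) for every event that matches a rule."""
    hits = []
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                hits.append((ev["id"], name))
    return hits


# Constructed sample telemetry (not from the report). 'ivan', 'AdobeUpdate'
# and the 'Entry' export are placeholders.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process_create", "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'rundll32.exe "C:\Users\ivan\AppData\Roaming\adobe.dll",Entry'},
    {"id": 2, "type": "process_create", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'schtasks.exe /create /tn "AdobeUpdate" /sc onlogon '
                r'/tr "rundll32.exe C:\Users\ivan\AppData\Roaming\adobe.dll,Entry"'},
    {"id": 3, "type": "file_create", "image": r"C:\Windows\System32\rundll32.exe",
     "target": r"C:\Users\ivan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.lnk"},
    # Benign: rundll32 invoking a system DLL, and a text file written to Roaming.
    {"id": 4, "type": "process_create", "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"id": 5, "type": "file_create", "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\ivan\AppData\Roaming\notes.txt"},
]

if __name__ == "__main__":
    for event_id, rule in hunt(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

Rule 1 keys on the DLL path rather than on the DLL name, since "adobe.dll" is trivially renamed; events 4 and 5 show the benign cases the rules must not fire on. In a real deployment the same three checks map onto Sysmon event IDs 1 and 11, or onto the equivalent EDR process and file events.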
Seqrite assesses that the threat actor is targeting the Russian automobile sector based on the fact that one of the domains associated with the campaign is named carprlce[.]ru, which appears to be impersonating the legitimate CarPrice domain "carprice[.]ru".
"The malicious payload is a .NET DLL that acts as an evasion and establishes persistence for future malicious activities," researchers Priya Patel and Subhajit Singha said.