CAPI Backdoor
Cybersecurity researchers have uncovered a new malware campaign aimed at the Russian automobile and e-commerce sectors. The attack leverages a previously undocumented .NET malware, now identified as CAPI Backdoor, which demonstrates advanced evasion and data theft techniques.
Infection Vector: Phishing and ZIP Archives
The infection chain begins with phishing emails carrying a ZIP archive. Analysis of a ZIP artifact dated October 3, 2025, revealed a decoy Russian-language document posing as a notification about income tax legislation. Alongside the document sits a Windows shortcut (LNK) file that carries the same name as the archive: Перерасчет заработной платы 01.10.2025 ("Salary recalculation 01.10.2025").
The LNK file launches the backdoor DLL (adobe.dll) via rundll32.exe, a signed Microsoft binary that is present on every Windows host. Abusing a built-in utility in this way is a living-off-the-land (LotL) technique: no standalone malicious executable has to be dropped, and the process tree looks like ordinary rundll32 activity unless the DLL path is inspected.
Backdoor Capabilities: Stealth and Data Theft
Once executed, CAPI Backdoor performs multiple tasks while maintaining stealth:
- Checks for administrator privileges
- Gathers a list of installed antivirus products
- Opens the decoy document as a distraction
- Connects to a remote server (91.223.75[.]96) to receive additional commands
The received commands enable the malware to:
- Steal credentials and data from web browsers such as Google Chrome, Microsoft Edge, and Mozilla Firefox
- Capture screenshots
- Collect system information
- Enumerate folder contents and exfiltrate them to the remote server
Evasion and Persistence Mechanisms
CAPI Backdoor runs several checks to determine whether it is executing inside a virtual machine or sandbox rather than on a real host. For persistence it uses two methods:
- Creating a scheduled task
- Placing a LNK file in the user's Startup folder that launches the backdoor DLL, which is stored under the Roaming profile directory (AppData\Roaming)
Either mechanism relaunches the malware after a reboot, so both must be removed during cleanup.
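The execution chain and the persistence mechanisms described above give a defender concrete things to hunt for. What follows is an added example, not code from the researchers or from the article: a small Python hunt over constructed Sysmon-style process-creation, network and file-creation events plus a Security 4698 task-creation event. The DLL name adobe.dll, the Roaming location, the Startup folder and the C2 address come from the article; the user name, LNK and task names, the DLL export name and the event payloads themselves are assumptions made for the demonstration.

```python
import re

# Paths the article names: the DLL comes out of the phishing ZIP and is later
# kept under AppData\Roaming; the Startup-folder LNK relaunches it from there.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(?:AppData\\(?:Local\\Temp|Roaming)|Downloads)\\", re.I)
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
C2_IPS = {"91.223.75.96"}  # C2 address from the article (shown defanged there)
LNK_PARENTS = ("explorer.exe", "7zfm.exe", "winrar.exe")  # assumption: parents of a double-clicked LNK


def _is(image, name):
    return image.lower().endswith("\\" + name)


def check_event(ev):
    """Return a finding for one event, or None. Sysmon IDs 1/3/11 and
    Security ID 4698 (task created) are keyed on EventID; those IDs do not
    collide, so one function can handle both sources."""
    eid, image, cl = ev["EventID"], ev.get("Image", ""), ev.get("CommandLine", "")
    if eid == 1 and _is(image, "rundll32.exe") and USER_WRITABLE.search(cl):
        # a double-clicked LNK shows explorer.exe (or an archive GUI) as parent
        if any(_is(ev.get("ParentImage", ""), p) for p in LNK_PARENTS):
            return "rundll32 loading a DLL from a user-writable path: " + cl
    if eid == 3 and _is(image, "rundll32.exe") and ev.get("DestinationIp") in C2_IPS:
        return "rundll32 connecting to known C2 " + ev["DestinationIp"]
    if eid == 11 and STARTUP_LNK.search(ev.get("TargetFilename", "")):
        return "LNK written to Startup folder: " + ev["TargetFilename"]
    task = ev.get("TaskContent", "")
    # 4698 also catches tasks registered through the Task Scheduler API,
    # which never spawn schtasks.exe, so a process-creation rule would miss them
    if eid == 4698 and "rundll32" in task.lower() and USER_WRITABLE.search(task):
        return "scheduled task running rundll32 from a user path: " + ev["TaskName"]
    return None


def hunt(events):
    """Run check_event over a list of events and return every finding."""
    return [f for f in (check_event(e) for e in events) if f]


# Constructed events, not real telemetry. Names other than adobe.dll are
# placeholders, and the article does not name the DLL export ("Run" here).
DLL = r"C:\Users\ivan\AppData\Roaming\adobe.dll"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'rundll32.exe "C:\Users\ivan\Downloads\Перерасчет заработной платы 01.10.2025\adobe.dll",Run'},
    {"EventID": 3, "Image": r"C:\Windows\System32\rundll32.exe", "DestinationIp": "91.223.75.96"},
    {"EventID": 11, "Image": r"C:\Windows\System32\rundll32.exe",
     "TargetFilename": r"C:\Users\ivan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.lnk"},
    {"EventID": 4698, "TaskName": r"\AdobeUpdate",
     "TaskContent": "<Exec><Command>rundll32.exe</Command><Arguments>" + DLL + ",Run</Arguments></Exec>"},
    # benign: Control Panel applet loaded via rundll32 from a system path
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    # benign: ordinary user file write outside the Startup folder
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\ivan\Desktop\notes.txt"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The rundll32 rule deliberately keys on the DLL path rather than on rundll32.exe itself, which is noisy on any Windows host; the two benign events show the difference. The Startup-folder regex also matches the all-users Startup directory under ProgramData, which is desirable for a hunt.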
Target Attribution and Indicators
Experts link the campaign to the Russian automobile sector through the domain carprlce.ru, which swaps a lowercase "l" for the "i" in the legitimate carprice.ru: a typosquat that is easy to miss at a glance and in logs.
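The carprlce.ru / carprice.ru substitution is the kind of lookalike that a plain blocklist never catches. The following is an added example, not the researchers' or the article's tooling: a Python check that flags a domain when its second-level label is one edit away from a protected brand, or becomes identical once visually confusable characters are folded. The brand list and the candidate domains other than carprlce.ru and carprice.ru are assumptions.

```python
def levenshtein(a, b):
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


# Visually confusable sequences folded to one canonical form. Multi-character
# entries come first so "rn" becomes "m" before single letters are rewritten.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("1", "i"), ("l", "i"), ("0", "o"))


def fold(label):
    out = label.lower()
    for src, dst in CONFUSABLES:
        out = out.replace(src, dst)
    return out


def sld(domain):
    """Second-level label, e.g. 'carprice' for 'carprice.ru'. Naive: treats
    the last label as the TLD, so multi-label suffixes like co.uk are wrong."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def lookalike_of(domain, brands):
    """Return the protected brand domain that `domain` imitates, or None."""
    if domain.lower() in {b.lower() for b in brands}:
        return None  # the brand itself, not an imitation
    d = sld(domain)
    for brand in brands:
        b = sld(brand)
        # same label under another TLD, confusable-character swap, or one typo
        if d == b or fold(d) == fold(b) or levenshtein(d, b) == 1:
            return brand
    return None


BRANDS = ["carprice.ru"]  # assumption: the protected-brand list you maintain

if __name__ == "__main__":
    for candidate in ("carprlce.ru", "carprice.ru", "carpr1ce.ru", "carprice.com", "example.org"):
        print(candidate, "->", lookalike_of(candidate, BRANDS))
```

Run over DNS query logs or proxy logs, a hit on `lookalike_of` is a pivot point rather than a verdict: the edit-distance rule fires on benign neighbours of short brand names, so pair it with registration date or first-seen data before blocking.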
The malware itself is a .NET DLL designed primarily as a stealer, establishing persistence for continued malicious operations while exfiltrating sensitive information.