New .NET CAPI Backdoor Targets Russian Automotive and E-Commerce Firms via Phishing ZIPs

Cybersecurity researchers have uncovered a fresh phishing campaign that appears aimed at organizations in Russia's automotive and e-commerce sectors, using a previously unseen .NET implant named CAPI Backdoor. According to Seqrite Labs, the attackers delivered the malware as a ZIP attachment; the ZIP artifact was uploaded to VirusTotal on October 3, 2025.

Attack chain and delivery

The campaign lures victims with a Russian-language decoy document, presented as a tax notice, bundled inside the ZIP. A Windows shortcut (LNK) file bearing the same name as the ZIP, "Перерасчет заработной платы 01.10.2025" ("Salary recalculation 01.10.2025"), launches the infection. The LNK runs a .NET DLL, "adobe.dll", through the legitimate Microsoft binary "rundll32.exe", a living-off-the-land technique commonly abused by threat actors because the signed system binary, rather than the malware itself, is what appears as the running process.
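The rundll32.exe-plus-DLL step in that chain is easy to hunt for in process-creation telemetry: a signed system binary loading a DLL from a directory the user can write to, launched by explorer.exe as a double-clicked shortcut would be. The Python below is an added example, not Seqrite's code and not an artifact from the campaign. It runs that rule over constructed Sysmon-style events; the user name, the extraction path and the ",Start" entry point are assumptions, and only the DLL name adobe.dll comes from the report.

```python
"""Process-creation hunting rule for the rundll32.exe + user-writable DLL pattern.

Added example (not Seqrite's code or the campaign's artifacts). The events below
are constructed to resemble Sysmon Event ID 1 fields; the user name, extraction
path and the ",Start" entry point are assumptions, only the DLL name adobe.dll
comes from the report.
"""
import re

# Directories an ordinary user can write to; a signed system binary loading a
# DLL from one of them is the core of the LOLBin signal.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\(?:appdata|downloads|desktop|documents)"
    r"|users\\public|programdata|windows\\temp)\\",
    re.IGNORECASE,
)


def rundll32_module(cmdline):
    """Return the DLL that a rundll32 command line loads, or None.

    Syntax is rundll32.exe <dll>[,<entry>] [args]; the DLL token may be quoted,
    and the entry point is glued to it with a comma, so split on the first
    comma or whitespace only when the token is unquoted.
    """
    m = re.match(r'\s*(?:"[^"]+"|\S+)\s+(.*)', cmdline)  # drop the exe token
    if not m:
        return None
    rest = m.group(1).strip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        return rest[1:end] if end > 1 else None
    return re.split(r"[,\s]", rest, maxsplit=1)[0] or None


def evaluate(event):
    """Return the list of suspicious traits for one process-creation event."""
    findings = []
    if not event["Image"].lower().endswith("\\rundll32.exe"):
        return findings
    module = rundll32_module(event["CommandLine"])
    if module is None:
        return findings
    if USER_WRITABLE.search(module):
        findings.append(f"rundll32 loads a DLL from a user-writable path: {module}")
    if event["ParentImage"].lower().endswith("\\explorer.exe"):
        findings.append("parent is explorer.exe (interactive launch, e.g. a double-clicked LNK)")
    return findings


def hunt(events):
    """Map event index -> findings for every event that triggers the rule."""
    return {i: f for i, f in ((i, evaluate(e)) for i, e in enumerate(events)) if f}


# Constructed sample telemetry: a benign Control Panel launch, the LNK-driven
# first stage from the extracted ZIP, and a scheduled-task relaunch of the
# copy in the Roaming profile.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" "C:\Users\ivan\Downloads\adobe.dll",Start'},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r'rundll32.exe "C:\Users\ivan\AppData\Roaming\adobe.dll",Start'},
]

if __name__ == "__main__":
    for idx, findings in hunt(SAMPLE_EVENTS).items():
        print(f"event {idx}:")
        for line in findings:
            print("  -", line)
```

The benign shell32.dll launch produces no findings; the first-stage event matches both traits (user-writable DLL and explorer.exe parent), and the later relaunch from the Roaming folder matches only the path trait, which is still worth alerting on because nothing legitimate should have rundll32 load a DLL from %APPDATA%.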

Seqrite's analysis shows that on execution the backdoor checks whether it is running with administrator privileges, enumerates installed antivirus products, and opens the decoy document to distract the user while the malicious activity continues in the background.

Capabilities and persistence

CAPI Backdoor communicates with a remote command-and-control (C2) server at 91.223.75[.]96 to receive instructions. Its reported capabilities include stealing data from web browsers such as Google Chrome, Microsoft Edge, and Mozilla Firefox; capturing screenshots; collecting system information; enumerating files and folders; and exfiltrating the harvested data to the attacker. The malware also runs several anti-analysis checks to detect virtualized or sandboxed environments.

For persistence, the implant uses at least two methods: it creates a scheduled task, and it drops a LNK file in the Windows Startup folder that launches a copy of the DLL placed in the user's Roaming profile folder.
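A defender checking a host for the Startup-folder half of that persistence can parse the shortcuts directly rather than trusting what Explorer displays for them. The Python below is an added example, not Seqrite's code and not the campaign's own shortcut: it implements a minimal MS-SHLLINK parser (header, LinkInfo with the absolute target, and the string data that carries the arguments), builds a constructed shortcut that mirrors the reported mechanism (the user name, volume label and ",Start" entry point are assumptions), and flags it.

```python
"""Parse Windows Shell Link (.lnk) files and flag a Startup-folder shortcut that
runs rundll32.exe against a DLL in the user's Roaming profile.

Added example (not Seqrite's code and not the campaign's LNK). The sample
shortcut is constructed by build_lnk(); the user name, volume label and
",Start" entry point are assumptions.
"""
import os
import struct

LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits from MS-SHLLINK section 2.1.1
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x04, 0x08, 0x10, 0x20
IS_UNICODE = 0x80
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01  # LinkInfoFlags bit


def _string_data(buf, pos, unicode):
    """Read one StringData item: uint16 character count, then the characters."""
    count = struct.unpack_from("<H", buf, pos)[0]
    pos += 2
    width = 2 if unicode else 1
    raw = buf[pos:pos + count * width]
    return raw.decode("utf-16-le" if unicode else "cp1252"), pos + count * width


def parse_lnk(buf):
    """Return target (from LinkInfo), name, relative path, working dir and arguments."""
    if len(buf) < 0x4C or struct.unpack_from("<I", buf, 0)[0] != 0x4C or buf[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", buf, 0x14)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize + IDList, skipped, not decoded
        pos += 2 + struct.unpack_from("<H", buf, pos)[0]
    target = None
    if flags & HAS_LINK_INFO:
        size, _hdr, info_flags, _vol_off, base_off = struct.unpack_from("<IIIII", buf, pos)
        if info_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            start = pos + base_off  # LocalBasePath: null-terminated ANSI string
            target = buf[start:buf.index(b"\x00", start)].decode("cp1252")
        pos += size
    out = {"target": target}
    unicode = bool(flags & IS_UNICODE)
    for flag, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments")):
        out[key], pos = _string_data(buf, pos, unicode) if flags & flag else (None, pos)
    return out


def assess_startup_lnk(parsed):
    """Reasons a Startup-folder shortcut matches the reported persistence pattern."""
    target = (parsed["target"] or parsed["relative_path"] or "").lower()
    args = (parsed["arguments"] or "").lower()
    reasons = []
    if target.endswith("\\rundll32.exe"):
        reasons.append("target is rundll32.exe")
    if "\\appdata\\roaming\\" in args and ".dll" in args:
        reasons.append("argument is a DLL under the Roaming profile")
    return reasons


def scan_startup_folder(folder=None):
    """Assess every .lnk in the current user's Startup folder (empty off Windows)."""
    folder = folder or os.path.join(os.environ.get("APPDATA", ""),
                                    r"Microsoft\Windows\Start Menu\Programs\Startup")
    results = {}
    if not os.path.isdir(folder):
        return results
    for name in os.listdir(folder):
        if name.lower().endswith(".lnk"):
            with open(os.path.join(folder, name), "rb") as fh:
                results[name] = assess_startup_lnk(parse_lnk(fh.read()))
    return results


def build_lnk(local_base_path, arguments):
    """Construct a minimal .lnk: header, LinkInfo (VolumeID + LocalBasePath), arguments."""
    label = b"OS\x00"  # assumed volume label
    volume_id = struct.pack("<IIII", 16 + len(label), 3, 0x1234ABCD, 16) + label
    base = local_base_path.encode("cp1252") + b"\x00"
    hdr = 0x1C  # LinkInfoHeaderSize without the optional unicode offsets
    vol_off, base_off = hdr, hdr + len(volume_id)
    suffix_off = base_off + len(base)  # CommonPathSuffix is the empty string
    size = suffix_off + 1
    link_info = struct.pack("<IIIIIII", size, hdr, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            vol_off, base_off, 0, suffix_off) + volume_id + base + b"\x00"
    header = struct.pack("<I16sIIQQQIiIH2s4s4s", 0x4C, LINK_CLSID,
                         HAS_LINK_INFO | HAS_ARGUMENTS | IS_UNICODE, 0x20,
                         0, 0, 0, 0, 0, 1, 0, b"\0\0", b"\0" * 4, b"\0" * 4)
    return header + link_info + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")


# Constructed shortcut mirroring the reported Startup-folder persistence.
SAMPLE_LNK = build_lnk(r"C:\Windows\System32\rundll32.exe",
                       r'"C:\Users\ivan\AppData\Roaming\adobe.dll",Start')

if __name__ == "__main__":
    print(parse_lnk(SAMPLE_LNK))
    print(assess_startup_lnk(parse_lnk(SAMPLE_LNK)))
```

On a Windows host, scan_startup_folder() with no argument reads the current user's Startup folder. The parser skips the LinkTargetIDList instead of decoding it, so a shortcut whose only target lives in the IDList comes back with target set to None and should be triaged with a full parser; it also checks the relative path as a fallback, since a shortcut can carry its target there as well.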

Attribution clue and assessment

Seqrite noted a possible targeting signal toward the automotive industry: one of the domains associated with the campaign, carprlce[.]ru, appears to impersonate the legitimate site carprice[.]ru, with the letter "i" swapped for a lowercase "l". Domain-name similarity is not definitive proof, but it is contextual evidence that the threat actor may be focusing on auto-sector victims.