
CAPI Backdoor: New .NET Malware Targets Windows Systems in Russian Automotive and E-Commerce Sectors via Phishing ZIP Files

  • Rescana
  • Oct 19
  • 5 min read

Executive Summary

A newly discovered .NET-based backdoor, known as CAPI Backdoor, is actively targeting Russian automobile and e-commerce organizations through a sophisticated phishing campaign. The attack leverages ZIP archives delivered via email, containing a malicious Windows shortcut (LNK) and a decoy Russian-language document. Upon execution, the LNK file deploys a .NET stealer and backdoor, enabling credential theft, system reconnaissance, and persistent remote access. The campaign demonstrates advanced evasion tactics, including anti-analysis checks and the use of legitimate Windows binaries, and is notable for its precise targeting of Russian entities through domain impersonation and culturally relevant lures. This advisory provides a comprehensive technical breakdown, observed tactics, and actionable mitigation strategies to help organizations defend against this evolving threat.

Threat Actor Profile

The operators behind the CAPI Backdoor campaign have not been definitively attributed to any known advanced persistent threat (APT) group. However, the campaign exhibits hallmarks of a regionally focused, well-resourced threat actor. The use of Russian-language phishing lures, domain impersonation of prominent Russian automotive brands (such as the fake carprlce[.]ru domain mimicking carprice[.]ru), and the targeting of sectors critical to the Russian economy suggest a deliberate and strategic approach. The attackers demonstrate operational security awareness, leveraging anti-analysis techniques and living-off-the-land binaries to evade detection. While the campaign’s sophistication is notable, the lack of public attribution leaves open the possibility of both state-sponsored and highly organized cybercriminal involvement.

Technical Analysis of Malware/TTPs

The infection chain begins with a phishing email containing a ZIP archive. This archive includes a decoy document, typically themed around Russian payroll or tax notifications, and a Windows shortcut (LNK) file named identically to the ZIP. When the LNK file is executed, it invokes rundll32.exe, a legitimate Windows utility, to load a malicious .NET DLL named adobe.dll from the user’s Roaming directory. This technique, known as living-off-the-land, allows the malware to blend in with normal system activity and bypass many endpoint security controls.

Upon execution, CAPI Backdoor performs a series of privilege checks to determine if it is running with administrative rights. It then enumerates installed antivirus products to tailor its behavior and avoid detection. The malware opens the decoy document to distract the user while it establishes persistence and initiates command-and-control (C2) communications with the hardcoded IP address 91.223.75[.]96.

The backdoor’s capabilities are extensive. It harvests credentials and autofill data from popular browsers including Google Chrome, Microsoft Edge, and Mozilla Firefox. It captures screenshots, collects detailed system information, and enumerates the contents of user folders. All exfiltrated data is transmitted to the remote C2 server. To ensure ongoing access, the malware creates a scheduled task and drops a LNK file in the Windows Startup folder, guaranteeing execution upon system reboot.

Anti-analysis features are embedded throughout the malware. It checks for the presence of virtual machines and sandbox environments, terminating its activity if such conditions are detected. This significantly complicates efforts by security researchers and automated analysis platforms to dissect the malware.

The campaign’s tactics, techniques, and procedures (TTPs) align with several MITRE ATT&CK techniques, including phishing with malicious attachments (T1566.001), user execution via LNK files (T1204.002), DLL side-loading (T1574.002), persistence via scheduled tasks (T1053.005) and startup folder (T1547.001), credential access from browsers (T1555.003), and exfiltration over C2 channels (T1041). The use of rundll32.exe for DLL execution (T1218.011) and virtualization/sandbox evasion (T1497) further underscores the campaign’s technical sophistication.

Exploitation in the Wild

The CAPI Backdoor campaign has been observed in active exploitation, with initial samples uploaded to VirusTotal on October 3, 2025. The phishing emails are highly targeted, leveraging Russian-language content and themes relevant to payroll and tax recalculation, increasing the likelihood of user interaction. The ZIP archives and LNK files are named to mimic legitimate business communications, such as "Перерасчет заработной платы 01.10.2025" (Payroll Recalculation 01.10.2025).

The campaign’s infrastructure includes the impersonation of well-known Russian automotive domains, specifically carprlce[.]ru, which closely resembles the legitimate carprice[.]ru. This domain is used to lend credibility to the phishing emails and potentially to host additional malicious payloads or collect exfiltrated data.

No evidence currently links the campaign to a specific software vulnerability or CVE. Instead, the attack relies on social engineering and user execution, making it broadly effective against any Windows system capable of running .NET DLLs via rundll32.exe. The campaign’s focus on Russian organizations, combined with its technical complexity, suggests a high degree of planning and reconnaissance.

Victimology and Targeting

The primary victims of the CAPI Backdoor campaign are organizations within the Russian automobile and e-commerce sectors. The targeting is highly selective, with phishing lures crafted in Russian and referencing local business processes such as payroll and tax notifications. The use of domain impersonation further narrows the focus to entities familiar with the legitimate brands being mimicked.

The attack does not exploit a specific software vulnerability, but rather leverages user behavior and trust in familiar business communications. Any Windows system, including Windows 7, 8, 10, 11, and Windows Server editions, is susceptible if users interact with the malicious ZIP and LNK files. The malware’s ability to steal browser credentials and system information poses a significant risk to both organizational data and individual user privacy.

The campaign’s operational security, including anti-analysis measures and the use of legitimate system binaries, indicates a threat actor with a strong understanding of both technical and human factors in cyber defense. The lack of public attribution and the campaign’s regional focus suggest ongoing risk to Russian organizations, with potential for expansion to other sectors or geographies.

Mitigation and Countermeasures

Organizations are advised to implement a multi-layered defense strategy to mitigate the risk posed by the CAPI Backdoor campaign. Network administrators should immediately block outbound connections to 91.223.75[.]96 and monitor for any traffic to suspicious Russian-registered domains such as carprlce[.]ru. Endpoint security teams should search for the presence of adobe.dll in user Roaming directories and scrutinize LNK files in Startup folders, particularly those with Russian payroll-related names.

Scheduled tasks should be audited for entries referencing DLLs in user directories, as these may indicate persistence mechanisms established by the malware. Security awareness training is critical; users must be educated on the dangers of opening ZIP attachments and LNK files, especially those referencing payroll or tax topics in Russian. Enhanced monitoring for the execution of rundll32.exe with unusual DLL arguments can help detect and prevent malicious activity.
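As an added example (not code from this advisory or from Seqrite's research), the following Python triages command lines taken from process-creation events, scheduled-task actions, or Startup-folder LNK targets for the rundll32.exe pattern described above: a DLL loaded from a user-writable profile directory or a file name matching the reported IoC. The sample command lines and the user name `ivan` are constructed.

```python
import re

# Sysmon Event ID 1 and Security 4688 events both carry the full command line,
# and a scheduled task's action or a Startup LNK target has the same shape.
RUNDLL32_RE = re.compile(
    r'^\s*"?(?:[a-z]:\\[^"\s]*\\)?rundll32(?:\.exe)?"?\s+'  # rundll32, bare or full path
    r'(?:"(?P<quoted>[^"]+)"|(?P<bare>[^\s,]+))',           # DLL argument, quoted or not
    re.IGNORECASE,
)
# Profile locations a standard user can write to; the campaign loads adobe.dll from Roaming.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")
IOC_DLL_NAMES = {"adobe.dll"}  # file name reported for this campaign

def rundll32_target(cmdline):
    """Return the DLL rundll32 is asked to load, or None if this is not a rundll32 command line."""
    m = RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    dll = m.group("quoted") or m.group("bare")
    return dll.split(",", 1)[0].strip()  # drop a ",EntryPoint" suffix that sits inside the quotes

def assess(cmdline):
    """Classify one command line as ('ignore'|'benign'|'suspicious', dll, reasons)."""
    dll = rundll32_target(cmdline)
    if dll is None:
        return ("ignore", None, [])
    low = dll.lower()
    reasons = []
    if low.rsplit("\\", 1)[-1] in IOC_DLL_NAMES:
        reasons.append("DLL name matches the campaign IoC")
    if any(marker in low for marker in USER_WRITABLE):
        reasons.append("DLL loaded from a user-writable profile directory")
    return ("suspicious" if reasons else "benign", dll, reasons)

# Constructed sample command lines (not from the campaign): two malicious-pattern
# invocations, two legitimate rundll32 uses and one unrelated process.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\rundll32.exe" "C:\Users\ivan\AppData\Roaming\adobe.dll",Start',
    r'rundll32.exe C:\Users\ivan\AppData\Roaming\adobe.dll,Start',
    r'C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl',
    r'rundll32.exe user32.dll,LockWorkStation',
    r'"C:\Program Files\Adobe\Acrobat.exe" C:\Users\ivan\Documents\report.pdf',
]

def hunt(cmdlines):
    """Return only the suspicious entries as (cmdline, dll, reasons)."""
    return [(c, d, r) for c in cmdlines for v, d, r in [assess(c)] if v == "suspicious"]

if __name__ == "__main__":
    for cmd, dll, reasons in hunt(SAMPLE_CMDLINES):
        print(f"SUSPICIOUS {dll}: {'; '.join(reasons)}")
```

Feed it the CommandLine field of your own process-creation telemetry or the output of a scheduled-task export; legitimate rundll32.exe invocations that load system DLLs by bare name are classified as benign.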

Organizations should ensure that endpoint protection solutions are configured to detect and block suspicious LNK and DLL activity, and that all systems are kept up to date with the latest security patches. Regular backups and incident response plans should be reviewed and tested to ensure rapid recovery in the event of compromise.

References

The following sources provide additional technical details and context for the CAPI Backdoor campaign:

The Hacker News - New .NET CAPI Backdoor Targets Russian Auto and E-Commerce Firms via Phishing ZIPs: https://thehackernews.com/2025/10/new-net-capi-backdoor-targets-russian.html

Seqrite Labs (original research): https://www.seqrite.com/

WIU Cybersecurity Center News: https://www.wiu.edu/cybersecuritycenter/cybernews.php

The Cyber Security Hub on X: https://x.com/TheCyberSecHub/status/1979514445010465087

LinkedIn Post by Kevin BK Tan: https://www.linkedin.com/posts/kevinbktan_new-net-capi-backdoor-targets-russian-auto-activity-7385307943199567872-MnyO

MITRE ATT&CK Techniques: https://attack.mitre.org/

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their supply chain. Our advanced analytics and threat intelligence capabilities empower security teams to proactively identify emerging threats and strengthen their cyber resilience. For more information about how Rescana can help your organization manage cyber risk, or for any questions regarding this advisory, please contact us at ops@rescana.com.
