Cybersecurity researchers have identified a previously undocumented .NET malware. CAPI backdoor.
According to Seqrite Labs, the attack chain includes distributing phishing emails with ZIP archives as a method of causing infection. The cybersecurity firm’s analysis is based on a ZIP artifact uploaded to the VirusTotal platform on October 3, 2025.
The archive contains decoy Russian language documents and Windows shortcut (LNK) files disguised as notifications related to the Income Tax Act.
The LNK file with the same name as the ZIP archive (i.e. “Перерасчет заработной платы 01.10.2025”) runs a .NET implant (“adobe.dll”) using the genuine Microsoft binary (LotL) technique called “rundll32.exe”. Known to be employed by threat actors.
According to Seqrite, the backdoor has the ability to check if it is running with administrator-level privileges, collect a list of installed antivirus products, and open a decoy document as a ruse, while secretly connecting to a remote server (91.223.75(.)96) to receive further commands for execution.
This command allows CAPI backdoors to steal data from web browsers such as Google Chrome, Microsoft Edge, and Mozilla Firefox. Take a screenshot. Collect system information. Enumerate the contents of a folder. It then extracts the results and sends them back to the server.
It also tries to perform a long list of checks to determine whether it is a legitimate host or a virtual machine. It also uses two methods to establish persistence. This includes configuring scheduled tasks and creating an LNK file in the Windows Startup folder to automatically launch backdoor DLLs that are copied to the Windows Roaming folder.
Seqrite’s assessment that this actor is targeting the Russian automotive sector is due to the fact that one of the domains linked to the campaign is named carprlce(.)ru, which appears to be masquerading as the legitimate “carprice(.)ru”.
“The malicious payload is a .NET DLL that acts as a stealer and establishes persistence against future malicious activity,” researchers Priya Patel and Subhajeet Singha said.
