Concise Cyber

CAPI Backdoor: New .NET Malware Targets Russian Auto and E-commerce Firms

New .NET Malware Campaign Identified

Cybersecurity researchers have uncovered a new campaign targeting the Russian automobile and e-commerce sectors. The operation utilizes a previously undocumented .NET malware strain that has been named CAPI Backdoor. According to an analysis by Seqrite Labs, the threat actors initiate the attack by distributing phishing emails containing malicious ZIP archives designed to compromise target systems. The research is based on a specific ZIP artifact that was uploaded to the VirusTotal platform on October 3, 2025, providing a clear basis for the investigation into the malware’s delivery and execution methods.

The attack chain is engineered to deceive recipients into executing the malware. The malicious ZIP archive contains two primary components. The first is a decoy document written in Russian that masquerades as an official notification concerning income tax legislation and serves as the social engineering lure. The second, and more critical, component is a Windows shortcut (LNK) file. This file shares the same name as the ZIP archive, “Перерасчет заработной платы 01.10.2025,” which translates to “Salary recalculation 01.10.2025.”

Execution via Living-off-the-Land Technique

The core of the infection process relies on the malicious LNK file. When a user clicks on this shortcut, it triggers the execution of the .NET implant, which is a file named “adobe.dll”. The threat actors do not use a custom loader but instead employ a legitimate Microsoft binary, “rundll32.exe”, to run the malicious DLL. This specific method is a well-known living-off-the-land (LotL) technique. By using a trusted, native Windows process to execute their code, attackers can often evade detection by security software that might otherwise flag a suspicious or unknown executable. This approach demonstrates a calculated effort by the operators to remain stealthy while deploying the CAPI Backdoor on compromised networks.
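The detection angle on the rundll32.exe technique described above is the command line: rundll32 takes the DLL to load as its first argument, so a process-creation event in which that argument is a fully qualified path outside the Windows and Program Files directories, launched from explorer.exe, is the shape a double-clicked shortcut in an extracted archive produces. The following Python is an added example, not code from Seqrite Labs or the article; it parses the `dll,entry` argument out of constructed Sysmon-like process events (the field names `Image`, `ParentImage`, `CommandLine` and the sample paths and export name are assumptions, not indicators from the campaign) and reports which events match that pattern while leaving common benign rundll32 invocations alone.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed process-creation events in a simplified Sysmon-like shape
# (field names are an assumption; the data is not from the reported campaign).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # Shortcut double-clicked inside an extracted archive: explorer.exe starts
        # rundll32.exe on a DLL under the user profile. Path and export are constructed.
        "Image": r"C:\Windows\System32\rundll32.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'rundll32.exe "C:\Users\user\Downloads\Перерасчет заработной платы 01.10.2025\adobe.dll",Start',
    },
    {   # Benign: Control Panel applet via a bare system DLL name.
        "Image": r"C:\Windows\System32\rundll32.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl",
    },
    {   # Benign: printer UI helper with a fully qualified system path.
        "Image": r"C:\Windows\System32\rundll32.exe",
        "ParentImage": r"C:\Windows\System32\spoolsv.exe",
        "CommandLine": r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\printui.dll,PrintUIEntry /in /n \\srv\prn',
    },
    {   # Not rundll32 at all; must be ignored.
        "Image": r"C:\Program Files\Adobe\Acrobat\Acrobat.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Program Files\Adobe\Acrobat\Acrobat.exe" report.pdf',
    },
]

# Directories from which a fully qualified DLL argument is considered expected.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# One command-line token: a run of non-whitespace in which double-quoted segments
# may contain spaces (so "C:\path with spaces\x.dll",Entry stays one token).
TOKEN_RE = re.compile(r'(?:"[^"]*"|\S)+')


@dataclass
class Finding:
    dll_path: str
    entry_point: Optional[str]
    reasons: List[str] = field(default_factory=list)


def normalize(path: str) -> str:
    """Lower-case and use backslashes so prefix checks are case/separator agnostic."""
    return path.strip().replace("/", "\\").lower()


def parse_rundll32_target(cmdline: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (dll, entry_point) from 'rundll32.exe <dll>,<entry> [args]', or None."""
    tokens = [t.replace('"', "") for t in TOKEN_RE.findall(cmdline)]
    if len(tokens) < 2:
        return None
    launcher = normalize(tokens[0]).rsplit("\\", 1)[-1]
    if launcher not in ("rundll32.exe", "rundll32"):
        return None
    dll, sep, entry = tokens[1].rpartition(",")
    if not sep:  # no entry point given; rundll32 still receives the DLL name
        return tokens[1], None
    return dll, entry or None


def analyze_event(event: Dict[str, str]) -> Optional[Finding]:
    """Flag rundll32 loading a fully qualified DLL from outside trusted roots."""
    image = normalize(event.get("Image", ""))
    if image.rsplit("\\", 1)[-1] != "rundll32.exe":
        return None
    parsed = parse_rundll32_target(event.get("CommandLine", ""))
    if parsed is None:
        return None
    dll, entry = parsed
    dll_n = normalize(dll)
    # A bare name (shell32.dll) resolves via the normal search order and is left to
    # other rules; only an explicit path outside trusted roots is flagged here.
    if "\\" not in dll_n or dll_n.startswith(TRUSTED_ROOTS):
        return None
    finding = Finding(dll, entry, ["DLL path is outside trusted system/program directories"])
    if dll_n.startswith("c:\\users\\"):
        finding.reasons.append("DLL resides in a user profile (writable by the user)")
    parent = normalize(event.get("ParentImage", "")).rsplit("\\", 1)[-1]
    if parent == "explorer.exe":
        finding.reasons.append("parent is explorer.exe, consistent with a double-clicked shortcut")
    return finding


def detect(events: List[Dict[str, str]]) -> List[Finding]:
    """Run the check over a batch of events and return only the matches."""
    return [f for f in (analyze_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f.dll_path, f.entry_point, "; ".join(f.reasons), sep=" | ")
```

The rule deliberately keys on the DLL path rather than on the file name: a trusted process loading a DLL from a user-writable directory is the property that survives renaming of the payload, whereas matching on “adobe.dll” would not. The explorer.exe parent is recorded as supporting context, not as a condition, because the same technique can be launched from other parents.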

Source: https://thehackernews.com/2025/10/new-net-capi-backdoor-targets-russian.html