Infection Chain | Image: SEQRITE Labs Research Team
Researchers at SEQRITE Labs have uncovered a targeted spear-phishing campaign aimed at organizations in Russia’s automobile and e-commerce industries. The operation, active since early October 2025, deploys a previously undocumented .NET-based backdoor dubbed CAPI, designed for credential theft, system reconnaissance, and persistent access. The attack chain uses tax-related decoy documents to lure employees and executes the payload through rundll32.exe, a legitimate Windows binary, to evade detection.
The infection begins with a malicious ZIP archive named Перерасчет заработной платы 01.10.2025 — which translates to Payroll Recalculation as of October 1, 2025. Inside the ZIP, analysts found both LNK and PDF files, a common spear-phishing tactic to disguise executable payloads as legitimate business documents.
“The ZIP file contained a malicious LNK named Перерасчет заработной платы 01.10.2025.lnk… responsible for execution of the malicious .NET implant using the LOLBIN known as rundll32.exe.”
Once executed, the LNK launches the DLL implant via rundll32.exe, establishing an encrypted connection to the attacker’s command-and-control (C2) infrastructure hosted on TCP port 443.
The spear-phishing attachment included decoy documents mimicking official Russian tax notifications. The main file, Уведомление для налоговой №P4353.pdf (Notification for the Tax Office No. P4353), outlines purported tax changes beginning October 1, 2025.
After infection, the adobe.dll (also referred to as client6.dll) implant is executed, revealing a robust set of functions for system surveillance, credential harvesting, and persistence.
“Upon analyzing the binary, we found multiple interesting functionalities present inside the .NET implant known as CAPI.”
Key capabilities include:
- Privilege Verification: The IsAdmin function checks whether the binary has administrator-level privileges using the Security Identifier.
- Antivirus Enumeration: The av function checks all installed antivirus software using the query SELECT * FROM AntiVirusProduct via WMI and returns the list to the C2 server.
- Credential Theft: Three dedicated functions — dmp1, dmp2, and dmp3 — systematically collect Edge, Chrome, and Firefox data, including bookmarks, cookies, encrypted keys, and browsing history. Each browser's data is stored in a compressed ZIP archive (edprofile.zip, chprofile_safe.zip, ffprofile_safe.zip) and then sent to the C2 server.
- Screenshot Capture: The screen function takes a screenshot of the current user’s screen and marks the date and time before sending it to the C2 server.
CAPI includes an extensive anti-analysis module designed to detect whether it is running inside a virtual machine (VM) — a common environment for malware analysis.
The function IsLikelyVm uses different checks such as hypervisor presence, registry paths, BIOS strings, disk vendors, and MAC address prefixes associated with virtual machines.
Checks include:
- Hypervisor detection via Win32_ComputerSystem
- Registry inspection for VM-related keys
- BIOS and Plug-and-Play device markers
- GPU and Disk vendor validation
- OEM manufacturer verification (e.g., DELL, HP, LENOVO)
This comprehensive detection logic allows the malware to terminate itself in analysis environments, reducing exposure to security researchers.
To ensure long-term presence, CAPI employs two persistence mechanisms:
- Startup LNK creation: The persist1 function copies the implant to the Microsoft folder under the user’s roaming AppData and creates a Microsoft.lnk in the Startup folder pointing to rundll32.exe.
- Scheduled Task registration: The persist2 function builds a new task definition named AdobePDF, configured to trigger one hour after creation and repeat every hour for seven days.
These overlapping methods guarantee re-execution even if the initial malware file is deleted or quarantined.
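A hunting script for the two persistence artifacts described above, written as an added example here and not taken from the SEQRITE report. It assumes Windows 8 / Server 2012 or later (for the ScheduledTasks module) and an elevated session; the dropped file names adobe.dll and client6.dll are taken from the implant names in the article, since the report excerpt does not state the exact copied file name.

```powershell
# Hunt for CAPI persistence: Startup Microsoft.lnk -> rundll32.exe (persist1),
# the AdobePDF scheduled task (persist2), and the implant copy under
# %APPDATA%\Microsoft. Example code, not the report's own tooling.

function Find-CapiStartupLnk {
    # persist1: Microsoft.lnk in each user's Startup folder whose target is rundll32.exe
    $results = @()
    $shell = New-Object -ComObject WScript.Shell
    foreach ($profile in Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
        $lnk = Join-Path $profile.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.lnk'
        if (-not (Test-Path $lnk)) { continue }
        $sc = $shell.CreateShortcut($lnk)
        if ($sc.TargetPath -match 'rundll32\.exe$') {
            $results += [pscustomobject]@{
                User = $profile.Name; Path = $lnk
                Target = $sc.TargetPath; Arguments = $sc.Arguments   # arguments name the DLL
            }
        }
    }
    return $results
}

function Find-CapiScheduledTask {
    # persist2: task named AdobePDF; the report describes an hourly repeat for seven days
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskName -eq 'AdobePDF' } |
        ForEach-Object {
            [pscustomobject]@{
                TaskName = $_.TaskName
                TaskPath = $_.TaskPath
                Action   = ($_.Actions  | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
                Interval = ($_.Triggers | ForEach-Object { $_.Repetition.Interval }) -join ','   # expect PT1H
                Duration = ($_.Triggers | ForEach-Object { $_.Repetition.Duration }) -join ','   # expect P7D
            }
        }
}

function Find-CapiDroppedDll {
    # Implant copy in the roaming AppData Microsoft folder (file names assumed from the article)
    foreach ($profile in Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
        $dir = Join-Path $profile.FullName 'AppData\Roaming\Microsoft'
        Get-ChildItem $dir -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -in @('adobe.dll', 'client6.dll') } |
            Select-Object FullName, Length, LastWriteTime
    }
}

$hits = @(Find-CapiStartupLnk) + @(Find-CapiScheduledTask) + @(Find-CapiDroppedDll)
if ($hits.Count -eq 0) { 'No CAPI persistence artifacts found.' } else { $hits | Format-List }
```

Because the task repeats every hour, a hit from Find-CapiScheduledTask should be removed with Unregister-ScheduledTask before the DLL is deleted, or the next trigger will re-launch it if a copy remains.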
SEQRITE’s network analysis identified two separate infrastructures linked to CAPI operations:
- One domain generated dynamically through a Domain Generation Algorithm (DGA)
- Another hosted under ASN 39087 (P.a.k.t LLC) used for data exfiltration
The malicious infrastructure was initially hosted under ASN 197695 (AS-REG), later shifting to ASN 39087 under P.a.k.t LLC as the implant began exfiltrating stolen information.
The transition between these networks indicates deliberate infrastructure rotation, a hallmark of professional threat operations designed to sustain campaigns under scrutiny.