New .NET “CAPI Backdoor” Targets Russian Auto & E-Commerce via Phishing ZIPs

NEWS

Introduction: what is “CAPI Backdoor”?

Researchers have documented a previously unknown .NET backdoor dubbed “CAPI Backdoor” used in a campaign that likely targets Russian automotive and e-commerce organizations. The intrusion starts with phishing emails carrying a ZIP archive; inside, a malicious LNK launches a .NET DLL via the signed Windows binary rundll32.exe (a classic living-off-the-land technique) to blend in with legitimate activity. The malware focuses on credential and data theft, host profiling, screen capture, and persistence.

In brief

  • Initial access: spear-phishing ZIP with a Russian-language lure themed around income-tax changes; archive name: “Перерасчёт заработной платы 01.10.2025” (Payroll recalculation). The ZIP was first seen on October 3, 2025 (VirusTotal submission).
  • Execution: LNK runs adobe.dll / client6.dll through rundll32.exe (ATT&CK T1218.011).
  • Capabilities: browser data theft (Chrome/Edge/Firefox), screenshots, system reconnaissance, AV enumeration, VM/analysis checks, C2 tasking.
  • Persistence: Startup-folder LNK + Scheduled Task repeating hourly.
  • Infrastructure / IOCs: domain carprlce[.]ru (look-alike of carprice[.]ru) and C2 IP 91.223.75[.]96.
  • Attribution: no actor attribution yet; targeting hints at Russian-language industries.

Context / history / connections

Using signed, Microsoft-shipped binaries to proxy execution (ATT&CK T1218, now named System Binary Proxy Execution; it was called Signed Binary Proxy Execution until 2022) is a well-established adversary tactic because the host binary is already trusted by allow-lists and reputation engines, so only the loaded payload and the command line distinguish abuse from normal use. rundll32.exe is one of the most abused of these binaries for DLL execution and masquerading; Red Canary and MITRE ATT&CK both document it as a common technique (T1218.011).

Likewise, spear-phishing attachments (T1566.001) remain a top initial access vector across sectors; the campaign’s ZIP-with-LNK delivery fits well within that pattern.

Technical analysis / details of the backdoor

Delivery chain.

  • ZIP → LNK (same filename as the archive) → rundll32.exe invoking an export of the .NET DLL (reported as config). Because rundll32.exe resolves the named function through the DLL's export table, the managed assembly must carry an unmanaged export called config; the report does not say how it was produced. The lure opens a PDF decoy to reduce suspicion while the implant initializes.

Core functions.

  • Privilege check (IsAdmin) and AV product enumeration via WMI (SELECT * FROM AntiVirusProduct, a class that lives in the root\SecurityCenter2 namespace on client Windows; it is absent on Server SKUs, so an empty result does not prove there is no AV).
  • C2 channel over TCP/443 to 91.223.75[.]96 with a command loop that can exfiltrate data, execute tasks, list folders, and disconnect.
  • Data theft routines (dmp1/2/3) harvest Edge (Local State, encrypted keys), Chrome (Bookmarks, History, Favicons, etc.) and Firefox (profiles, extensions, caches), packaging them into ZIPs (edprofile.zip, chprofile_safe.zip, ffprofile_safe.zip).
  • Screen capture with timestamp overlay.
  • VM/analysis evasion: checks hypervisor presence, SMBIOS, PnP devices, video/drive vendors, MAC OUI for VM vendors, GPU presence, battery/chassis, OEM strings (e.g., DELL/HP/LENOVO).
  • Persistence:
    • Startup LNK pointing rundll32.exe at the copied DLL under %APPDATA%\Microsoft\ (the per-user Roaming profile directory, a user-writable path that needs no elevation).
    • Scheduled Task named AdobePDF: first run +1 hour, then hourly for seven days, launching rundll32.exe with the implant path.

Why rundll32.exe matters here.
Abusing rundll32.exe helps attackers blend with normal OS behavior and bypass some controls; it is cataloged by the LOLBAS project and by ATT&CK T1218.011. Because legitimate rundll32.exe launches are constant on any Windows host, the binary name on its own is a weak signal. Detections should pivot on what is unusual in this chain: the parent (explorer.exe launching from a freshly extracted LNK), the command line (a DLL in a user-writable path followed by a bare export name), and the child behavior (outbound TCP/443, screen-capture and WMI activity) rather than on the binary alone.

Practical consequences / risks

  • Account takeover & session hijacking from stolen browser data (logins, cookies, tokens).
  • Business email compromise, store/admin panel abuse, and payment fraud for e-commerce operators.
  • Operational disruption if scheduled tasks and startup artifacts enable re-entry after cleanup.
  • Reduced detectability due to LotL tradecraft and common binaries.

Operational recommendations / what to do next

Immediate hunting (query & triage ideas)

  • Look for rundll32.exe with command lines loading non-system DLLs from user profiles / Roaming\Microsoft or paths containing adobe.dll / client6.dll. Correlate with network egress to 91.223.75[.]96 or requests involving carprlce[.]ru.
  • Search for Startup folder LNKs pointing to rundll32.exe and a non-system DLL; enumerate Scheduled Tasks named AdobePDF or tasks created recently that execute rundll32.exe.
  • Examine ZIP attachments matching “Перерасчёт заработной платы 01.10.2025” and LNK execution events following email delivery. Map findings to ATT&CK T1566.001 and T1218.011 for reporting.
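The hunting ideas above, expressed as runnable detection logic. This is an added example, not code from the Seqrite or The Hacker News write-ups and not the malware's own code: it applies the rundll32.exe, C2, look-alike-domain and scheduled-task checks to a handful of constructed events whose field names follow the Sysmon schema (Event ID 1 process creation, 3 network connection, 22 DNS query) and Windows Security event 4698 (scheduled task created). The user name ivan, the event contents and the "user-writable path" regex are assumptions made for the example; the IOC values are the ones listed on this page.

```python
"""Hunting logic for the CAPI Backdoor delivery/persistence chain, run over a
few constructed sample events.  Record shapes follow Sysmon Event ID 1 (process
creation), 3 (network connection), 22 (DNS query) and Windows Security 4698
(scheduled task created); the events below are constructed, not real telemetry."""
import re

# Indicators reported in the vendor analysis.
IOC_IPS = {"91.223.75.96"}
IOC_DOMAINS = {"carprlce.ru"}
IOC_DLLS = {"adobe.dll", "client6.dll"}
IOC_TASKS = {"adobepdf"}

# User-writable locations a DLL handed to rundll32.exe should rarely come from
# (assumed list; extend with whatever your environment considers untrusted).
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\"
    r"|\\programdata\\|\\temp\\", re.I)
# First *.dll token on the command line, quoted or bare ("path.dll,export" form).
DLL_ARG = re.compile(r'"([^"]+\.dll)"|(\S+\.dll)', re.I)


def rundll32_dll(cmdline):
    """Return the DLL path rundll32.exe was asked to load, or None."""
    m = DLL_ARG.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def is_rundll32(ev):
    return ev.get("Image", "").lower().endswith("\\rundll32.exe")


def check_process(ev):
    """Sysmon EID 1: rundll32.exe loading a DLL from a user-writable path."""
    hits = []
    if not is_rundll32(ev):
        return hits
    dll = rundll32_dll(ev.get("CommandLine", ""))
    if not dll:
        return hits
    if dll.rsplit("\\", 1)[-1].lower() in IOC_DLLS:
        hits.append(("ioc_dll_name", dll))
    if USER_WRITABLE.search(dll):
        hits.append(("rundll32_userland_dll", dll))
    return hits


def check_network(ev):
    """Sysmon EID 3: rundll32.exe reaching the C2 IP.  Other egress is noted at
    lower confidence, because rundll32.exe rarely needs its own TCP sessions."""
    hits = []
    if not is_rundll32(ev):
        return hits
    ip = ev.get("DestinationIp", "")
    if ip in IOC_IPS:
        hits.append(("c2_ioc_ip", ip))
    elif not ip.startswith(("10.", "192.168.", "127.")):  # crude "external" test
        hits.append(("rundll32_egress", f"{ip}:{ev.get('DestinationPort')}"))
    return hits


def check_dns(ev):
    """Sysmon EID 22: lookup of the look-alike domain from any process."""
    name = ev.get("QueryName", "").lower().rstrip(".")
    return [("ioc_domain", name)] if name in IOC_DOMAINS else []


def check_task(ev):
    """Security 4698: task named AdobePDF, or any task that runs rundll32.exe
    against a DLL in a user-writable directory."""
    hits = []
    name = ev.get("TaskName", "").lstrip("\\").lower()
    content = ev.get("TaskContent", "")
    if name in IOC_TASKS:
        hits.append(("ioc_task_name", name))
    if "rundll32" in content.lower() and USER_WRITABLE.search(content):
        hits.append(("task_rundll32_userland", name))
    return hits


CHECKS = {1: check_process, 3: check_network, 22: check_dns, 4698: check_task}


def hunt(events):
    """Run every check over the events; return (rule, detail) pairs in order."""
    out = []
    for ev in events:
        out.extend(CHECKS.get(ev.get("EventID"), lambda e: [])(ev))
    return out


# Constructed sample telemetry: one benign rundll32 launch, then the chain
# described above (user-path DLL, C2 connection, look-alike DNS, hourly task).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL'},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" "C:\Users\ivan\AppData\Roaming\Microsoft\adobe.dll",config'},
    {"EventID": 3, "Image": r"C:\Windows\System32\rundll32.exe",
     "DestinationIp": "91.223.75.96", "DestinationPort": 443},
    {"EventID": 22, "Image": r"C:\Windows\System32\rundll32.exe",
     "QueryName": "carprlce.ru"},
    {"EventID": 4698, "TaskName": r"\AdobePDF",
     "TaskContent": r"<Exec><Command>rundll32.exe</Command>"
                    r"<Arguments>C:\Users\ivan\AppData\Roaming\Microsoft\client6.dll,config</Arguments></Exec>"},
]

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule:24s} {detail}")
```

The benign shell32.dll launch produces no finding, which is the point: the rules key on where the DLL lives and what rundll32.exe does afterwards, not on the binary name. The rundll32_egress rule is deliberately lower confidence and will need tuning against your own baseline before it is promoted to an alert.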

Mitigation & hardening

  • Email security: block ZIP/LNK combo attachments to high-risk groups; enforce MFA and conditional access to limit damage from session theft.
  • Application control: restrict the DLL load origins rundll32.exe may use (WDAC or AppLocker DLL rules, which need audit-mode testing before enforcement) and block or alert on rundll32.exe outbound connections. Some legitimate rundll32.exe invocations do reach the network, so tune the alert to non-Microsoft destinations or to DLLs outside System32 before treating it as high fidelity. Use LOLBAS-informed detections.
  • EDR detections: create rules for rundll32.exe spawning, screen capture API usage, and WMI AntiVirusProduct queries by untrusted processes.
  • Browser secrets protection: prefer browser isolation, password managers with hardware-backed keys, and device-bound session mechanisms where available. Keep Chromium-based browsers current: recent Chrome builds on Windows protect cookies with app-bound encryption, which defeats a plain copy of Local State plus its DPAPI-protected key from a standard user context, although it does not protect bookmarks, history or Firefox profiles.
  • IR playbook: if indicators found, isolate host, collect full process tree, scheduled tasks, startup items, browser profile directories, and netflow; rotate credentials/tokens.

Key IOCs (from vendor analysis)

  • Domain: carprlce[.]ru
  • IP: 91.223.75[.]96
  • Hashes: adobe.dll MD5 c0adfd84dfae8880ff6fd30748150d32; LNK MD5 957b34952d92510e95df02e3600b8b21; ZIP MD5 c6a6fcec59e1eaf1ea3f4d046ee72ffe.

Differences / comparisons with other cases

While LNK-to-DLL via rundll32 is common across many families, CAPI Backdoor’s blend of browser-profile looting, scheduled task cadence, and broad VM heuristics is specific to this campaign. It resembles generic stealer + remote tasking tradecraft rather than a heavyweight RAT, with a focus on credential/session collection typical of e-commerce targeting. The reliance on LotL for execution/persistence is consistent with widely observed attacker behavior in recent threat-detection reporting.

Summary / key takeaways

  • A new .NET backdoor (CAPI) was observed in October 2025 targeting Russian auto/e-commerce via ZIP→LNK→rundll32.
  • It steals browser data, captures screens, checks for VMs, and persists via Startup LNK and hourly scheduled tasks.
  • Defend by blocking risky attachment types, monitoring rundll32 patterns, tightening DLL execution controls, and hunting for the provided IOCs.

Sources / bibliography

  1. Seqrite Labs — Operation MotorBeacon: Threat Actor targets Russian Automotive Sector using .NET Implant (Oct 17, 2025). Primary technical source. (Seqrite)
  2. The Hacker News — New .NET CAPI Backdoor Targets Russian Auto and E-Commerce Firms via Phishing ZIPs (Oct 18, 2025). Campaign summary and context. (The Hacker News)
  3. MITRE ATT&CK — T1218.011: rundll32 (Signed Binary Proxy Execution). (MITRE ATT&CK)
  4. LOLBAS Project — rundll32.exe abuse & detections. (lolbas-project.github.io)
  5. Red Canary — Rundll32 technique overview; LotL tradecraft prevalence. (Red Canary)