New .NET CAPI Backdoor Targets Russian Auto and E-Commerce Firms via Phishing ZIPs

Cybersecurity researchers have shed light on a new campaign that has likely targeted the Russian automobile and e-commerce sectors with a previously undocumented .NET malware dubbed CAPI Backdoor.

The LNK file, which has the same name as the ZIP archive (i.e., “Перерасчет заработной платы 01.10.2025”), is responsible for the execution of the .NET implant (“adobe.dll”) using a legitimate Microsoft binary named “rundll32.exe,” a living-off-the-land (LotL) technique known to be adopted by threat actors.

The backdoor, Seqrite noted, comes with functions to check if it’s running with administrator-level privileges, gather a list of installed antivirus products, and open the decoy document as a ruse, while it stealthily connects to a remote server (“91.223.75[. ]96”) to receive further commands for execution.

It also attempts to run a long list of checks to determine if it’s a legitimate host or a virtual machine, and makes use of two methods to establish persistence, including setting up a scheduled task and creating a LNK file in the Windows Startup folder to automatically launch the backdoor DLL copied to the Windows Roaming folder.

To read the complete article see: The Hacker News .