
CAPI Backdoor phishing ZIP campaign targeting Russian automobile and e-commerce sectors

Type: Campaign
Happening score: 33
1 unique source, 1 article

Summary


A new CAPI Backdoor campaign is targeting the Russian automobile and e-commerce sectors, using phishing emails with ZIP archives to deliver a .NET implant that steals browser data and persists on the host. The lure pairs a Russian-language decoy document with a matching LNK file that launches the implant through rundll32.exe. The backdoor beacons to 91.223.75[.]96 for tasking and sends back screenshots, system information, and stolen browser data. The campaign was tied to a ZIP artifact uploaded to VirusTotal on October 3, 2025.

Related Happenings

Tropic Trooper trojanized SumatraPDF remote-access campaign

Campaign
First: 24.04.2026 12:29 Last: 24.04.2026 12:29 Sources 1

About this happening: **Tropic Trooper** is running an active **campaign** that uses a **trojanized SumatraPDF** lure to plant **AdaptixC2 Beacon** and later abuse **VS Code tunnels** for remote access...

SloppyLemming BurrowShell and Rust-based keylogger activity

Malware Activity
First: 03.03.2026 08:53 Last: 03.03.2026 08:53 Sources 1

About this happening: **SloppyLemming** deployed **BurrowShell** and a **Rust-based keylogger** through **two attack chains**, expanding its malware toolkit for **backdoor access**, **credential theft*...

Bloody Wolf / Stan Ghouls NetSupport RAT spear-phishing campaign

Campaign
First: 09.02.2026 12:58 Last: 09.02.2026 12:58 Sources 1

About this happening: The **Bloody Wolf / Stan Ghouls** operation is actively running a **spear-phishing campaign** against **Uzbekistan and Russia**, and the activity matters because it is delivering...

Multi-stage phishing campaign targeting users in Russia with Amnesia RAT and ransomware

Campaign
First: 24.01.2026 13:09 Last: 24.01.2026 13:09 Sources 1

About this happening: A **multi-stage phishing campaign** is targeting **users in Russia**, delivering **Amnesia RAT** and **ransomware** that enable **credential theft**, **remote control**, and destr...

Operation SkyCloak phishing backdoor campaign targeting Russia and Belarus defense sector

Campaign
First: 04.11.2025 12:49 Last: 04.11.2025 12:49 Sources 1

About this happening: The **Operation SkyCloak** campaign is using **phishing emails** with weaponized attachments to seed a **persistent backdoor** on likely **defense-sector** systems in **Russia and...

Timeline

  1. 18.10.2025 14:41 1 articles · 7mo ago

    CAPI Backdoor ZIP artifact appears on VirusTotal

    Detection / IoC update

    A ZIP artifact associated with the CAPI Backdoor campaign is uploaded to VirusTotal. It contains a decoy Russian-language document about income tax legislation plus a Windows shortcut named "Перерасчет заработной платы 01.10.2025" ("Salary recalculation 01.10.2025") that launches the .NET implant "adobe.dll" through the legitimate Microsoft binary "rundll32.exe".

  2. 18.10.2025 14:41 2 articles · 7mo ago

    Seqrite Labs publicly describes the CAPI Backdoor phishing campaign

    Initial Disclosure

    Seqrite Labs describes a new campaign likely targeting Russian automobile and e-commerce sectors with the previously undocumented .NET malware CAPI Backdoor. The phishing chain uses ZIP archives, a decoy Russian-language document, and a matching LNK file to launch the implant with rundll32.exe; the backdoor connects to 91.223.75[.]96, steals data from Google Chrome, Microsoft Edge, and Mozilla Firefox, takes screenshots, collects system information, enumerates folders, and establishes persistence with scheduled tasks and a Startup-folder LNK.

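As an added example (not code from this page or from Seqrite Labs), the Python script below triages the lure chain described in the summary and in the timeline entries: it parses the StringData of a Windows shortcut from MS-SHLLINK, flags a .lnk whose target is rundll32.exe with a DLL argument, and notes decoy documents and DLLs shipped in the same ZIP. The archive, the decoy bytes, the DLL placeholder, the benign "notes.lnk" control and the rundll32 export ordinal "#1" are constructed for the demonstration; the report names the shortcut and adobe.dll but not the export that rundll32 calls.

```python
"""Triage a ZIP attachment for the lure chain described above: a Windows
shortcut (.lnk) that launches rundll32.exe with a DLL, shipped beside a decoy
document.  Added example; sample data is constructed, not the real artifact."""
import io
import struct
import zipfile

# MS-SHLLINK LinkFlags bits and the fixed ShellLink CLSID.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
SW_SHOWMINNOACTIVE = 7                       # window minimised: common in malicious LNKs
DECOY_EXTENSIONS = (".doc", ".docx", ".pdf", ".rtf", ".xls", ".xlsx")


def parse_lnk(data: bytes) -> dict:
    """Return ShowCommand plus the StringData fields of a .lnk (what it runs)."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a ShellLink file")
    flags = struct.unpack_from("<I", data, 20)[0]
    fields = {"show_command": struct.unpack_from("<I", data, 60)[0]}
    off = 76
    if flags & HAS_LINK_TARGET_ID_LIST:        # skip IDList: 2-byte size + payload
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                  # skip LinkInfo: its size field counts itself
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)

    def read_string() -> str:
        nonlocal off
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        raw = data[off:off + (2 * count if unicode else count)]
        off += len(raw)
        return raw.decode("utf-16-le") if unicode else raw.decode("cp1251", "replace")

    for bit, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                     (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                     (HAS_ICON_LOCATION, "icon_location")):
        fields[key] = read_string() if flags & bit else ""
    return fields


def triage_lnk(fields: dict) -> list:
    """Findings for one parsed shortcut; an empty list means nothing matched."""
    target = fields["relative_path"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    args = fields["arguments"]
    findings = []
    if target == "rundll32.exe" and ".dll" in args.lower():
        findings.append(f"launches rundll32.exe with DLL arguments {args!r}")
    if findings and fields["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand=7 hides the rundll32 window")
    return findings


def scan_zip(zip_bytes: bytes) -> list:
    """Triage every .lnk in the archive and note decoy documents and DLLs beside it."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        decoys = [n for n in names if n.lower().endswith(DECOY_EXTENSIONS)]
        dlls = [n for n in names if n.lower().endswith(".dll")]
        for name in names:
            if not name.lower().endswith(".lnk"):
                continue
            try:
                hits = triage_lnk(parse_lnk(zf.read(name)))
            except ValueError as exc:
                hits = [f"unparseable shortcut ({exc})"]
            findings.extend(f"{name}: {h}" for h in hits)
            if hits and decoys:
                findings.append(f"{name}: shipped with decoy document(s) {decoys}")
            if hits and dlls:
                findings.append(f"{name}: DLL(s) in the same archive {dlls}")
    return findings


def build_lnk(relative_path: str, arguments: str, display_name: str = "",
              show_command: int = SW_SHOWMINNOACTIVE) -> bytes:
    """Build a minimal Unicode ShellLink carrying only the StringData used above."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_ARGUMENTS | (HAS_NAME if display_name else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)

    def enc(s: str) -> bytes:                  # CountCharacters + UTF-16LE, no terminator
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    body = (enc(display_name) if display_name else b"") + enc(relative_path) + enc(arguments)
    return header + body


def build_sample_zip() -> bytes:
    """Constructed lure archive modelled on the report (placeholder bytes, not the implant)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("income_tax_changes.docx", b"PK\x03\x04 constructed decoy")
        zf.writestr("adobe.dll", b"MZ constructed placeholder")
        zf.writestr("Перерасчет заработной платы 01.10.2025.lnk",
                    build_lnk(r"..\..\..\Windows\System32\rundll32.exe",
                              "adobe.dll,#1",   # export is assumed; the report does not name it
                              "Перерасчет заработной платы 01.10.2025"))
        zf.writestr("notes.lnk",               # benign shortcut: should produce no findings
                    build_lnk(r"..\..\..\Windows\System32\notepad.exe", "notes.txt",
                              show_command=1))
    return buf.getvalue()


if __name__ == "__main__":
    for line in scan_zip(build_sample_zip()):
        print(line)
```

The parser deliberately skips the LinkTargetIDList and LinkInfo blocks rather than interpreting them, because the launch command lives in the RELATIVE_PATH and COMMAND_LINE_ARGUMENTS strings; a real shortcut may also carry an absolute target only in LinkInfo, so for production triage extend parse_lnk to read LocalBasePath as well. The same triage_lnk check applies to shortcuts found in a user's Startup folder, which the report lists as one of the persistence locations.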