
CAPI Backdoor Targets Russian Auto and E-Commerce Firms via .NET Malware

1 unique source, 1 article

Summary


A new campaign targeting the Russian automobile and e-commerce sectors delivers a previously undocumented .NET malware dubbed CAPI Backdoor. The attack chain starts with phishing emails carrying ZIP archives that contain a decoy document and a malicious Windows shortcut (.lnk) file. The backdoor, disguised as 'adobe.dll', is executed through legitimate Microsoft binaries (a living-off-the-land technique), which are also used to establish persistence. Once running it can steal data from browsers, take screenshots, and exfiltrate the collected information. The campaign also uses a domain impersonating a legitimate Russian automotive website.
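The lure layout described above (a decoy document bundled with a malicious Windows shortcut inside a ZIP) is something a mail gateway or an analyst's triage script can flag before anything is opened. The following Python is an added example, not code from the page or from the CAPI Backdoor report: it identifies shortcut members by the Shell Link header rather than by extension, walks the MS-SHLLINK header to recover the shortcut's relative path and arguments, and flags archives that pair a document with a shortcut, disguise a shortcut with a document extension, or point a shortcut at a DLL or a Microsoft-signed launcher. The sample archive, the member names, the use of rundll32 and the export name are constructed for the demo; the page says only that the DLL is disguised as 'adobe.dll' and is run through legitimate Microsoft binaries, not which ones.

```python
"""Triage a ZIP attachment for the decoy-document + Windows shortcut lure pattern (added example)."""
import io
import struct
import zipfile

# Shell Link header: HeaderSize 0x4C followed by LinkCLSID 00021401-0000-0000-C000-000000000046.
LNK_MAGIC = bytes.fromhex("4c000000 01140200 0000 0000 c000000000000046")
# LinkFlags bits (MS-SHLLINK 2.1.1) needed to walk from the header to the StringData section.
(HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH,
 HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE) = (1 << i for i in range(8))

DECOY_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt")
# Assumption: Microsoft-signed binaries commonly used by shortcuts to run a DLL or script; the page does not name the one CAPI abuses.
LOLBINS = ("rundll32", "regsvr32", "mshta", "powershell", "cmd", "wscript", "cscript", "msiexec")


def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields (name, relative path, working dir, arguments, icon) of a Shell Link."""
    if not data.startswith(LNK_MAGIC):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C  # end of the fixed-size ShellLinkHeader
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip LinkTargetIDList: u16 size + IDList bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # skip LinkInfo: u32 size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
              ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
              ("icon_location", HAS_ICON_LOCATION))
    out = {}
    for key, bit in fields:                      # StringData: u16 CountCharacters, then the characters
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        pos += count * width
        out[key] = raw.decode("utf-16-le") if width == 2 else raw.decode("cp1252", errors="replace")
    return out


def triage_zip(zip_bytes: bytes) -> dict:
    """Flag archives pairing a document with a shortcut, or a shortcut that runs a DLL/LOLBin."""
    result = {"decoys": [], "shortcuts": [], "reasons": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            name = info.filename
            lower = name.lower()
            if data.startswith(LNK_MAGIC):       # identify shortcuts by magic, not by extension
                strings = parse_lnk_strings(data)
                command = " ".join(strings.get(k, "") for k in ("relative_path", "arguments")).strip()
                result["shortcuts"].append({"member": name, "command": command})
                if any(lower.endswith(ext + ".lnk") for ext in DECOY_EXTENSIONS):
                    result["reasons"].append(f"{name}: shortcut disguised with a document extension")
                hits = [b for b in LOLBINS if b in command.lower()]
                if hits or ".dll" in command.lower():
                    result["reasons"].append(f"{name}: shortcut runs {', '.join(hits) or 'a DLL'}: {command}")
            elif lower.endswith(DECOY_EXTENSIONS):
                result["decoys"].append(name)
    if result["shortcuts"] and result["decoys"]:
        result["reasons"].append("decoy document bundled with a Windows shortcut")
    result["suspicious"] = bool(result["reasons"])
    return result


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Construct a minimal Unicode Shell Link carrying only RelativePath and Arguments (sample input)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = LNK_MAGIC + struct.pack("<II", flags, 0x20)          # LinkFlags, FileAttributes (ARCHIVE)
    header += struct.pack("<QQQ", 0, 0, 0)                        # Creation/Access/Write FILETIME
    header += struct.pack("<IiIHHII", 0, 0, 1, 0, 0, 0, 0)        # FileSize, IconIndex, ShowCommand, HotKey, Reserved
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (relative_path, arguments))
    return header + body


def build_archive(members: dict) -> bytes:
    """Constructed in-memory ZIP from {member name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, blob in members.items():
            zf.writestr(name, blob)
    return buf.getvalue()


# Constructed samples. The lure mirrors the reported layout (decoy document + shortcut that loads adobe.dll);
# rundll32 and the export name are placeholders for whatever the real lure used.
SAMPLE_LURE = build_archive({
    "document.pdf": b"%PDF-1.4\n% decoy content\n",
    "document.pdf.lnk": build_lnk(r"..\..\..\Windows\System32\rundll32.exe", "adobe.dll,EntryPoint"),
})
BENIGN_ARCHIVE = build_archive({"report.pdf": b"%PDF-1.4\n", "notes.txt": b"nothing to see here"})

if __name__ == "__main__":
    for label, blob in (("lure", SAMPLE_LURE), ("benign", BENIGN_ARCHIVE)):
        verdict = triage_zip(blob)
        print(f"{label}: {'suspicious' if verdict['suspicious'] else 'clean'}")
        for reason in verdict["reasons"]:
            print("  -", reason)
```

Matching on the 20-byte header instead of the `.lnk` suffix matters because mail filters that key on extension miss shortcuts renamed to look like documents, and Explorer hides the `.lnk` suffix anyway. The parser only walks the header, ID list and LinkInfo blocks far enough to reach the StringData section, which is where the launch command lives; ExtraData blocks after it are ignored.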

Timeline

  1. 18.10.2025 14:41 · 1 article

    CAPI Backdoor Campaign Targets Russian Auto and E-Commerce Firms




Similar Happenings

GPUGate Malware Campaign Targets IT Firms in Western Europe

A sophisticated malware campaign, codenamed GPUGate, targets IT and software development companies in Western Europe and has recently expanded to macOS users. It leverages Google Ads, SEO poisoning, and fake GitHub commits to deliver malware, including the Atomic macOS Stealer (AMOS) and Odyssey. The attack began in December 2024 and uses a 128 MB Microsoft Software Installer (MSI) to evade detection; the malware employs GPU-gated decryption and other techniques to resist analysis. The end goal is information theft and delivery of secondary payloads. The threat actors have native Russian language proficiency and use a cross-platform approach.

The macOS expansion distributes AMOS and Odyssey through fake Homebrew, LogMeIn, and TradingView sites that impersonate popular tools and rely on SEO poisoning for reach. The operators use multiple GitHub usernames to evade takedowns and deploy the malware via Terminal commands; similar tactics have been observed in previous campaigns using malicious Google Ads and public GitHub repositories. AMOS now includes a backdoor component for persistent, stealthy access to compromised systems.

The campaign impersonates over 100 software solutions, including 1Password, Dropbox, Confluence, Robinhood, Fidelity, Notion, Gemini, Audacity, Adobe After Effects, Thunderbird, and SentinelOne. The fake GitHub pages were created on September 16, 2025, and were immediately submitted for takedown. The campaign has been active since at least April 2023, with previous similar campaigns observed in July 2025.