
Parrot CTFs Blog Offensive Security Topics & Cyber Security News

Inside the .NET CAPI Backdoor Campaign Targeting Russian Auto and E‑Commerce Firms

TLDR

A new .NET CAPI backdoor is targeting Russian automobile manufacturers and e‑commerce platforms.

The malware arrives in phishing ZIPs, steals browser data, captures screenshots, and establishes persistence.

What happened

Security researchers observed a focused phishing campaign against Russian entities in the auto and e‑commerce sectors. The attackers send emails that appear to come from trusted partners. Each email contains a ZIP attachment. Inside the archive the victim finds a legitimate‑looking document and a Windows shortcut file (LNK). The shortcut points to a hidden executable that is the CAPI backdoor.

The backdoor is written in .NET and uses the Common API (CAPI) naming convention to blend in with legitimate development tools. Once executed, the payload drops a second‑stage DLL into the user’s profile directory. The DLL registers a scheduled task that runs at system startup, providing long‑term persistence. The backdoor also creates a registry run key as a fallback mechanism.

Functionally, the malware performs three core actions. First, it enumerates installed web browsers, extracts saved cookies, passwords, and session tokens, and forwards them to a command‑and‑control (C2) server. Second, it captures periodic screenshots of the active desktop and uploads them. Third, it opens a reverse TCP channel that allows the operator to run arbitrary commands, download additional modules, or exfiltrate files on demand.

The C2 infrastructure is hosted on a domain that mimics a well‑known Russian automotive parts supplier. The domain name uses a subtle typo‑squatting technique, swapping a single character to evade casual inspection. DNS queries for the domain resolve to a cloud‑based IP address that changes every few hours, making takedown difficult.
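A single‑character swap defeats exact‑match block lists, but it is easy to catch if you compare observed domains against a list of trusted partners by edit distance. The following is an added example, not code from this post or from the researchers it cites: it flags any queried domain within one edit of a trusted domain. The trusted domains and the DNS log lines are constructed placeholders, since the post does not name the impersonated supplier.

```python
# Added example: look-alike domain detection by Levenshtein distance.
# TRUSTED_DOMAINS and SAMPLE_DNS_LOG are constructed placeholders.
from typing import Optional

TRUSTED_DOMAINS = {
    "example-auto-parts.ru",   # constructed stand-in for a real supplier domain
    "example-shop.ru",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a rolling one-row DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Lower-case, drop a trailing dot and a leading 'www.' before comparing."""
    d = domain.strip().lower().rstrip(".")
    return d[4:] if d.startswith("www.") else d


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 1) -> Optional[str]:
    """Return the trusted domain this name impersonates, or None.

    An exact match is legitimate traffic, so it is deliberately not reported.
    """
    d = normalize(domain)
    if d in trusted:
        return None
    for t in trusted:
        if edit_distance(d, t) <= max_distance:
            return t
    return None


def triage_dns_log(lines):
    """Scan log lines of the form '<timestamp> <client-ip> <qname>'.

    Returns (client, queried_domain, impersonated_domain) for each look-alike.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        target = lookalike_of(parts[2])
        if target:
            hits.append((parts[1], normalize(parts[2]), target))
    return hits


SAMPLE_DNS_LOG = [  # constructed sample log lines
    "2024-05-01T09:12:03Z 10.0.4.17 example-auto-parts.ru",      # exact match: fine
    "2024-05-01T09:12:41Z 10.0.4.23 example-auto-part.ru",       # one character dropped
    "2024-05-01T09:13:02Z 10.0.4.23 example-autoparts.ru",       # hyphen dropped
    "2024-05-01T09:13:15Z 10.0.4.30 www.example-shop.ru.",       # normalizes to a trusted name
    "2024-05-01T09:14:00Z 10.0.4.31 unrelated.example",
]

if __name__ == "__main__":
    for client, seen, target in triage_dns_log(SAMPLE_DNS_LOG):
        print(f"{client} queried {seen}, which looks like {target}")
```

Keep the trusted list to domains your business actually uses: very short trusted names produce false positives at distance one, and a larger `max_distance` quickly does the same. Raw DNS query logs are enough input; this does not need the resolved IP, which the post notes changes every few hours.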

Network traffic analysis shows the backdoor uses HTTPS over port 443 to hide its communications. The TLS handshake includes a custom client certificate that the attackers rotate weekly. The payload also implements certificate pinning to reject man‑in‑the‑middle attempts.

In addition to the primary payload, the attackers drop a small PowerShell script that disables Windows Defender real‑time protection for the duration of the infection. The script also modifies the Windows firewall to allow outbound traffic to the C2 domain on ports 443 and 8443.

Why it matters

The campaign targets two high‑value sectors in Russia. Automotive manufacturers are increasingly connected, using IoT devices, telematics, and cloud services. A breach can expose design schematics, supply‑chain contracts, and production schedules. E‑commerce platforms store payment data, customer profiles, and inventory details. Theft of browser credentials can give attackers access to internal admin portals, payment gateways, and third‑party services.

Data exfiltration from browsers is a low‑cost way to gain privileged access. Session cookies often remain valid for weeks, allowing attackers to hijack authenticated sessions without triggering password resets. Screenshot capture provides visual confirmation of sensitive documents, dashboards, or engineering drawings.

Persistence mechanisms used by CAPI are robust. Scheduled tasks survive reboots and user logouts. Registry run keys are rarely audited in large enterprises. The combination of multiple persistence vectors makes removal difficult and increases dwell time.

The use of a .NET binary complicates detection. Many endpoint protection platforms rely on signature‑based heuristics for native PE files. .NET assemblies can be obfuscated, and the backdoor leverages the .NET runtime to load malicious code dynamically. This evasion technique reduces the likelihood of early detection.

Geopolitically, the focus on Russian firms suggests a state‑aligned motive or a financially driven group exploiting sanctions‑induced market pressures. The attackers may be seeking intelligence, intellectual property, or direct financial gain through ransomware or extortion later in the attack chain.

Finally, the domain impersonation indicates a high level of operational security. By using a look‑alike domain, the attackers increase the chance that users will trust the link, and they reduce the risk of domain‑based blocking by security tools that rely on blacklists.

Who is affected

  • Automotive manufacturers that design, assemble, or test vehicles in Russia.
  • Tier‑1 and Tier‑2 suppliers that provide parts, software, or logistics services to the auto industry.
  • Online retail platforms that operate marketplaces, payment gateways, or logistics coordination services.
  • Employees who receive phishing emails, especially those in procurement, engineering, or finance.
  • Third‑party vendors that integrate with the compromised systems via APIs or shared services.
  • Customers whose personal data may be stored in compromised e‑commerce databases.

How to check exposure

Organizations should start with a forensic review of recent email activity. Look for inbound messages with ZIP attachments that contain both a document (DOCX, PDF) and a .LNK file. The shortcut often has a generic name such as “Invoice.lnk” or “Report.lnk”.
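The attachment pattern above (a document plus a .LNK in one ZIP) can be checked mechanically at the mail gateway or during a mailbox sweep. Below is an added example written for this post, not code from the post or the researchers: it opens an archive from raw bytes and returns a verdict based on the entry names, the generic shortcut names cited above, and the DOS hidden attribute on any executable inside. The sample lure archive is constructed in memory and contains no real payload.

```python
# Added example: triage a ZIP attachment for the document + .LNK lure layout.
# The sample archives are constructed here; nothing is read from disk.
import io
import zipfile
from pathlib import PurePosixPath  # ZIP entry names use '/' separators

DOCUMENT_EXTS = {".docx", ".doc", ".pdf", ".xlsx", ".rtf"}
SHORTCUT_EXTS = {".lnk"}
EXECUTABLE_EXTS = {".exe", ".dll"}
GENERIC_LNK_STEMS = {"invoice", "report"}   # generic names named in the post
DOS_HIDDEN = 0x02                           # DOS attribute bit in the low byte of external_attr


def triage_zip(data: bytes) -> dict:
    """Return a verdict and the supporting entries for one ZIP attachment."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            entries = [i for i in zf.infolist() if not i.is_dir()]
    except zipfile.BadZipFile:
        # An unreadable archive should not be waved through by default.
        return {"verdict": "review", "reason": "not a readable ZIP"}

    shortcuts, documents, hidden_exes = [], [], []
    for info in entries:
        suffix = PurePosixPath(info.filename).suffix.lower()
        if suffix in SHORTCUT_EXTS:
            shortcuts.append(info.filename)
        elif suffix in DOCUMENT_EXTS:
            documents.append(info.filename)
        elif suffix in EXECUTABLE_EXTS and info.external_attr & DOS_HIDDEN:
            hidden_exes.append(info.filename)

    generic = [n for n in shortcuts if PurePosixPath(n).stem.lower() in GENERIC_LNK_STEMS]

    if shortcuts and (documents or hidden_exes):
        verdict = "quarantine"      # the lure layout described in the post
    elif shortcuts:
        verdict = "review"          # a bare .lnk in mail is still unusual
    else:
        verdict = "allow"
    return {
        "verdict": verdict,
        "shortcuts": shortcuts,
        "documents": documents,
        "hidden_executables": hidden_exes,
        "generic_shortcut_names": generic,
    }


def build_sample_lure() -> bytes:
    """Constructed archive mirroring the described lure; the bytes are dummies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice_2024-05.docx", b"not a real document")
        zf.writestr("Invoice.lnk", b"L\x00\x00\x00" + b"\x00" * 16)  # dummy bytes, not a real shortcut
        exe = zipfile.ZipInfo("CAPI.exe")
        exe.external_attr = DOS_HIDDEN                                # marked hidden, as the post describes
        zf.writestr(exe, b"MZ" + b"\x00" * 62)                        # dummy bytes, not a real binary
    return buf.getvalue()


def build_benign_sample() -> bytes:
    """Constructed archive with only a document, for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("quarterly_report.pdf", b"%PDF-1.4 not a real document")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip(build_sample_lure()))
    print(triage_zip(build_benign_sample()))
```

Entry names and attributes are read from the central directory, so the archive contents are never extracted or executed. The hidden-attribute check only fires for archives built on Windows that preserved DOS attributes; treat its absence as no signal rather than a clean result.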

Key indicators of compromise (IOCs) include:

  • File hash of the CAPI backdoor executable (SHA‑256: 3f9a1c7e5b6d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3).
  • Registry run key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\CAPI pointing to %APPDATA%\Microsoft\CAPI.exe.
  • Scheduled task name: CAPIUpdater with a trigger at logon.
  • Network indicator: HTTPS requests to auto-parts‑supply.ru (note the missing “i”).
  • PowerShell command line: Set-MpPreference -DisableRealtimeMonitoring $true executed without a signed script.

Use endpoint detection and response (EDR) tools to query for these artifacts. Search for processes named CAPI.exe or CAPI.dll running under user contexts that do not match known software. Review scheduled tasks and registry autoruns for unknown entries.

Network logs should be examined for outbound TLS connections to the suspicious domain. Look for unusual SNI values or certificate fingerprints that match the custom client certificate observed in the campaign.
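The indicators listed above, together with the post‑infection monitoring in the mitigation section (new scheduled tasks, PowerShell commands that modify security settings, outbound TLS to the C2 domain), can be checked in one pass over exported host and network artifacts. The following is an added example, not code from this post or the researchers: it scans a dictionary of exported run keys, scheduled tasks, processes, TLS log lines and PowerShell command lines against the post's IOCs. The host inventory is constructed, the C2 domain is written with plain ASCII hyphens, and the client‑certificate fingerprint is a placeholder because the post does not publish it.

```python
# Added example: hunt exported host/network artifacts for the CAPI indicators
# listed in the post. SAMPLE_HOST is constructed; the certificate fingerprint
# is a placeholder, not a value from the post.
import re

C2_DOMAINS = {"auto-parts-supply.ru"}                      # ASCII hyphens
RUN_KEY_VALUE = "CAPI"                                     # HKCU\...\Run\CAPI
TASK_NAME = "CAPIUpdater"                                  # logon-triggered task
PAYLOAD_NAMES = {"capi.exe", "capi.dll"}
KNOWN_CLIENT_CERT_FPS = {"PLACEHOLDER_CLIENT_CERT_SHA256"}  # placeholder, not from the post
# Defender real-time protection switched off; matches $true, $True and 1.
DEFENDER_OFF = re.compile(r"set-mppreference\b.*-disablerealtimemonitoring\s+(\$true|1)\b", re.I)
TLS_LINE = re.compile(r"\S+ (\S+) (\S+):(\d+) sni=(\S+) client_cert=(\S+)")


def domain_matches(host: str) -> bool:
    """True for the C2 domain itself or any subdomain of it."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in C2_DOMAINS)


def hunt(host: dict) -> list:
    """Return (severity, description) findings for one host's exported artifacts."""
    findings = []
    # 1. Registry run keys: {"key", "value_name", "data"}
    for e in host.get("run_keys", []):
        if e["value_name"].lower() == RUN_KEY_VALUE.lower() or e["data"].lower().endswith("capi.exe"):
            findings.append(("high", f"run key {e['key']}\\{e['value_name']} -> {e['data']}"))
    # 2. Scheduled tasks: {"name", "trigger", "action"}
    for t in host.get("tasks", []):
        if t["name"] == TASK_NAME or t["action"].lower().endswith(tuple(PAYLOAD_NAMES)):
            findings.append(("high", f"scheduled task {t['name']} ({t['trigger']}) runs {t['action']}"))
    # 3. Running processes: {"image", "user"}
    for p in host.get("processes", []):
        if p["image"].rsplit("\\", 1)[-1].lower() in PAYLOAD_NAMES:
            findings.append(("high", f"process {p['image']} running as {p['user']}"))
    # 4. TLS log lines: "<ts> <src> <dst>:<port> sni=<name> client_cert=<sha256|->"
    for line in host.get("tls_log", []):
        m = TLS_LINE.match(line)
        if not m:
            continue
        src, dst, port, sni, fp = m.groups()
        if domain_matches(sni):
            findings.append(("high", f"TLS to C2 domain {sni} ({dst}:{port}) from {src}"))
        elif fp in KNOWN_CLIENT_CERT_FPS:
            findings.append(("medium", f"known client certificate {fp} presented to {sni}"))
    # 5. PowerShell command lines (script block or process-creation logs)
    for cmd in host.get("powershell", []):
        if DEFENDER_OFF.search(cmd):
            findings.append(("high", f"Defender real-time protection disabled: {cmd}"))
    return findings


SAMPLE_HOST = {  # constructed inventory for one workstation
    "run_keys": [
        {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value_name": "OneDrive",
         "data": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
        {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value_name": "CAPI",
         "data": r"%APPDATA%\Microsoft\CAPI.exe"},
    ],
    "tasks": [
        {"name": "CAPIUpdater", "trigger": "at logon", "action": r"%APPDATA%\Microsoft\CAPI.exe"},
        {"name": "MicrosoftEdgeUpdateTaskMachineCore", "trigger": "daily",
         "action": r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"},
    ],
    "processes": [
        {"image": r"C:\Windows\System32\svchost.exe", "user": "NT AUTHORITY\\SYSTEM"},
        {"image": r"C:\Users\u\AppData\Roaming\Microsoft\CAPI.exe", "user": "CORP\\u"},
    ],
    "tls_log": [
        "2024-05-01T10:00:01Z 10.0.4.23 203.0.113.10:443 sni=auto-parts-supply.ru client_cert=-",
        "2024-05-01T10:00:05Z 10.0.4.23 198.51.100.7:443 sni=update.example client_cert=-",
    ],
    "powershell": [
        "Get-Process",
        "Set-MpPreference -DisableRealtimeMonitoring $true",
    ],
}

if __name__ == "__main__":
    for severity, text in hunt(SAMPLE_HOST):
        print(f"[{severity}] {text}")
```

The inventory shape matches what autoruns, task and process exports usually give you after light normalization; feed real exports in and the same checks apply. The subdomain match matters because the post notes the C2 IP rotates, so the domain is the stable indicator to key on.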

Finally, audit browser credential stores on high‑risk workstations. Export Chrome, Edge, and Firefox credential databases and compare against known malicious hashes.

Fast mitigation

Immediate steps can limit the spread and reduce data loss.

  1. Block the malicious domain. Add auto-parts‑supply.ru and its subdomains to your DNS firewall or proxy block list.
  2. Quarantine suspicious emails. Use your email gateway to isolate messages with ZIP attachments that contain .LNK files. Notify users not to open such attachments.
  3. Disable shortcut execution. Apply the Group Policy setting Computer Configuration → Administrative Templates → Windows Components → File Explorer → Turn off Windows shortcut (.lnk) file execution.
  4. Remove persistence mechanisms. Delete the scheduled task CAPIUpdater and the registry run key CAPI. Reboot the systems to ensure the task does not re‑register.
  5. Run full endpoint scans. Use an updated EDR solution to perform a deep scan for the backdoor hash and related DLLs. Quarantine any matches.
  6. Reset browser credentials. Force a password change for all accounts that use stored credentials on affected machines. Clear cookie stores and session caches.
  7. Re‑enable security features. Ensure Windows Defender real‑time protection is active. Verify firewall rules allow only required outbound traffic.
  8. Patch .NET runtime. Apply the latest security updates for the .NET Framework and .NET Core to mitigate known code‑execution vulnerabilities.
  9. Monitor for post‑infection activity. Set up alerts for new outbound TLS connections to unknown domains, for the creation of new scheduled tasks, and for PowerShell commands that modify security settings.

Long‑term, organizations should improve phishing awareness training, enforce attachment scanning, and adopt application whitelisting for executables. Regularly audit autorun locations and maintain an up‑to‑date inventory of trusted domains used by business processes.

Kaz

not a hacker.
