Operation MotorBeacon targets Russian automotive commerce with CAPI backdoor

Seqrite Labs has uncovered a new targeted cyber-espionage campaign dubbed ‘Operation MotorBeacon,’ aimed at compromising entities in Russia’s automotive and automobile-commerce industry. The campaign leverages a previously undocumented .NET-based malware implant named ‘CAPI Backdoor,’ capable of stealing sensitive data and establishing long-term persistence on infected systems.

The activity was spotted on 3 October 2025, when Seqrite researchers found a suspicious ZIP archive uploaded to VirusTotal. The archive, titled ‘Перерасчет заработной платы 01.10.2025’ (‘Payroll Recalculation as of October 1, 2025’), is believed to have been distributed through spear-phishing emails. It contains a malicious LNK file of the same name, designed to trick recipients into opening it. When opened, the LNK uses the Windows-native utility rundll32.exe to load a concealed .NET DLL, the final-stage payload: the CAPI Backdoor, also seen under the file names adobe.dll and client6.dll.

Once running, the CAPI Backdoor communicates with a remote command-and-control server and acts as a data stealer, while also establishing persistence so that access survives reboots and partial cleanup. The .NET implant relies on two persistence techniques.

The first technique: the malware retrieves its own path via the .NET Assembly.GetExecutingAssembly().Location property and copies itself into a hidden folder named “Microsoft” under the user’s Roaming AppData directory. The name matches %APPDATA%\Microsoft, a directory that exists on every Windows user profile, so the copy blends in with legitimate files. It then creates a shortcut, Microsoft.lnk, in the Startup folder. The shortcut silently runs the backdoor via rundll32.exe each time the user logs into Windows.

The second technique is a scheduled task. The backdoor again saves itself in the Roaming Microsoft folder, then registers a task named AdobePDF with the Windows Task Scheduler. The task is set to start one hour after creation and repeat hourly for a week, each run executing rundll32.exe with the malicious DLL as its argument. This reinforces persistence should the Startup-folder shortcut be found and removed, so responders should check both locations, and remove the dropped DLL itself, rather than stopping at the first artefact.
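A hunting check for the two persistence artefacts just described, written here as an added Python example (it is not code from Seqrite or from the report): it parses exported Task Scheduler XML and assesses resolved Startup-folder shortcuts, flagging any rundll32.exe invocation that loads a DLL from a user-writable path or uses one of the reported file names. All inputs are constructed: the task XML mirrors the published description (rundll32 with the DLL as argument, hourly repetition for seven days), while the export name "Start", the user name, the StartBoundary timestamp and the benign "Vendor Helper" shortcut are placeholders, not indicators from the report.

```python
"""Hunt for the CAPI Backdoor persistence artefacts: a Startup-folder
shortcut and a scheduled task, both running rundll32.exe against a DLL
dropped under %APPDATA%\\Microsoft.

Added example, not code from Seqrite's report. Sample inputs are constructed;
the export name "Start", the user name and the StartBoundary are placeholders.
"""
import re
import xml.etree.ElementTree as ET
from typing import Optional

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# DLL file names the report associates with CAPI Backdoor.
KNOWN_DLL_NAMES = {"adobe.dll", "client6.dll"}

# Paths a standard user can write to. A DLL loaded by rundll32 from one of
# these is far more suspicious than one under %SystemRoot% or Program Files.
USER_WRITABLE = re.compile(r"\\(AppData\\(Roaming|Local)|Users\\Public|Temp)\\", re.I)


def split_rundll32_args(arguments: str):
    """Return (dll_path, entry_point) from rundll32-style arguments.
    rundll32 expects '<dll>,<export> [args]'; the DLL path may be quoted."""
    arguments = arguments.strip()
    if arguments.startswith('"'):
        end = arguments.find('"', 1)
        dll, rest = arguments[1:end], arguments[end + 1:]
    else:
        m = re.match(r"([^,\s]+)(.*)", arguments, re.S)
        dll, rest = (m.group(1), m.group(2)) if m else (arguments, "")
    rest = rest.strip().lstrip(",").strip()
    entry = rest.split(" ")[0] if rest else ""
    return dll, entry


def assess_rundll32(command: str, arguments: str) -> Optional[dict]:
    """Assess one command line. Returns None if it is not rundll32.exe,
    otherwise a finding dict whose 'suspicious' flag is set when the DLL
    sits in a user-writable directory or carries a reported file name."""
    exe = command.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe != "rundll32.exe":
        return None
    dll, entry = split_rundll32_args(arguments)
    reasons = []
    if USER_WRITABLE.search(dll):
        reasons.append("dll in user-writable directory")
    if dll.rsplit("\\", 1)[-1].lower() in KNOWN_DLL_NAMES:
        reasons.append("dll name matches MotorBeacon indicator")
    return {"dll": dll, "entry_point": entry, "reasons": reasons,
            "suspicious": bool(reasons)}


def assess_task_xml(xml_text: str, task_name: str = "") -> list:
    """Parse exported Task Scheduler XML (schtasks /query /xml) and assess
    every Exec action; also record the repetition interval, if any."""
    root = ET.fromstring(xml_text)
    interval = root.find(f".//{TASK_NS}Repetition/{TASK_NS}Interval")
    findings = []
    for exec_node in root.iter(f"{TASK_NS}Exec"):
        command = exec_node.findtext(f"{TASK_NS}Command", default="")
        args = exec_node.findtext(f"{TASK_NS}Arguments", default="")
        finding = assess_rundll32(command, args)
        if finding:
            finding["task"] = task_name
            finding["repeat_interval"] = interval.text if interval is not None else None
            findings.append(finding)
    return findings


def hunt(shortcuts, tasks) -> list:
    """shortcuts: (lnk name, resolved target, arguments) triples from the
    Startup folder; tasks: (task name, task XML) pairs. Returns the hits."""
    hits = []
    for name, target, args in shortcuts:
        finding = assess_rundll32(target, args)
        if finding and finding["suspicious"]:
            finding["source"] = f"startup:{name}"
            hits.append(finding)
    for name, xml_text in tasks:
        for finding in assess_task_xml(xml_text, name):
            if finding["suspicious"]:
                finding["source"] = f"task:{name}"
                hits.append(finding)
    return hits


# Constructed sample input: one malicious shortcut, one benign one, and a
# task XML shaped like the AdobePDF task (hourly for seven days).
SAMPLE_SHORTCUTS = [
    ("Microsoft.lnk", r"C:\Windows\System32\rundll32.exe",
     r"C:\Users\user\AppData\Roaming\Microsoft\adobe.dll,Start"),
    ("Vendor Helper.lnk", r"C:\Program Files\Vendor\helper.exe", "/background"),
]
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT1H</Interval><Duration>P7D</Duration></Repetition>
    <StartBoundary>2025-10-03T13:00:00</StartBoundary><Enabled>true</Enabled>
  </TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>rundll32.exe</Command>
    <Arguments>"C:\Users\user\AppData\Roaming\Microsoft\adobe.dll",Start</Arguments>
  </Exec></Actions>
</Task>"""
SAMPLE_TASKS = [("AdobePDF", SAMPLE_TASK_XML)]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_SHORTCUTS, SAMPLE_TASKS):
        print(hit["source"], hit["dll"], hit["reasons"])
```

On a live host, feed `hunt` the output of `schtasks /query /xml /tn <name>` for each task and the Startup-folder shortcuts resolved to (TargetPath, Arguments) with WScript.Shell.CreateShortcut in PowerShell. The rule keys on rundll32.exe loading from a user-writable path rather than on the %APPDATA%\Microsoft folder alone, since that folder is legitimate on every profile; a hit is a lead to triage, not proof of compromise.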
