Operation MotorBeacon : Threat Actor targets Russian Automotive Sector using .NET Implant
ID: 897a33bd-a2b3-537f-9433-1d0d0b4cfd2d
STIX ID: report--897a33bd-a2b3-537f-9433-1d0d0b4cfd2d
Feed Name: Seqrite Blog
SEQRITE Labs uncovered a targeted spear-phishing campaign aimed at Russia's automobile and e-commerce sectors. The lure is a ZIP archive containing an LNK file and a decoy PDF; it deploys a .NET DLL backdoor named "CAPI Backdoor", which is executed via rundll32.exe. The implant harvests browser credentials (Chrome/Edge/Firefox), takes screenshots, performs system discovery including VM detection, and persists via a startup LNK and scheduled tasks; it communicates with C2 infrastructure at carprlce.ru and 91.223.75.96. The report contains technical analysis, IOCs (file hashes, domain, IP), and mapped MITRE ATT&CK techniques.
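A hunting script for the behaviours the summary describes, written over a simplified Sysmon-style event stream. This is an added example, not SEQRITE's code and not taken from the report: the event field names, the sample events, the rule names and the "DLL in a user-writable directory" heuristic are all assumptions made here; the only report-derived data are the two C2 indicators (carprlce.ru, 91.223.75.96) and the behaviours being hunted (rundll32 execution of the DLL, startup-folder LNK, scheduled task creation, C2 contact).

```python
"""Hunt process/file/network events for CAPI Backdoor-style behaviour.

Added example, not code from the SEQRITE report.  Event layout, sample
events, rule names and the user-writable-path heuristic are assumptions;
the C2 indicators are the ones quoted in the report summary.
"""
import re
from typing import Dict, Iterable, List, Tuple

# C2 indicators quoted in the report summary (domain and IP).
C2_INDICATORS = {"carprlce.ru", "91.223.75.96"}

# Assumption/heuristic: a DLL handed to rundll32.exe from a user-writable
# location is far more suspicious than one loaded from System32.
USER_WRITABLE = re.compile(r"\\(appdata|temp|downloads|public)\\", re.IGNORECASE)

# A .lnk written into the per-user Startup folder (startup LNK persistence).
STARTUP_LNK = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.IGNORECASE)


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of every rule that fires for one event (empty if none)."""
    hits: List[str] = []
    kind = ev.get("type")
    image = ev.get("image", "").lower()
    cmd = ev.get("cmdline", "")
    parent = ev.get("parent_image", "").lower()

    if kind == "process":
        # rundll32.exe loading a .dll from a user-writable path.
        if image.endswith("\\rundll32.exe") and ".dll" in cmd.lower() and USER_WRITABLE.search(cmd):
            hits.append("rundll32_user_writable_dll")
        # schtasks /create spawned by rundll32.exe: scheduled-task persistence
        # set up from inside the implant's host process.
        if image.endswith("\\schtasks.exe") and "/create" in cmd.lower() and parent.endswith("\\rundll32.exe"):
            hits.append("schtasks_create_from_rundll32")
    elif kind == "file":
        if STARTUP_LNK.search(ev.get("target", "")):
            hits.append("startup_lnk_written")
    elif kind == "network":
        dest_host = ev.get("dest_host", "").lower()
        dest_ip = ev.get("dest_ip", "")
        if dest_host in C2_INDICATORS or dest_ip in C2_INDICATORS:
            hits.append("known_c2_indicator")
    return hits


def scan_events(events: Iterable[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Run every rule over a stream of events; return (event id, rule) pairs."""
    return [(ev.get("id", "?"), rule) for ev in events for rule in check_event(ev)]


# Constructed sample telemetry (not from the report); paths and hostnames are invented.
SAMPLE_EVENTS = [
    {"id": "e1", "type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe C:\Users\ivan\AppData\Local\Temp\capi.dll,Start"},
    {"id": "e2", "type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'schtasks.exe /create /sc minute /mo 5 /tn Updater /tr "rundll32.exe C:\Users\ivan\AppData\Local\Temp\capi.dll,Start"'},
    {"id": "e3", "type": "file", "image": r"C:\Windows\System32\rundll32.exe",
     "target": r"C:\Users\ivan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"id": "e4", "type": "network", "image": r"C:\Windows\System32\rundll32.exe",
     "dest_host": "carprlce.ru", "dest_ip": "91.223.75.96", "dest_port": "443"},
    # Benign: rundll32 driving a Control Panel applet from System32.
    {"id": "e5", "type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    # Benign: ordinary outbound connection.
    {"id": "e6", "type": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_host": "example.com", "dest_ip": "93.184.216.34", "dest_port": "443"},
]


if __name__ == "__main__":
    for event_id, rule in scan_events(SAMPLE_EVENTS):
        print(f"{event_id}: {rule}")
```

The IOC rule is the weakest of the four (the operators can re-point C2 at any time), so the behavioural rules are the ones worth keeping after the listed domain and IP go stale; the rundll32 path heuristic in particular will need tuning against your own baseline, since some legitimate installers also run DLLs from Temp.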
