(ptsecurity.com) CapFix Threat Group Deploys Evolved CapDoor Backdoor Against Russian Industrial and Aviation Organizations
CapFix threat group targets Russian industrial/aviation sectors with evolved CapDoor backdoor, exploiting CVE-2025-49113 in Roundcube Webmail to compromise legitimate infrastructure. Secondary payloads include SectopRAT and AsyncRAT.
In brief - Russian APT CapFix deploys updated CapDoor backdoor via Roundcube exploit (CVE-2025-49113) against industrial/aviation targets. Uses DLL sideloading, ChaCha20 C2 encryption, and delivers RAT payloads. Phishing lures shifted from crypto/hotel themes to government impersonation.
Technically - CapDoor employs multi-stage DLL sideloading (orchestrator/watchdog/inject DLLs) via signed executables. Shellcode uses FNV-1 hashing for API resolution, MurmurHash3 (seed 0xE5BBB) for C2 tasks. ChaCha20 encrypts communications. Persistence via HKCU Run. Supports PowerShell, file execution (EXE/DLL/MSI), screenshots. Evolved from PE to shellcode delivery, removed GHOSTPULSE/HIJACKLOADER dependencies.
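As an added example, not taken from the PT Security report: a small analyst helper for the API-hashing detail above. It precomputes FNV-1 hashes of candidate API names and MurmurHash3 hashes (seed 0xE5BBB) of candidate task names so that constants recovered from a sample can be looked up; the bit width (32-bit FNV-1), the MurmurHash3 variant (x86_32) and the candidate name lists are assumptions.

```python
# Added analyst helper (not the report's code): precompute hashes of known API
# and task names so hash constants recovered from a sample can be mapped back
# to readable names. Assumed variants: 32-bit FNV-1 (multiply, then XOR) and
# MurmurHash3 x86_32; the report names the algorithms and the seed, not widths.

def fnv1_32(data: bytes) -> int:
    """32-bit FNV-1 over raw bytes (FNV-1a would XOR before multiplying)."""
    h = 0x811C9DC5
    for b in data:
        h = ((h * 0x01000193) & 0xFFFFFFFF) ^ b
    return h

def murmur3_x86_32(data: bytes, seed: int) -> int:
    """MurmurHash3 x86_32, following the public reference algorithm."""
    mask = 0xFFFFFFFF
    c1, c2 = 0xCC9E2D51, 0x1B873593
    rotl = lambda x, r: ((x << r) | (x >> (32 - r))) & mask
    h, n = seed & mask, len(data)
    for i in range(0, n - n % 4, 4):  # full 4-byte blocks
        k = int.from_bytes(data[i:i + 4], "little")
        k = (rotl((k * c1) & mask, 15) * c2) & mask
        h = (rotl(h ^ k, 13) * 5 + 0xE6546B64) & mask
    k = 0
    for j, b in enumerate(data[n - n % 4:]):  # 1-3 byte tail
        k ^= b << (8 * j)
    h ^= (rotl((k * c1) & mask, 15) * c2) & mask  # no-op when k == 0
    h ^= n  # fold in the length, then the fmix32 avalanche
    h = ((h ^ (h >> 16)) * 0x85EBCA6B) & mask
    h = ((h ^ (h >> 13)) * 0xC2B2AE35) & mask
    return h ^ (h >> 16)

MURMUR_SEED = 0xE5BBB  # seed quoted in the report for CapDoor's C2 task hashes

# Constructed candidate lists; in practice feed the export tables of the DLLs
# the shellcode resolves, and the task keywords observed in traffic.
API_NAMES = ["LoadLibraryA", "GetProcAddress", "VirtualAlloc", "CreateThread"]
TASK_NAMES = ["powershell", "screenshot", "execute"]  # placeholder task names

def build_tables():
    """Return (api_table, task_table) mapping hash -> name for each scheme."""
    api = {fnv1_32(n.encode()): n for n in API_NAMES}
    task = {murmur3_x86_32(n.encode(), MURMUR_SEED): n for n in TASK_NAMES}
    return api, task

def resolve(values, table):
    """Translate hash constants pulled from a sample; unknowns stay visible."""
    return {v: table.get(v, "<unknown>") for v in values}
```

Unresolved values in the output usually mean either a missing export in the candidate list or a different hash variant (for example FNV-1a or a 64-bit width), so adjust the parameters before concluding the constant is not an API hash.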