BearerX Tech News

October 18, 2025 | Cybersecurity

CAPI Backdoor Campaign Intensifies Targeting Russian Businesses; Silver Fox Expands Attacks Globally

October 18, 2025 – Cybersecurity analysts are reporting a significant escalation in malicious activity, driven by a previously undocumented .NET backdoor now tracked as the “CAPI Backdoor” and by an expansion of operations by the established threat group Silver Fox. Both stories are summarised below, together with what is currently known about the tradecraft involved.

CAPI Backdoor Campaign: A Focused Assault on Russian Enterprises

The most pressing cybersecurity concern today centers on a previously unknown .NET malware family, now referred to as the “CAPI Backdoor.” It is being delivered to organizations in the Russian automobile and e-commerce sectors through targeted phishing campaigns. Initial reports, stemming from a joint alert issued by the European Cyber Security Agency (ECSA) and the US Cybersecurity and Infrastructure Security Agency (CISA), indicate a sustained and targeted effort.

The delivery chain uses ZIP archives containing a Russian-language decoy document alongside a malicious Windows shortcut file (LNK). When the victim opens the shortcut, it invokes the legitimate, Microsoft-signed rundll32.exe and hands it the payload, a DLL named “adobe.dll” dropped next to the decoy. This is a classic “living-off-the-land” (LotL) technique: because rundll32.exe is a trusted Windows binary that loads DLLs by design, naive allowlisting and many reputation-based controls see only a normal system process. The practical hunting signal is therefore not rundll32.exe itself but rundll32.exe being asked to load a DLL from a user-writable location such as Downloads or a temporary extraction folder, with a file-explorer or archive tool as the parent process.

According to ECSA’s preliminary analysis, the CAPI Backdoor’s primary objective is establishing persistent access to compromised systems. On execution it first checks whether it is running with administrator privileges. If it is, it inventories the antivirus products installed on the host. That inventory is most likely used to choose evasion behaviour or to tailor follow-on stages to the defensive software present.

Crucially, the CAPI Backdoor beacons to a command-and-control (C2) server at 91.223.75[.]96 (written defanged here; re-arm the address before loading it into a blocklist or detection rule). The server is believed to deliver operator tasking and to receive exfiltrated data. The exact nature of the stolen data remains under investigation, but early indicators suggest it may include sensitive customer data, financial information, and intellectual property.
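The two observable behaviours described above, rundll32.exe loading a DLL from a user-writable path and a subsequent outbound connection to the C2 address, can be turned into a simple correlated hunt over endpoint telemetry. The following Python example is added here for illustration and is not code from the article or from any vendor report. The events are constructed in the style of Sysmon process-creation (Event ID 1) and network-connection (Event ID 3) records; the usernames, paths and ProcessGuid values are made up, and only the rundll32/adobe.dll pattern and the C2 address come from the text.

```python
"""Correlated hunt for the rundll32 living-off-the-land pattern plus C2 callback.

Added example, not the article's or any vendor's code. Event records below are
constructed in Sysmon style; paths, users and GUIDs are hypothetical.
"""
import re

# Indicator from the article, re-armed from its defanged form 91.223.75[.]96.
C2_IPS = {"91.223.75.96"}

# Directories rundll32 legitimately loads DLLs from. Anything else is suspicious;
# tune this allowlist (e.g. for installers) before deploying against real data.
TRUSTED_DLL_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)

# Matches `rundll32[.exe] <dll>[,<entrypoint>] ...` with or without quoting of
# the binary path and of the DLL path. Group 1: quoted DLL, group 2: bare DLL.
RUNDLL32_RE = re.compile(
    r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+(?:"([^"]+)"|([^\s,]+))',
    re.IGNORECASE,
)

# Constructed telemetry: one benign rundll32 use, one matching the described
# chain (shortcut -> rundll32 -> adobe.dll in Downloads -> C2), one benign connect.
CONSTRUCTED_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A1}", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessGuid": "{B2}", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" "C:\Users\ivan\Downloads\docs\adobe.dll",Start',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "ProcessGuid": "{B2}", "Image": r"C:\Windows\System32\rundll32.exe",
     "DestinationIp": "91.223.75.96", "DestinationPort": 443},
    {"EventID": 3, "ProcessGuid": "{C3}", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "192.0.2.10", "DestinationPort": 443},
]


def rundll32_dll(cmdline: str):
    """Return the DLL path rundll32 was asked to load, or None if not parseable."""
    m = RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    return m.group(1) or m.group(2)


def is_trusted_dll_path(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(d) for d in TRUSTED_DLL_DIRS)


def triage(events):
    """Yield (rule, process_guid, detail) alerts; the third rule is the correlation."""
    alerts = []
    suspicious = {}  # ProcessGuid -> untrusted DLL path, for later correlation
    for ev in events:
        if ev["EventID"] == 1 and ev["Image"].lower().endswith("\\rundll32.exe"):
            dll = rundll32_dll(ev["CommandLine"])
            if dll and not is_trusted_dll_path(dll):
                suspicious[ev["ProcessGuid"]] = dll
                alerts.append(("rundll32_untrusted_dll", ev["ProcessGuid"], dll))
        elif ev["EventID"] == 3 and ev["DestinationIp"] in C2_IPS:
            alerts.append(("c2_callback", ev["ProcessGuid"], ev["DestinationIp"]))
            if ev["ProcessGuid"] in suspicious:
                # Same process both loaded an untrusted DLL and beaconed: high confidence.
                alerts.append(("lotl_rundll32_with_c2", ev["ProcessGuid"],
                               suspicious[ev["ProcessGuid"]]))
    return alerts


if __name__ == "__main__":
    for rule, guid, detail in triage(CONSTRUCTED_EVENTS):
        print(f"{rule:24} {guid:6} {detail}")
```

The first rule on its own is noisy on real fleets (setup programs and some management agents call rundll32 on DLLs in temporary folders), which is why the block keeps the per-process correlation with the network indicator as a separate, higher-confidence rule rather than folding the C2 check into the process rule.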

The ECSA and CISA have issued warnings to organizations operating in the Russian automobile and e-commerce sectors, urging them to implement enhanced security measures, including:

Silver Fox Expands Global Reach with HoldingHands RAT Attacks

Also in today’s news is the confirmed expansion of operations by the threat group Silver Fox. Previously known for campaigns against organizations in China and Taiwan, Silver Fox has now broadened its targeting to organizations in Japan and Malaysia, using its signature HoldingHands RAT (also tracked as Gh0stBins).

The attack vector is consistent with earlier Silver Fox campaigns: phishing emails carrying PDF attachments. The PDFs themselves are lures; they contain embedded links which, when clicked, lead to the download and execution of the HoldingHands RAT. Once running, the RAT gives the operators remote control of the host, allowing them to steal data, stage additional malware, and disrupt operations. Because the malicious step is a link rather than document content, attachment scanning that only looks for exploit code or macros will not see it; extracting and reviewing the link targets is the useful triage step.
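For the link-based PDF lures just described, a first triage step is to pull every link target and risky action type out of an attachment before anyone clicks. The Python below is an added example, not code from the article or from any Silver Fox analysis; it builds a minimal, constructed PDF in memory (the URLs use the reserved example.invalid domain and are hypothetical) and scans it for /URI link actions and other action types that warrant attention.

```python
"""Extract link targets and risky action types from a PDF attachment.

Added example, not the article's code. The PDF bytes are constructed here for
the demonstration; the URLs are hypothetical (reserved example.invalid domain).
Limitation: this scans the raw file, so links inside compressed object streams
(FlateDecode) are not seen; decompress or use a full parser for those.
"""
import re

# /URI (literal string) with PDF backslash escapes, and /URI <hex string>.
URI_LITERAL_RE = re.compile(rb"/URI\s*\(((?:[^\\()]|\\.)*)\)", re.S)
URI_HEX_RE = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")
# Action types that execute something or reach out, beyond a plain link.
RISKY_ACTION_RE = re.compile(rb"/S\s*/(Launch|JavaScript|SubmitForm|GoToR|ImportData)\b")
# File extensions that make a link target worth flagging outright.
DROPPER_EXTS = (".exe", ".scr", ".msi", ".hta", ".js", ".vbs", ".lnk", ".zip", ".rar", ".7z")

# Constructed lure: two link annotations (one literal URI, one hex-encoded
# URI) plus a /Launch action object. Not a real Silver Fox sample.
_HEX_URL = b"http://example.invalid/update.exe".hex().encode()
CONSTRUCTED_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
    b"/Annots [4 0 R 5 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720] "
    b"/A << /S /URI /URI (http://example.invalid/invoice_\\(2025\\).exe) >> >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /Rect [72 650 300 670] "
    b"/A << /S /URI /URI <" + _HEX_URL + b"> >> >> endobj\n"
    b"6 0 obj << /Type /Action /S /Launch /F (cmd.exe) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


def _unescape_literal(raw: bytes) -> str:
    # PDF literal strings escape '(' ')' and '\' with a backslash.
    return re.sub(rb"\\(.)", rb"\1", raw).decode("latin-1")


def _decode_hex(raw: bytes) -> str:
    h = re.sub(rb"\s", b"", raw).decode("ascii")
    if len(h) % 2:          # PDF spec: a trailing odd digit is padded with 0
        h += "0"
    return bytes.fromhex(h).decode("latin-1")


def extract_uris(pdf: bytes):
    """All /URI targets in file order: literal strings first, then hex strings."""
    uris = [_unescape_literal(m) for m in URI_LITERAL_RE.findall(pdf)]
    uris += [_decode_hex(m) for m in URI_HEX_RE.findall(pdf)]
    return uris


def risky_actions(pdf: bytes):
    return sorted({m.decode("ascii") for m in RISKY_ACTION_RE.findall(pdf)})


def triage_pdf(pdf: bytes) -> dict:
    uris = extract_uris(pdf)
    flagged = [u for u in uris
               if u.lower().split("?", 1)[0].split("#", 1)[0].endswith(DROPPER_EXTS)]
    return {"uris": uris, "flagged": flagged, "actions": risky_actions(pdf)}


if __name__ == "__main__":
    for key, value in triage_pdf(CONSTRUCTED_PDF).items():
        print(f"{key}: {value}")
```

Any link target ending in an executable or archive extension, and any /Launch or /JavaScript action, should be enough to quarantine the attachment for analyst review; a clean result from this scan is not proof of safety, since the lure could also point at a landing page that serves the download only after a redirect.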

The move into Japan and Malaysia is a significant geographic expansion for Silver Fox. The motivation is not yet clear; analysts suggest the group may be diversifying its operations or pursuing specific industries in those countries. Its continued reliance on the HoldingHands RAT points to a deliberate strategy built around persistent remote access rather than one-off intrusions.

Technical Analysis and Ongoing Investigation

Technical analysis of the CAPI Backdoor and the HoldingHands RAT is ongoing. Researchers are working to understand the full capabilities of these malware strains, identify potential vulnerabilities, and develop effective countermeasures. Specifically, efforts are focused on:

The ECSA and CISA are collaborating with international partners to share intelligence and coordinate a global response to these threats. The ongoing investigation highlights the importance of information sharing and collaboration in the fight against cybercrime.

Summary of Developments – October 18, 2025

Today’s cybersecurity news is dominated by two key developments: the intensification of the CAPI Backdoor campaign targeting Russian businesses, and the expansion of operations by the Silver Fox threat group, now active in Japan and Malaysia. Both incidents underscore the ongoing sophistication of cyberattacks and the need for organizations to maintain a proactive and layered security posture. The focus remains on technical analysis, victim identification, and international collaboration to mitigate the immediate risks and prevent further attacks. The situation remains fluid, and further updates will be provided as more information becomes available.


Disclaimer: This blog post was automatically generated using AI technology based on news summaries. The information provided is for general informational purposes only and should not be considered as professional advice or an official statement. Facts and events mentioned have not been independently verified. Readers should conduct their own research before making any decisions based on this content. We do not guarantee the accuracy, completeness, or reliability of the information presented.