The CapFix hacking group has conducted a series of targeted attacks on Russian industrial and aircraft manufacturing companies. The attackers sent phishing emails with PDF and HTML attachments disguised as documents from the FSB, the Ministry of Defense, and other government agencies. The attacks were documented by Positive Technologies researchers.
The attachments contained links to archives carrying the CapDoor backdoor. The malware got onto the host through a multi-stage DLL sideloading chain, hid its presence, profiled the infected machine, and beaconed to its command-and-control (C2) server every two minutes over a ChaCha20-encrypted channel. On the operator's command, CapDoor took screenshots, ran PowerShell scripts, and downloaded additional modules, in particular the SectopRAT trojan.
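Because the C2 channel is encrypted, payload inspection will not reveal the implant; what remains observable on the network is the fixed two-minute cadence. The script below is an added example, not code from the article or from Positive Technologies, showing how to flag such regular beaconing in proxy or firewall connection logs. The log format, host name and IP addresses are constructed for the demonstration, and the 10 % jitter tolerance and five-hit minimum are assumed thresholds, not values from the report.

```python
"""Flag fixed-interval C2 beaconing in connection logs.

Added example (not from the original article). The log lines, the host
"ws-17" and the destination addresses are constructed; the thresholds
(min_hits, max_jitter) are assumptions to be tuned per environment.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <src host> <dst host>:<port>".
# 198.51.100.23 is hit every ~120 s (beacon-like); 203.0.113.5 is irregular.
SAMPLE_LOG = """\
2025-06-10T09:00:02 ws-17 198.51.100.23:443
2025-06-10T09:00:40 ws-17 203.0.113.5:443
2025-06-10T09:02:01 ws-17 198.51.100.23:443
2025-06-10T09:02:55 ws-17 203.0.113.5:443
2025-06-10T09:04:03 ws-17 198.51.100.23:443
2025-06-10T09:06:02 ws-17 198.51.100.23:443
2025-06-10T09:06:10 ws-17 203.0.113.5:443
2025-06-10T09:08:01 ws-17 198.51.100.23:443
2025-06-10T09:10:02 ws-17 198.51.100.23:443
2025-06-10T09:11:47 ws-17 203.0.113.5:443
"""


def parse_log(text):
    """Group connection timestamps by (source host, destination) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def beacon_candidates(flows, min_hits=5, max_jitter=0.10):
    """Return (src, dst, mean_interval_seconds) for pairs whose inter-arrival
    times are nearly constant.

    A pair qualifies when it has at least min_hits connections and the
    coefficient of variation (stdev / mean) of the gaps is <= max_jitter.
    Real implants often add jitter, so max_jitter must not be set too tight.
    """
    results = []
    for (src, dst), times in flows.items():
        if len(times) < min_hits:
            continue
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            results.append((src, dst, round(avg)))
    return results


if __name__ == "__main__":
    for src, dst, interval in beacon_candidates(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {src} -> {dst} every ~{interval} s")
```

On the constructed log this reports only the 198.51.100.23 flow at a ~120 s interval; the irregular destination has too few hits and too much variance. Legitimate software (update checks, telemetry, NTP) also beacons on schedules, so treat a hit as a lead to be correlated with the destination's reputation and the originating process, not as a verdict.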
The group is believed to have gained its initial foothold by exploiting CVE-2025-49113 in the Roundcube Webmail client, a vulnerability rated critical (CVSS 9.9 out of 10). It is a post-authentication remote code execution flaw, fixed in Roundcube 1.5.10 and 1.6.11, so the attackers would first have needed valid webmail credentials.
Positive Technologies warns that CapFix is not finished: researchers have already identified four new domains belonging to the group, not yet active but evidently staged for the next wave of attacks. Organizations are urged to update Roundcube Webmail without delay and to harden the protection of corporate mail.