Experts at Positive Technologies have uncovered a new series of attacks by the CapFix threat group, spanning from late 2025 through March 2026. The threat actors used upgraded tools and compromised infrastructure, which they likely accessed by exploiting a critical vulnerability in the Roundcube Webmail client. An analysis of the group's attacks in autumn 2025 revealed that the criminals specifically targeted Russian companies in the industrial and aerospace sectors.
In December 2025, the Threat Intelligence department at the Positive Technologies Expert Security Center (PT ESC TI) detected a malicious campaign targeting Russian organizations. Researchers attributed this activity to the CapFix group, which relied on phishing emails as its primary attack vector. These emails contained PDF or HTML attachments with embedded links to download archives containing malicious payloads. The lures were primarily disguised as official messages from government agencies.
The investigation confirmed that during their attacks in autumn 2025, the group sent phishing emails to Russian companies in the industrial and aerospace sectors.
The attackers used compromised servers to send malicious files from seemingly trusted sources, which significantly enhanced the effectiveness of these attacks. Experts believe that the threat actors gained access to these servers by exploiting a critical vulnerability in the Roundcube Webmail client (CVE-2025-49113, CVSS score: 9.9).
In recent attacks, the group has deployed an upgraded version of the CapDoor malware. This tool serves as one of the stages in the infection chain, enabling the deployment of additional malicious modules (such as the SectopRAT remote access trojan) onto victim devices. The upgraded CapDoor features expanded capabilities: it can collect system information, capture screenshots, and download various file types upon receiving commands from operators.
The PT ESC specialists also found earlier samples of the malware that relied on cryptocurrency-themed lures during the delivery stage. In November 2025, over 10 such malware samples were uploaded to public sandboxes by users in Mexico, the U.S., the Netherlands, France, and other countries. Additionally, the researchers found phishing sites employing the ClickFix technique and masquerading as hotel booking services.