An unidentified advanced threat group is planting custom malware inside large Russian organizations by abusing the update mechanism of ViPNet, a widely used Russian secure-networking product, according to researchers at Kaspersky. The activity, which Kaspersky tracks as the HelloNet campaign, started no later than May 2026 and was still running when the findings were published.
Who is affected
Kaspersky says it saw targeted infection attempts against major Russian entities spanning the government, energy, transport, education, logistics, and industrial sectors. It is not the first time a sophisticated actor has gone after machines connected to Russian ViPNet networks; the same researchers previously documented a separate backdoor that impersonated ViPNet updates.
How the attack works
The attackers gain persistence through DLL sideloading, a technique in which a trusted program is tricked into loading a malicious library placed next to it. They dropped a rogue file named wtsapi32.dll into the ViPNet update directory, where the legitimate update service itcsrvup64.exe, launched at startup, loads it automatically. That loader, dubbed HelloInjector, injects itself into the Windows svchost.exe process and runs a hidden module called HelloProxy. HelloProxy hooks low-level networking functions to frustrate user-mode security tools, opens a covert proxy, and pulls down further payloads: HelloExecutor, used to run reconnaissance commands, and HelloCleaner, which wipes ViPNet log files to hide the intrusion. On one system the team also found a Rust-based backdoor, HelloBackdoor, waiting for connections on port 443. To move data out, the operators tunneled traffic through a renamed copy of the legitimate PuTTY tool to a remote server.
Attribution
Kaspersky has not tied HelloNet to a named state or group. Reusing a trusted software update path to reach isolated, security-conscious networks is a hallmark of well-resourced espionage operators rather than commodity crime.
What you should do
Organizations running ViPNet should inspect the update directory for unexpected DLLs, watch for the reconnaissance commands and the SSH tunneling described above, and hunt for the indicators below.
Indicators of compromise (defanged)
- C2 server: 5[.]39[.]253[.]206 (SSH tunnel on port 3522)
- Additional C2: 176[.]32[.]34[.]135
- HelloInjector loader wtsapi32.dll, MD5 16c211c96735f2fae9361b89bd7a31bf
- Activity log dropped at C:\users\public\tesh4RPC.txt
The campaign fits a broader pattern of attackers abusing trusted software distribution to slip past defenses, seen recently in a supply chain compromise of widely used npm packages.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.