HelloNet Campaign Exploits ViPNet Updates for Stealthy Network Intrusion
A new advanced persistent threat campaign, dubbed HelloNet, is leveraging the ViPNet update system to deploy sophisticated malware, targeting critical Russian organizations.

Security researchers have uncovered a new advanced persistent threat (APT) campaign, named HelloNet, which has been actively exploiting the ViPNet update system since at least May 2026. The campaign, which remains ongoing, has targeted large Russian organizations across the government, energy, transport, education, and logistics sectors. This marks a concerning trend, as threat actors have previously targeted ViPNet networks, including a complex backdoor discovered last year that mimicked ViPNet updates.
The attackers achieve persistence by placing a malicious DLL file, named wtsapi32.dll, within the ViPNet update system's directory. This enables a DLL sideloading technique, where the legitimate ViPNet update executable (itcsrvup64.exe), which runs at operating system startup, inadvertently loads the malicious code. This initial compromise allows the attackers to establish a foothold on the targeted systems.
Once loaded, the wtsapi32.dll component, identified as HelloInjector, acts as a loader. Its primary function is to inject its code into a legitimate svchost.exe process. The malware meticulously searches for a running svchost.exe process that is associated with netsvcs in its command line. Upon finding a suitable target, HelloInjector uses Windows API functions like NtWriteVirtualMemory and NtCreateThreadEx to inject itself into the chosen process, thereby camouflaging its malicious activity within a critical system process.
The injected payload, dubbed HelloProxy, serves a dual purpose as a hidden proxy and a loader for further malicious modules. It achieves stealth by intercepting key network functions, including NtDeviceIoControlFile, closesocket, and shutdown, utilizing the Microsoft Detours library. By preventing premature socket closures and intercepting network traffic control codes (AFD_RECV and AFD_GET_TDI_HANDLES), HelloProxy evades user-mode security solutions designed to filter network connections. All intercepted incoming messages are logged to a file for potential later analysis by the attackers.
After establishing a secure communication channel through a handshake process with its command and control (C2) servers, HelloProxy can operate in two modes. As a proxy, it forwards traffic between specified IP addresses and ports. More critically, as a loader, it can download and execute additional malicious payloads directly into the memory of the compromised svchost.exe process. This allows for dynamic deployment of custom tools tailored to the specific objectives of the attackers.
During their investigation, Kaspersky researchers identified two such payloads: HelloExecutor, a backdoor capable of executing arbitrary commands on the infected system, and HelloCleaner, a module designed to erase logs from the ViPNet software, further obscuring the attackers' presence. The HelloExecutor backdoor was observed executing reconnaissance commands, gathering information about users, network configurations, and system directories, particularly focusing on ViPNet installation paths.
The HelloNet campaign highlights the evolving tactics of APT groups, which are increasingly targeting software update mechanisms and leveraging legitimate system processes for stealthy and persistent intrusions. The use of custom loaders and proxies, combined with the ability to dynamically load modules, presents a significant challenge for detection and incident response. Kaspersky security solutions are capable of detecting and preventing infection attempts at all stages of this sophisticated attack.