Skip to content
Threat Feed
high advisory

HelloNet Campaign Uses ViPNet Update System for Malicious Module Delivery

An unknown sophisticated threat actor is leveraging DLL sideloading within the ViPNet update system to deploy a multi-stage malware suite, including HelloInjector, HelloProxy, HelloExecutor, HelloCleaner, and HelloBackdoor, to establish persistence, exfiltrate data, and maintain covert access to large Russian organizations in government, energy, and other critical sectors.

Since at least May 2026, a sophisticated and currently unattributed threat actor has been conducting the "HelloNet" campaign, targeting large Russian organizations across government, energy, transport, education, logistics, and industry sectors. The campaign is notable for its innovative use of the legitimate ViPNet update system, a software suite designed for secure network communication. Attackers exploit a DLL sideloading vulnerability within the ViPNet update component, itcsrvup64.exe, to load a malicious module named HelloInjector. This initial implant then facilitates the deployment of a sophisticated malware ecosystem, including HelloProxy for covert communication and proxying, HelloExecutor for reconnaissance, HelloCleaner for log evasion, and a Rust-based HelloBackdoor for file manipulation and persistent access. This campaign represents a significant threat due to its stealth, persistence mechanism, and targeting of critical infrastructure.

Attack Chain

  1. DLL Sideloading: The attackers place a malicious wtsapi32.dll file (dubbed HelloInjector) into the C:\Program Files (x86)\InfoTeCS\VIPNet Update System directory, exploiting a legitimate ViPNet software component.
  2. Persistence & Injection: The legitimate ViPNet update service executable, itcsrvup64.exe, loads the malicious wtsapi32.dll at operating system startup. HelloInjector then injects its code into an svchost.exe process (specifically one with netsvcs in its command line) using NtWriteVirtualMemory and NtCreateThreadEx.
  3. Loader Execution: Once injected, HelloInjector loads and executes the primary payload, HelloProxy, directly from its body into the memory of the svchost.exe process.
  4. Covert C2 & Proxying: HelloProxy establishes covert command and control (C2) communication by listening on ports 5003 and 5060. It intercepts NtDeviceIoControlFile, closesocket, and shutdown functions to evade security solutions, performs a specific handshake (0x0502 followed by ASDFASFSAFASDF), and acts as a hidden proxy and loader for subsequent malicious modules. It also logs incoming messages to C:\users\public\tesh4RPC.txt.
  5. Module Deployment & Reconnaissance: HelloProxy loads additional modules from the C2 server, including HelloExecutor, which executes reconnaissance commands such as query user, ipconfig /all, net user /do, and various dir commands to map the compromised network. Another module, HelloCleaner, is deployed to delete ViPNet software log files, covering the attackers' tracks.
  6. Data Exfiltration & Remote Access: The attackers deploy a renamed legitimate PuTTY executable, frontpage.exe, in C:\Users\Public\Music. This tool is used to establish an SSH tunnel to the C2 server 5.39.253[.]206 for data exfiltration and maintaining remote access. Additionally, a Rust-based HelloBackdoor is deployed, listening on port 443 for additional file system manipulation and command execution.

Impact

The HelloNet campaign primarily targets large Russian organizations across multiple critical sectors including government, energy, transport, education, logistics, and industry. Successful compromise results in persistent unauthorized access to victims' networks, enabling extensive reconnaissance, data exfiltration, and potential disruption of operations. The use of legitimate system components and sophisticated evasion techniques makes detection challenging, increasing the risk of prolonged dwell time and significant financial and operational damage to affected entities. The campaign has been active since at least May 2026.

Recommendation

  • Enable Sysmon file creation and process creation logging to activate the rules above.
  • Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect suspicious DLL sideloading and execution of renamed utilities.
  • Block the C2 IP 5.39.253[.]206 at the network perimeter.
  • Monitor file creation events for C:\Program Files (x86)\InfoTeCS\VIPNet Update System\wtsapi32.dll to detect HelloInjector deployment.
  • Monitor svchost.exe process memory for unusual injection activity using memory forensics tools.
  • Monitor for file creation at C:\users\public\tesh4RPC.txt which indicates HelloProxy logging activity.
  • Regularly review process creation logs for unusual executables, such as frontpage.exe in C:\Users\Public\Music, and command-line arguments indicative of SSH tunneling.
  • Conduct network traffic monitoring for outbound connections to 5.39.253[.]206 on any port, and for unusual traffic on ports 5003, 5060, and 443.

Detection coverage 3

Detect HelloNet Campaign - ViPNet DLL Sideloading (HelloInjector)

critical

Detects the creation of the malicious wtsapi32.dll (HelloInjector) in the ViPNet Update System directory, used for DLL sideloading.

sigma tactics: defense_evasion, persistence techniques: T1574.001 sources: file_event, windows

Detect HelloNet Campaign - HelloProxy Log File Creation

high

Detects the creation of the tesh4RPC.txt log file by the HelloProxy module, indicating active C2 communication logging.

sigma tactics: collection, impact sources: file_event, windows

Detect HelloNet Campaign - Renamed PuTTY Execution for SSH Tunnel

high

Detects the execution of a renamed PuTTY client (frontpage.exe) from the Public Music directory, used by HelloNet for SSH tunneling to the C2 server.

sigma tactics: command_and_control, exfiltration techniques: T1036.003, T1572 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →

Indicators of compromise

1

ip

TypeValue
ip5.39.253.206