HelloNet Campaign Uses ViPNet Update System for Malicious Module Delivery
An unknown sophisticated threat actor is leveraging DLL sideloading within the ViPNet update system to deploy a multi-stage malware suite, including HelloInjector, HelloProxy, HelloExecutor, HelloCleaner, and HelloBackdoor, to establish persistence, exfiltrate data, and maintain covert access to large Russian organizations in government, energy, and other critical sectors.
Since at least May 2026, a sophisticated and currently unattributed threat actor has been conducting the "HelloNet" campaign, targeting large Russian organizations across government, energy, transport, education, logistics, and industry sectors. The campaign is notable for its innovative use of the legitimate ViPNet update system, a software suite designed for secure network communication. Attackers exploit a DLL sideloading vulnerability within the ViPNet update component, itcsrvup64.exe, to load a malicious module named HelloInjector. This initial implant then facilitates the deployment of a sophisticated malware ecosystem, including HelloProxy for covert communication and proxying, HelloExecutor for reconnaissance, HelloCleaner for log evasion, and a Rust-based HelloBackdoor for file manipulation and persistent access. This campaign represents a significant threat due to its stealth, persistence mechanism, and targeting of critical infrastructure.
Attack Chain
- DLL Sideloading: The attackers place a malicious
wtsapi32.dllfile (dubbed HelloInjector) into theC:\Program Files (x86)\InfoTeCS\VIPNet Update Systemdirectory, exploiting a legitimate ViPNet software component. - Persistence & Injection: The legitimate ViPNet update service executable,
itcsrvup64.exe, loads the maliciouswtsapi32.dllat operating system startup. HelloInjector then injects its code into ansvchost.exeprocess (specifically one withnetsvcsin its command line) usingNtWriteVirtualMemoryandNtCreateThreadEx. - Loader Execution: Once injected, HelloInjector loads and executes the primary payload, HelloProxy, directly from its body into the memory of the
svchost.exeprocess. - Covert C2 & Proxying: HelloProxy establishes covert command and control (C2) communication by listening on ports 5003 and 5060. It intercepts
NtDeviceIoControlFile,closesocket, andshutdownfunctions to evade security solutions, performs a specific handshake (0x0502 followed byASDFASFSAFASDF), and acts as a hidden proxy and loader for subsequent malicious modules. It also logs incoming messages toC:\users\public\tesh4RPC.txt. - Module Deployment & Reconnaissance: HelloProxy loads additional modules from the C2 server, including HelloExecutor, which executes reconnaissance commands such as
query user,ipconfig /all,net user /do, and variousdircommands to map the compromised network. Another module, HelloCleaner, is deployed to delete ViPNet software log files, covering the attackers' tracks. - Data Exfiltration & Remote Access: The attackers deploy a renamed legitimate PuTTY executable,
frontpage.exe, inC:\Users\Public\Music. This tool is used to establish an SSH tunnel to the C2 server5.39.253[.]206for data exfiltration and maintaining remote access. Additionally, a Rust-based HelloBackdoor is deployed, listening on port 443 for additional file system manipulation and command execution.
Impact
The HelloNet campaign primarily targets large Russian organizations across multiple critical sectors including government, energy, transport, education, logistics, and industry. Successful compromise results in persistent unauthorized access to victims' networks, enabling extensive reconnaissance, data exfiltration, and potential disruption of operations. The use of legitimate system components and sophisticated evasion techniques makes detection challenging, increasing the risk of prolonged dwell time and significant financial and operational damage to affected entities. The campaign has been active since at least May 2026.
Recommendation
- Enable Sysmon file creation and process creation logging to activate the rules above.
- Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect suspicious DLL sideloading and execution of renamed utilities.
- Block the C2 IP
5.39.253[.]206at the network perimeter. - Monitor file creation events for
C:\Program Files (x86)\InfoTeCS\VIPNet Update System\wtsapi32.dllto detect HelloInjector deployment. - Monitor
svchost.exeprocess memory for unusual injection activity using memory forensics tools. - Monitor for file creation at
C:\users\public\tesh4RPC.txtwhich indicates HelloProxy logging activity. - Regularly review process creation logs for unusual executables, such as
frontpage.exeinC:\Users\Public\Music, and command-line arguments indicative of SSH tunneling. - Conduct network traffic monitoring for outbound connections to
5.39.253[.]206on any port, and for unusual traffic on ports 5003, 5060, and 443.
Detection coverage 3
Detect HelloNet Campaign - ViPNet DLL Sideloading (HelloInjector)
criticalDetects the creation of the malicious wtsapi32.dll (HelloInjector) in the ViPNet Update System directory, used for DLL sideloading.
Detect HelloNet Campaign - HelloProxy Log File Creation
highDetects the creation of the tesh4RPC.txt log file by the HelloProxy module, indicating active C2 communication logging.
Detect HelloNet Campaign - Renamed PuTTY Execution for SSH Tunnel
highDetects the execution of a renamed PuTTY client (frontpage.exe) from the Public Music directory, used by HelloNet for SSH tunneling to the C2 server.
Detection queries are available on the platform. Get full rules →
Indicators of compromise
1
ip
| Type | Value |
|---|---|
| ip | 5.39.253.206 |