{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/infotecs/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["ViPNet Update System"],"_cs_severities":["high"],"_cs_tags":["apt","dll-sideloading","persistence","proxy","c2","reconnaissance","data-exfiltration","russia","windows"],"_cs_type":"advisory","_cs_vendors":["InfoTeCS"],"content_html":"\u003cp\u003eSince at least May 2026, a sophisticated and currently unattributed threat actor has been conducting the \u0026quot;HelloNet\u0026quot; campaign, targeting large Russian organizations across government, energy, transport, education, logistics, and industry sectors. The campaign is notable for its innovative use of the legitimate ViPNet update system, a software suite designed for secure network communication. Attackers exploit a DLL sideloading vulnerability within the ViPNet update component, \u003ccode\u003eitcsrvup64.exe\u003c/code\u003e, to load a malicious module named HelloInjector. This initial implant then facilitates the deployment of a sophisticated malware ecosystem, including HelloProxy for covert communication and proxying, HelloExecutor for reconnaissance, HelloCleaner for log evasion, and a Rust-based HelloBackdoor for file manipulation and persistent access. This campaign represents a significant threat due to its stealth, persistence mechanism, and targeting of critical infrastructure.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eDLL Sideloading\u003c/strong\u003e: The attackers place a malicious \u003ccode\u003ewtsapi32.dll\u003c/code\u003e file (dubbed HelloInjector) into the \u003ccode\u003eC:\\Program Files (x86)\\InfoTeCS\\VIPNet Update System\u003c/code\u003e directory, exploiting a legitimate ViPNet software component.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence \u0026amp; Injection\u003c/strong\u003e: The legitimate ViPNet update service executable, \u003ccode\u003eitcsrvup64.exe\u003c/code\u003e, loads the malicious \u003ccode\u003ewtsapi32.dll\u003c/code\u003e at operating system startup. HelloInjector then injects its code into an \u003ccode\u003esvchost.exe\u003c/code\u003e process (specifically one with \u003ccode\u003enetsvcs\u003c/code\u003e in its command line) using \u003ccode\u003eNtWriteVirtualMemory\u003c/code\u003e and \u003ccode\u003eNtCreateThreadEx\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLoader Execution\u003c/strong\u003e: Once injected, HelloInjector loads and executes the primary payload, HelloProxy, directly from its body into the memory of the \u003ccode\u003esvchost.exe\u003c/code\u003e process.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCovert C2 \u0026amp; Proxying\u003c/strong\u003e: HelloProxy establishes covert command and control (C2) communication by listening on ports 5003 and 5060. It intercepts \u003ccode\u003eNtDeviceIoControlFile\u003c/code\u003e, \u003ccode\u003eclosesocket\u003c/code\u003e, and \u003ccode\u003eshutdown\u003c/code\u003e functions to evade security solutions, performs a specific handshake (0x0502 followed by \u003ccode\u003eASDFASFSAFASDF\u003c/code\u003e), and acts as a hidden proxy and loader for subsequent malicious modules. It also logs incoming messages to \u003ccode\u003eC:\\users\\public\\tesh4RPC.txt\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eModule Deployment \u0026amp; Reconnaissance\u003c/strong\u003e: HelloProxy loads additional modules from the C2 server, including HelloExecutor, which executes reconnaissance commands such as \u003ccode\u003equery user\u003c/code\u003e, \u003ccode\u003eipconfig /all\u003c/code\u003e, \u003ccode\u003enet user /do\u003c/code\u003e, and various \u003ccode\u003edir\u003c/code\u003e commands to map the compromised network. Another module, HelloCleaner, is deployed to delete ViPNet software log files, covering the attackers' tracks.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration \u0026amp; Remote Access\u003c/strong\u003e: The attackers deploy a renamed legitimate PuTTY executable, \u003ccode\u003efrontpage.exe\u003c/code\u003e, in \u003ccode\u003eC:\\Users\\Public\\Music\u003c/code\u003e. This tool is used to establish an SSH tunnel to the C2 server \u003ccode\u003e5.39.253[.]206\u003c/code\u003e for data exfiltration and maintaining remote access. Additionally, a Rust-based HelloBackdoor is deployed, listening on port 443 for additional file system manipulation and command execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe HelloNet campaign primarily targets large Russian organizations across multiple critical sectors including government, energy, transport, education, logistics, and industry. Successful compromise results in persistent unauthorized access to victims' networks, enabling extensive reconnaissance, data exfiltration, and potential disruption of operations. The use of legitimate system components and sophisticated evasion techniques makes detection challenging, increasing the risk of prolonged dwell time and significant financial and operational damage to affected entities. The campaign has been active since at least May 2026.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon file creation and process creation logging to activate the rules above.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment to detect suspicious DLL sideloading and execution of renamed utilities.\u003c/li\u003e\n\u003cli\u003eBlock the C2 IP \u003ccode\u003e5.39.253[.]206\u003c/code\u003e at the network perimeter.\u003c/li\u003e\n\u003cli\u003eMonitor file creation events for \u003ccode\u003eC:\\Program Files (x86)\\InfoTeCS\\VIPNet Update System\\wtsapi32.dll\u003c/code\u003e to detect HelloInjector deployment.\u003c/li\u003e\n\u003cli\u003eMonitor \u003ccode\u003esvchost.exe\u003c/code\u003e process memory for unusual injection activity using memory forensics tools.\u003c/li\u003e\n\u003cli\u003eMonitor for file creation at \u003ccode\u003eC:\\users\\public\\tesh4RPC.txt\u003c/code\u003e which indicates HelloProxy logging activity.\u003c/li\u003e\n\u003cli\u003eRegularly review process creation logs for unusual executables, such as \u003ccode\u003efrontpage.exe\u003c/code\u003e in \u003ccode\u003eC:\\Users\\Public\\Music\u003c/code\u003e, and command-line arguments indicative of SSH tunneling.\u003c/li\u003e\n\u003cli\u003eConduct network traffic monitoring for outbound connections to \u003ccode\u003e5.39.253[.]206\u003c/code\u003e on any port, and for unusual traffic on ports 5003, 5060, and 443.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-16T14:52:17Z","date_published":"2026-07-16T14:52:17Z","id":"https://feed.craftedsignal.io/briefs/2026-07-hellonet-vipnet/","summary":"An unknown sophisticated threat actor is leveraging DLL sideloading within the ViPNet update system to deploy a multi-stage malware suite, including HelloInjector, HelloProxy, HelloExecutor, HelloCleaner, and HelloBackdoor, to establish persistence, exfiltrate data, and maintain covert access to large Russian organizations in government, energy, and other critical sectors.","title":"HelloNet Campaign Uses ViPNet Update System for Malicious Module Delivery","url":"https://feed.craftedsignal.io/briefs/2026-07-hellonet-vipnet/"}],"language":"en","title":"CraftedSignal Threat Feed - InfoTeCS","version":"https://jsonfeed.org/version/1.1"}