<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>InfoTeCS - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/infotecs/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 16 Jul 2026 14:52:17 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/infotecs/feed.xml" rel="self" type="application/rss+xml"/><item><title>HelloNet Campaign Uses ViPNet Update System for Malicious Module Delivery</title><link>https://feed.craftedsignal.io/briefs/2026-07-hellonet-vipnet/</link><pubDate>Thu, 16 Jul 2026 14:52:17 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-hellonet-vipnet/</guid><description>An unknown sophisticated threat actor is leveraging DLL sideloading within the ViPNet update system to deploy a multi-stage malware suite, including HelloInjector, HelloProxy, HelloExecutor, HelloCleaner, and HelloBackdoor, to establish persistence, exfiltrate data, and maintain covert access to large Russian organizations in government, energy, and other critical sectors.</description><content:encoded><![CDATA[<p>Since at least May 2026, a sophisticated and currently unattributed threat actor has been conducting the &quot;HelloNet&quot; campaign, targeting large Russian organizations across government, energy, transport, education, logistics, and industry sectors. The campaign is notable for its innovative use of the legitimate ViPNet update system, a software suite designed for secure network communication. Attackers exploit a DLL sideloading vulnerability within the ViPNet update component, <code>itcsrvup64.exe</code>, to load a malicious module named HelloInjector. This initial implant then facilitates the deployment of a sophisticated malware ecosystem, including HelloProxy for covert communication and proxying, HelloExecutor for reconnaissance, HelloCleaner for log evasion, and a Rust-based HelloBackdoor for file manipulation and persistent access. This campaign represents a significant threat due to its stealth, persistence mechanism, and targeting of critical infrastructure.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>DLL Sideloading</strong>: The attackers place a malicious <code>wtsapi32.dll</code> file (dubbed HelloInjector) into the <code>C:\Program Files (x86)\InfoTeCS\VIPNet Update System</code> directory, exploiting a legitimate ViPNet software component.</li>
<li><strong>Persistence &amp; Injection</strong>: The legitimate ViPNet update service executable, <code>itcsrvup64.exe</code>, loads the malicious <code>wtsapi32.dll</code> at operating system startup. HelloInjector then injects its code into an <code>svchost.exe</code> process (specifically one with <code>netsvcs</code> in its command line) using <code>NtWriteVirtualMemory</code> and <code>NtCreateThreadEx</code>.</li>
<li><strong>Loader Execution</strong>: Once injected, HelloInjector loads and executes the primary payload, HelloProxy, directly from its body into the memory of the <code>svchost.exe</code> process.</li>
<li><strong>Covert C2 &amp; Proxying</strong>: HelloProxy establishes covert command and control (C2) communication by listening on ports 5003 and 5060. It intercepts <code>NtDeviceIoControlFile</code>, <code>closesocket</code>, and <code>shutdown</code> functions to evade security solutions, performs a specific handshake (0x0502 followed by <code>ASDFASFSAFASDF</code>), and acts as a hidden proxy and loader for subsequent malicious modules. It also logs incoming messages to <code>C:\users\public\tesh4RPC.txt</code>.</li>
<li><strong>Module Deployment &amp; Reconnaissance</strong>: HelloProxy loads additional modules from the C2 server, including HelloExecutor, which executes reconnaissance commands such as <code>query user</code>, <code>ipconfig /all</code>, <code>net user /do</code>, and various <code>dir</code> commands to map the compromised network. Another module, HelloCleaner, is deployed to delete ViPNet software log files, covering the attackers' tracks.</li>
<li><strong>Data Exfiltration &amp; Remote Access</strong>: The attackers deploy a renamed legitimate PuTTY executable, <code>frontpage.exe</code>, in <code>C:\Users\Public\Music</code>. This tool is used to establish an SSH tunnel to the C2 server <code>5.39.253[.]206</code> for data exfiltration and maintaining remote access. Additionally, a Rust-based HelloBackdoor is deployed, listening on port 443 for additional file system manipulation and command execution.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The HelloNet campaign primarily targets large Russian organizations across multiple critical sectors including government, energy, transport, education, logistics, and industry. Successful compromise results in persistent unauthorized access to victims' networks, enabling extensive reconnaissance, data exfiltration, and potential disruption of operations. The use of legitimate system components and sophisticated evasion techniques makes detection challenging, increasing the risk of prolonged dwell time and significant financial and operational damage to affected entities. The campaign has been active since at least May 2026.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable Sysmon file creation and process creation logging to activate the rules above.</li>
<li>Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect suspicious DLL sideloading and execution of renamed utilities.</li>
<li>Block the C2 IP <code>5.39.253[.]206</code> at the network perimeter.</li>
<li>Monitor file creation events for <code>C:\Program Files (x86)\InfoTeCS\VIPNet Update System\wtsapi32.dll</code> to detect HelloInjector deployment.</li>
<li>Monitor <code>svchost.exe</code> process memory for unusual injection activity using memory forensics tools.</li>
<li>Monitor for file creation at <code>C:\users\public\tesh4RPC.txt</code> which indicates HelloProxy logging activity.</li>
<li>Regularly review process creation logs for unusual executables, such as <code>frontpage.exe</code> in <code>C:\Users\Public\Music</code>, and command-line arguments indicative of SSH tunneling.</li>
<li>Conduct network traffic monitoring for outbound connections to <code>5.39.253[.]206</code> on any port, and for unusual traffic on ports 5003, 5060, and 443.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>apt</category><category>dll-sideloading</category><category>persistence</category><category>proxy</category><category>c2</category><category>reconnaissance</category><category>data-exfiltration</category><category>russia</category><category>windows</category></item></channel></rss>