Hackers Abuse ViPNet Updates to Target Russian Agencies
🔍 Researchers at Kaspersky say an advanced threat actor, tracked as HelloNet, has abused the ViPNet update mechanism since at least May to deliver a loader and proxy targeting Russian organizations, including government agencies. Attackers dropped a malicious DLL (wtsapi32.dll, "HelloInjector") into the local ViPNet Update System to be sideloaded by the legitimate updater, gaining persistence and elevated privileges. The campaign delivers additional modules—HelloProxy, HelloExecutor, HelloCleaner, and a Rust-based HelloBackdoor—enabling command execution, file transfer, reconnaissance, and log removal. Kaspersky assigns low-confidence attribution to a Chinese-speaking APT and recommends close monitoring of systems running ViPNet, especially traffic on ports 5003, 5060, and 443.