216.73.216.197

HelloNet campaign: a threat via the ViPNet update system

· Published 16/07/2026 18:14

Export JSON

Essential information

Published
16/07/2026 18:14
Modified
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
chinese apt dll sideloading hellobackdoor hellocleaner helloexecutor helloinjector hellonet helloproxy putty russia targeted rust backdoor ssh tunneling vipnet
Related entities
3 indicators, 2 observables, 22 techniques (mitre), 5 malware

Description

An active APT campaign discovered in May 2026 exploits the update system to deploy previously unknown tooling against large Russian organizations. Attackers achieve persistence through , placing malicious wtsapi32.dll in directories. The campaign employs multiple components: HelloInjector loader, HelloProxy for traffic proxying and payload delivery, HelloExecutor backdoor for command execution, HelloCleaner for log file sanitization, and HelloBackdoor written in Rust for file manipulation. Attackers conduct reconnaissance activities, establish SSH tunnels using renamed utilities, and target government, energy, transport, education, logistics, and industrial sectors. Attribution points to an unknown Chinese-speaking APT group with low confidence based on strings referencing sina.com and Chinese package repositories.

External references