HelloNet campaign: a threat via the ViPNet update system
Essential information
- Published
- 16/07/2026 18:14
- Modified
- —
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- chinese apt dll sideloading hellobackdoor hellocleaner helloexecutor helloinjector hellonet helloproxy putty russia targeted rust backdoor ssh tunneling vipnet
- Related entities
- 3 indicators, 2 observables, 22 techniques (mitre), 5 malware
Description
An active APT campaign discovered in May 2026 exploits the ViPNet update system to deploy previously unknown tooling against large Russian organizations. Attackers achieve persistence through DLL sideloading, placing malicious wtsapi32.dll in ViPNet directories. The campaign employs multiple components: HelloInjector loader, HelloProxy for traffic proxying and payload delivery, HelloExecutor backdoor for command execution, HelloCleaner for log file sanitization, and HelloBackdoor written in Rust for file manipulation. Attackers conduct reconnaissance activities, establish SSH tunnels using renamed PuTTY utilities, and target government, energy, transport, education, logistics, and industrial sectors. Attribution points to an unknown Chinese-speaking APT group with low confidence based on strings referencing sina.com and Chinese package repositories.