{
  "name": "Sophisticated backdoor mimicking secure networking software updates",
  "slug": "sophisticated-backdoor-mimicking-secure-networking-software-updates",
  "description": "A backdoor targeting Russian organizations in the government, finance, and industry sectors was discovered masquerading as updates for the ViPNet secure networking software. The malware is distributed in LZH archives and relies on a path substitution technique so that a malicious loader is executed in place of the expected component; the loader then deploys a versatile backdoor. Once running, the backdoor can connect to a C2 server, exfiltrate files, and launch additional malicious components. The only detection name recorded here (HEUR:Trojan.Win32.Loader.gen) is a heuristic verdict, not a family attribution, so defenders should rely on the referenced reports for indicators rather than on that name alone. The campaign illustrates that update packages for security software are themselves a supply-chain attack surface: update archives should be validated against the vendor's official distribution channel and signatures, and their execution monitored, rather than trusted on the strength of a familiar product name, as part of a multi-layered defense.",
  "published": "2025-04-22T16:02:37+00:00",
  "created_at": "2025-04-22T16:02:37+00:00",
  "modified_at": "2025-04-22T20:50:33+00:00",
  "created_at_opencti": "2025-04-22T16:02:37+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-04-22",
    "apt",
    "backdoor",
    "c2 server",
    "heur:trojan.win32.loader.gen",
    "path substitution",
    "payload",
    "russia",
    "secure networking",
    "software updates",
    "targeted attack",
    "vipnet"
  ],
  "related_entities": {
    "malware": [
      {
        "id": "cef5f68c-cce1-49bf-a01b-57800c05ac67",
        "name": "HEUR:Trojan.Win32.Loader.gen",
        "slug": "heurtrojanwin32loadergen"
      }
    ],
    "attack_patterns": [
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "7d7ac733-6442-416f-8669-c302dd0843b9",
        "name": "T1036"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Russian Federation"
      },
      {
        "id": "",
        "name": "Finance"
      },
      {
        "id": "",
        "name": "Government"
      }
    ]
  },
  "external_refs": [
    "https://securelist.com/new-backdoor-mimics-security-software-update/116246/",
    "https://otx.alienvault.com/pulse/6807d9bd776ee82a5a8a7112"
  ]
}