Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

HelloNet campaign: a threat via the ViPNet update system

0
Medium
Published: 07/16/2026 (07/16/2026, 16:14:59 UTC)
Source: AlienVault OTX General

Description

The HelloNet campaign is an active APT operation discovered in May 2026 that exploits the ViPNet update system to deploy previously unknown malware against large Russian organizations. Attackers achieve persistence via DLL sideloading by placing a malicious wtsapi32.dll in ViPNet directories. The campaign uses multiple components including loaders, proxies, backdoors, and log cleaners, and establishes SSH tunnels using renamed PuTTY utilities. Targets include government, energy, transport, education, logistics, and industrial sectors in Russia. Attribution to a Chinese-speaking APT group is low confidence and based on indirect string references.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/17/2026, 00:49:19 UTC

Technical Analysis

This threat involves a sophisticated APT campaign leveraging the ViPNet update system to deliver a multi-component malware suite. Persistence is maintained through DLL sideloading of a malicious wtsapi32.dll within ViPNet directories. The malware suite includes HelloInjector (loader), HelloProxy (traffic proxy and payload delivery), HelloExecutor (command execution backdoor), HelloCleaner (log sanitization), and HelloBackdoor (Rust-based file manipulation). The attackers conduct reconnaissance, establish SSH tunnels with renamed PuTTY tools, and focus on critical sectors in Russia. Attribution is uncertain but suggests a Chinese-speaking group based on embedded strings. No CVE or patch information is available, and no known exploits in the wild have been confirmed.

Potential Impact

The campaign enables attackers to maintain persistent access and execute arbitrary commands on compromised systems within critical Russian sectors, potentially leading to espionage, data manipulation, or disruption of operations. The use of DLL sideloading and multiple modular components increases stealth and operational flexibility. The presence of log cleaning tools indicates efforts to evade detection and forensic analysis.

Mitigation Recommendations

No official patch or remediation guidance is currently available for this threat. Organizations using ViPNet should monitor for indicators of compromise such as the presence of malicious wtsapi32.dll files in ViPNet directories and unusual SSH tunnels using renamed PuTTY utilities. Incident response should focus on detection and removal of the HelloNet malware components. Patch status is not yet confirmed — check vendor advisories for updates.

Affected Countries

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Author
AlienVault
Tlp
white
References
["https://securelist.com/tr/hellonet-vipnet/120700/"]
Adversary
null
Pulse Id
6a5903832a32a07a14de0d86
Threat Score
null

Indicators of Compromise

Hash

ValueDescriptionCopy
hash0cfdffc56f0fa325d0c4d24780b46597
hash16c211c96735f2fae9361b89bd7a31bf
hash1bfe2b9493128574907a8279256a8bcc
hash41c938b3cd7e55d4077e34976929b140
hash6001829a128fe264b4403138700c11a8
hash9f5606a0755bc633b9bd7db6d179c09e
hashb103cd21280b4061f88b2bcc51394894
hashee4ff46ddd8489e81447962f927bc3f6
hashf9eed2f0158dc98e7012fb809152209c
hash686292c07e33c4a5ca456db446bb71fb9fc67a81
hashffdc194775b2904564bbbd1cf0eb01d1a01f83ef5197d1612b6e2d69de7a4732

Ip

ValueDescriptionCopy
ip176.32.34.135
ip5.39.253.206

Threat ID: 6a59782068715ace4305c166

Added to database: 07/17/2026, 00:32:32 UTC

Last enriched: 07/17/2026, 00:49:19 UTC

Last updated: 07/17/2026, 01:45:13 UTC

Views: 4

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

External Links

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses