ctipilot.ch

HelloNet toolkit

tool · tool:hellonet-malware-suite single-source

Multi-component malware suite used in the HelloNet campaign: HelloInjector (DLL-sideload loader that injects into svchost.exe), HelloProxy (traffic proxy/loader hooking AFD IOCTLs via Microsoft Detours), HelloExecutor (shell-command backdoor), HelloCleaner (ViPNet log eraser) and HelloBackdoor (Rust file-transfer backdoor on TCP/443) (Kaspersky Securelist/GReAT, 2026-07-16).

Aliases: HelloInjector, HelloProxy, HelloExecutor, HelloCleaner, HelloBackdoor

Coverage timeline
1
first 2026-07-17 → last 2026-07-17
Peak priority
notable
1 notable
Sources cited
1
1 hosts
Sections touched
1
research
Co-occurring entities
1
see Related entities below
ATT&CK techniques
8
pinned v19.1 · see below

Hunting pivots

Affected products
InfoTeCS ViPNet

ATT&CK techniques

8 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Execution TA0002

T1574.001Hijack Execution Flow: DLL×1

Adversaries may abuse dynamic-link library files (DLLs) in order to achieve persistence, escalate privileges, and evade defenses. DLLs are libraries that contain code and data that can be simultaneously utilized by multiple programs. While DLLs are not malicious by nature, they can be abused through mechanisms such as side-loading, hijacking search order, and phantom DLL hijacking.

Evidence: 2026-07-17/kaspersky-hellonet-vipnet-updater-sideload-afd-ioctl · ATT&CK page ↗

Privilege Escalation TA0004

T1055Process Injection×1

Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.

Evidence: 2026-07-17/kaspersky-hellonet-vipnet-updater-sideload-afd-ioctl · ATT&CK page ↗

Stealth TA0005

T1055Process Injection×1

Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.

Evidence: 2026-07-17/kaspersky-hellonet-vipnet-updater-sideload-afd-ioctl · ATT&CK page ↗

T1070Indicator Removal×1

Adversaries may selectively delete or modify artifacts generated to reduce indications of their presence and blend in with legitimate activity. Rather than broadly removing evidence, adversaries may target specific artifacts that appear anomalous or are likely to draw scrutiny, while leaving sufficient data intact to maintain the appearance of normal system behavior.

Evidence: 2026-07-17/kaspersky-hellonet-vipnet-updater-sideload-afd-ioctl · ATT&CK page ↗

T1574.001Hijack Execution Flow: DLL×1

Adversaries may abuse dynamic-link library files (DLLs) in order to achieve persistence, escalate privileges, and evade defenses. DLLs are libraries that contain code and data that can be simultaneously utilized by multiple programs. While DLLs are not malicious by nature, they can be abused through mechanisms such as side-loading, hijacking search order, and phantom DLL hijacking.

Evidence: 2026-07-17/kaspersky-hellonet-vipnet-updater-sideload-afd-ioctl · ATT&CK page ↗

Defense Impairment TA0112

T1685Disable or Modify Tools×1

Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping specific services, killing processes, modifying or deleting tool configuration files and Registry keys, or preventing tools from updating. This may also include impairing defenses more broadly by disrupting preventative, detection, and response mechanisms across host, network, and cloud environments.

Evidence: 2026-07-17/kaspersky-hellonet-vipnet-updater-sideload-afd-ioctl · ATT&CK page ↗

Discovery TA0007

T1082System Information Discovery×1

An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use this information to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. This behavior is distinct from Local Storage Discovery which is an adversary's discovery of local drive, disks and/or volumes.

Evidence: 2026-07-17/kaspersky-hellonet-vipnet-updater-sideload-afd-ioctl · ATT&CK page ↗

T1087.002Account Discovery: Domain Account×1

Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges.

Evidence: 2026-07-17/kaspersky-hellonet-vipnet-updater-sideload-afd-ioctl · ATT&CK page ↗

Command and Control TA0011

T1105Ingress Tool Transfer×1

Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp. Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer).

Evidence: 2026-07-17/kaspersky-hellonet-vipnet-updater-sideload-afd-ioctl · ATT&CK page ↗

T1572Protocol Tunneling×1

Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. Tunneling involves explicitly encapsulating a protocol within another. This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN). Tunneling could also enable routing of network packets that would otherwise not reach their intended destination, such as SMB, RDP, or other traffic that would be filtered by network appliances or not routed over the Internet.

Evidence: 2026-07-17/kaspersky-hellonet-vipnet-updater-sideload-afd-ioctl · ATT&CK page ↗

Story timeline

  1. 2026-07-17Kaspersky: the HelloNet campaign blinds user-mode security tools by hooking raw AFD IOCTLs, persisting via DLL-sideload into a secure-network product's own auto-updater
    researchHelloNet chains trusted-updater DLL sideloading with raw AFD-IOCTL interception to hide network C2 from user-mode EDR

Relationships explore in graph

Typed, source-stated connections from the entity registry — each edge cites the entry whose reporting establishes it.

used by

Where this entity is cited

  • research1

Source distribution

  • securelist.com1 (100%)

Co-occurring entities

Derived — referenced by the same focused operational entries (weekly summaries and report roundups don't count); ×N counts the shared entries.

Entries about HelloNet toolkit (1)

2026-07-17 · view entry permalink →

NOTABLENATOB2

Kaspersky: the HelloNet campaign blinds user-mode security tools by hooking raw AFD IOCTLs, persisting via DLL-sideload into a secure-network product's own auto-updater

Kaspersky's GReAT team detailed "HelloNet," an APT campaign (active since at least May 2026) that abuses the update mechanism of ViPNet — a Russian GOST-certified secure-networking suite — to persist inside targeted Russian government, energy, transport, education, logistics and industrial organizations (Kaspersky Securelist, 2026-07-16). The attackers drop a malicious wtsapi32.dll into the ViPNet update directory that the OS-start-launched updater itcsrvup64.exe sideloads. That loader ("HelloInjector") injects a second stage ("HelloProxy") into svchost.exe — but only after verifying the target's name is svchost.exe and its command line carries netsvcs. HelloProxy's distinguishing move is defense evasion at the socket layer: it uses the Microsoft Detours library to hook NtDeviceIoControlFile, closesocket and shutdown, intercepting the raw AFD IOCTL codes AFD_RECV (0x12017) and AFD_GET_TDI_HANDLES (0x12037) so that, in Kaspersky's words, it can "hinder security solutions operating in user mode for filtering network connections." It then acts as a traffic proxy or in-memory loader for further modules — recovered examples include "HelloExecutor" (shell-command execution) and "HelloCleaner" (deletes ViPNet log files to hide activity) — and on one host the operators opened an SSH reverse tunnel using a legitimate Plink binary renamed frontpage.exe.

By placing the file in this directory, the attackers implement the DLL Sideloading technique — the ViPNet update system executable file itcsrvup64.exe, which is launched at OS startup, is susceptible to it.

These codes are used during socket operations — their interception allows the malware to hinder security solutions operating in user mode for filtering network connections.

At present, we link this campaign to the activities of an unknown Chinese-speaking APT group with a low degree of confidence.

Kaspersky Securelist (GReAT) 2026-07-16
research17 Jul 04:35Zsingle-sourceOpen finding ↗