ctipilot.ch
← Back to the live brief
NOTABLENATOB2research

Kaspersky: the HelloNet campaign blinds user-mode security tools by hooking raw AFD IOCTLs, persisting via DLL-sideload into a secure-network product's own auto-updater

discovered 2026-07-17 04:35 UTCrun 2026-07-17T0409Z-intel1 sourcesingle-source

Kaspersky's GReAT team detailed "HelloNet," an APT campaign (active since at least May 2026) that abuses the update mechanism of ViPNet — a Russian GOST-certified secure-networking suite — to persist inside targeted Russian government, energy, transport, education, logistics and industrial organizations (Kaspersky Securelist, 2026-07-16). The attackers drop a malicious wtsapi32.dll into the ViPNet update directory that the OS-start-launched updater itcsrvup64.exe sideloads. That loader ("HelloInjector") injects a second stage ("HelloProxy") into svchost.exe — but only after verifying the target's name is svchost.exe and its command line carries netsvcs. HelloProxy's distinguishing move is defense evasion at the socket layer: it uses the Microsoft Detours library to hook NtDeviceIoControlFile, closesocket and shutdown, intercepting the raw AFD IOCTL codes AFD_RECV (0x12017) and AFD_GET_TDI_HANDLES (0x12037) so that, in Kaspersky's words, it can "hinder security solutions operating in user mode for filtering network connections." It then acts as a traffic proxy or in-memory loader for further modules — recovered examples include "HelloExecutor" (shell-command execution) and "HelloCleaner" (deletes ViPNet log files to hide activity) — and on one host the operators opened an SSH reverse tunnel using a legitimate Plink binary renamed frontpage.exe.

By placing the file in this directory, the attackers implement the DLL Sideloading technique — the ViPNet update system executable file itcsrvup64.exe, which is launched at OS startup, is susceptible to it.

These codes are used during socket operations — their interception allows the malware to hinder security solutions operating in user mode for filtering network connections.

At present, we link this campaign to the activities of an unknown Chinese-speaking APT group with a low degree of confidence.

Kaspersky Securelist (GReAT) 2026-07-16

ATT&CK mapping

8 techniques mapped from the cited reporting · MITRE ATT&CK v19.1

Execution TA0002
T1574.001Hijack Execution Flow: DLL

Adversaries may abuse dynamic-link library files (DLLs) in order to achieve persistence, escalate privileges, and evade defenses. DLLs are libraries that contain code and data that can be simultaneously utilized by multiple programs. While DLLs are not malicious by nature, they can be abused through mechanisms such as side-loading, hijacking search order, and phantom DLL hijacking.

overlap matrix · ATT&CK page ↗

Privilege Escalation TA0004
T1055Process Injection

Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.

overlap matrix · ATT&CK page ↗

Stealth TA0005
T1055Process Injection

Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.

overlap matrix · ATT&CK page ↗

T1070Indicator Removal

Adversaries may selectively delete or modify artifacts generated to reduce indications of their presence and blend in with legitimate activity. Rather than broadly removing evidence, adversaries may target specific artifacts that appear anomalous or are likely to draw scrutiny, while leaving sufficient data intact to maintain the appearance of normal system behavior.

overlap matrix · ATT&CK page ↗

T1574.001Hijack Execution Flow: DLL

Adversaries may abuse dynamic-link library files (DLLs) in order to achieve persistence, escalate privileges, and evade defenses. DLLs are libraries that contain code and data that can be simultaneously utilized by multiple programs. While DLLs are not malicious by nature, they can be abused through mechanisms such as side-loading, hijacking search order, and phantom DLL hijacking.

overlap matrix · ATT&CK page ↗

Defense Impairment TA0112
T1685Disable or Modify Tools

Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping specific services, killing processes, modifying or deleting tool configuration files and Registry keys, or preventing tools from updating. This may also include impairing defenses more broadly by disrupting preventative, detection, and response mechanisms across host, network, and cloud environments.

overlap matrix · ATT&CK page ↗

Discovery TA0007
T1082System Information Discovery

An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use this information to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. This behavior is distinct from Local Storage Discovery which is an adversary's discovery of local drive, disks and/or volumes.

overlap matrix · ATT&CK page ↗

T1087.002Account Discovery: Domain Account

Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges.

overlap matrix · ATT&CK page ↗

Command and Control TA0011
T1105Ingress Tool Transfer

Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp. Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer).

overlap matrix · ATT&CK page ↗

T1572Protocol Tunneling

Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. Tunneling involves explicitly encapsulating a protocol within another. This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN). Tunneling could also enable routing of network packets that would otherwise not reach their intended destination, such as SMB, RDP, or other traffic that would be filtered by network appliances or not routed over the Internet.

overlap matrix · ATT&CK page ↗

PROVENANCE

AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.