Networking Software Updates

A sophisticated backdoor targeting various large Russian organizations across government, finance, and industrial sectors has been uncovered during a cybersecurity investigation in April 2025.

The malware, which masquerades as legitimate updates for ViPNet secure networking software, enables attackers to steal sensitive data and deploy additional malicious components to compromised systems.

Advanced Threat Landscape

The backdoor specifically targets computers connected to ViPNet networks, a popular software suite used for creating secure networks in Russia.


Cybersecurity experts have determined that the malware is distributed inside LZH archives structured to mimic legitimate ViPNet updates, containing a mix of legitimate and malicious files.

“This attack demonstrates the increasing sophistication of threat actors who exploit trusted software update mechanisms,” said a senior cybersecurity analyst familiar with the investigation.

The malicious archives contain several components: an action.inf text file, a legitimate lumpdiag.exe executable, a malicious msinfo32.exe executable, and an encrypted payload file with varying names across different archives.

The attack relies on a path substitution technique: when the ViPNet update service processes the archive, it executes the legitimate lumpdiag.exe with specific parameters, and that execution in turn triggers the malicious msinfo32.exe.

Once active, the backdoor establishes connections with command and control (C2) servers over TCP, enabling attackers to exfiltrate files from infected computers and execute additional malicious components.
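A defender-side triage check for an already extracted update archive, added here as an example and not code from the article or from the ViPNet vendor: it flags the component layout the article describes (a file named after a Windows system binary shipped next to action.inf and lumpdiag.exe, plus an unrecognised payload member) and compares member hashes with the values published below. Treating the published values as MD5 (they are 32 hex digits long) and the sample file contents are assumptions.

```python
import hashlib

# Archive layout described in the article: two legitimate files, one malicious
# executable named after a Windows system tool, and an encrypted payload whose
# name varies between archives.
LEGIT_COMPONENTS = {"action.inf", "lumpdiag.exe"}
WINDOWS_BINARY_NAMES = {"msinfo32.exe"}  # a vendor update should never ship this name
# Hash values published with the article; 32 hex digits, so treated as MD5 (assumption).
PUBLISHED_HASHES = {
    "018AD336474B9E54E1BD0E9528CA4DB5",
    "28AC759E6662A4B4BE3E5BA7CFB62204",
    "77DA0829858178CCFC2C0A5313E327C1",
    "A5B31B22E41100EB9D0B9A27B9B2D8EF",
    "E6DB606FA2B7E9D58340DF14F65664B8",
}

def triage_update_members(members):
    """members: iterable of (filename, content_bytes) from an extracted update
    archive. Returns a list of (filename, reason) findings; an empty list means
    nothing matched the reported pattern."""
    findings = []
    names = {name.lower() for name, _ in members}
    for name, data in members:
        lname = name.lower()
        if lname in WINDOWS_BINARY_NAMES:
            findings.append((name, "named after a Windows system binary"))
        digest = hashlib.md5(data).hexdigest().upper()
        if digest in PUBLISHED_HASHES:
            findings.append((name, "MD5 matches a published indicator"))
        if lname not in LEGIT_COMPONENTS | WINDOWS_BINARY_NAMES:
            findings.append((name, "unexpected member; possible encrypted payload"))
    # Whole-archive verdict: both legitimate files plus a Windows-named binary.
    if LEGIT_COMPONENTS <= names and names & WINDOWS_BINARY_NAMES:
        findings.append(("<archive>", "layout matches the reported lookalike update"))
    return findings

# Constructed sample members; placeholder bytes, not real file contents.
SAMPLE = [
    ("action.inf", b"placeholder action file"),
    ("lumpdiag.exe", b"MZ placeholder for the legitimate diagnostic tool"),
    ("msinfo32.exe", b"MZ placeholder for the malicious executable"),
    ("data.bin", b"\x00\x11\x22 placeholder for the encrypted payload"),
]

if __name__ == "__main__":
    for name, reason in triage_update_members(SAMPLE):
        print(f"{name}: {reason}")
```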

This discovery comes amid increasing cyber espionage activities. Recent reports have identified new advanced persistent threat (APT) groups actively targeting government entities using sophisticated techniques that leverage cloud services and public platforms as command and control infrastructure.

Similar patterns of state-sponsored hacking have been observed elsewhere, with cyberattacks linked to broader campaigns against critical institutions.

ViPNet’s developer has confirmed the targeted attacks against their users and has issued security updates and recommendations to mitigate the threat.

Cybersecurity experts emphasize that as APT groups’ tactics become increasingly complex, organizations must implement multi-layered defense strategies.

Organizations using ViPNet networking solutions are strongly advised to:

  • Verify the authenticity of updates before installation.
  • Implement strict access controls.
  • Regularly monitor network traffic for suspicious activities.
  • Ensure security solutions detect threats like HEUR:Trojan.Win32.Loader.gen.

Security researchers believe sharing these preliminary findings will help at-risk organizations take swift protective measures against this emerging threat that exploits trusted update mechanisms to penetrate secure networks.

Indicators of compromise

File hashes (the article labels these SHA256, but each value is 32 hex digits, the length of an MD5 digest)

018AD336474B9E54E1BD0E9528CA4DB5
28AC759E6662A4B4BE3E5BA7CFB62204
77DA0829858178CCFC2C0A5313E327C1
A5B31B22E41100EB9D0B9A27B9B2D8EF
E6DB606FA2B7E9D58340DF14F65664B8


Kaaviya
Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She covers various cyber security incidents happening in cyberspace.