ViPNet Client (InfoTeCS)

Incident Summary

ViPNet updates mimicked to deploy backdoor.

A sophisticated backdoor was distributed disguised as updates for ViPNet, a secure networking software suite by InfoTeCS used in Russia. Attackers crafted update archives that, when processed by the ViPNet update service component, would execute a malicious loader and deploy a versatile backdoor.

Date: 2025-04-01 to 2025-04-22
Category: Commercial
Target Surface: Distribution
Insertion Phase: distribution
Impact: Backdoor
Cause: Compromised update package

What Was Affected

Package ViPNet Client (InfoTeCS)

LanguageC++

ComponentApplication

Artifact typebinary archive

Domain typevendor

Domain N/A

Compromised Versions

ViPNet Client versions susceptible to this update package manipulation

Incident Context

Motive: Espionage
Attribution: APT group
Transitive: No
Observed Duration: 21 days

Evidence

Compromised Artifacts

Malicious LZH update archives for ViPNet software, designed to be processed by the ViPNet update service.

Current Artifacts and Analysis

securelist.com/new-backdoor-mimics-security-software-update/116246
%TEMP%\update_tmp*\update\msinfo32.exe
%PROGRAMFILES%\common files\infotecs\update_tmp\driv_*\*\msinfo32.exe
%PROGRAMFILESx86%\InfoTeCS\ViPNet Coordinator\ccc\update_tmp\DRIV_FSA\*\msinfo32.exe

Indicators and Changes

Hashes

md5:018AD336474B9E54E1BD0E9528CA4DB5
md5:28AC759E6662A4B4BE3E5BA7CFB62204
md5:77DA0829858178CCFC2C0A5313E327C1
md5:A5B31B22E41100EB9D0B9A27B9B2D8EF
md5:E6DB606FA2B7E9D58340DF14F65664B8

Source Data

Source record: proprietary/vipnet/meta.yaml