ViPNet updates mimicked to deploy backdoor
Targeted LZH archives imitated ViPNet security-network updates for Russian organizations in government, finance, and industry.
Story
Kaspersky published the Russian disclosure on April 17, 2025 after finding the backdoor during an incident response. The victims were large Russian organizations connected to ViPNet networks, including government, finance, and industrial targets.
This was not described as a public vendor update-server compromise. InfoTeCS confirmed targeted attacks against some users and said the vector required access to a ViPNet node with operating-system administrator rights, deep knowledge of ViPNet network mechanics, and a signing key for a valid certificate in the organization's internal trust space.
The attacker then misused the ViPNet mftp transport protocol to imitate software-update envelopes. The malicious LZH archives looked like ViPNet update packages: each contained action.inf, a legitimate lumpdiag.exe, a small malicious msinfo32.exe, and an encrypted payload file whose name varied by archive.
The update service component itcsrvup64.exe processed action.inf and executed lumpdiag.exe --msconfig. The legitimate executable was susceptible to path substitution, so the attacker-controlled msinfo32.exe ran in its context, decrypted the payload, and mapped the backdoor into memory.
The backdoor connected to command-and-control over TCP, could steal files, and could launch additional malicious components. InfoTeCS said the target security functions of ViPNet products were not affected, issued updates for ViPNet Client 4 and ViPNet Coordinator HW4, and published customer checks for msinfo32.exe, event ID 4688 process creation, and suspicious ViPNet-node traffic.
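A defender-side version of the msinfo32.exe and event ID 4688 checks mentioned above, written as an added example and not InfoTeCS's published check. The 4688 records and the InfoTeCS directory paths are constructed for illustration; the field names follow the 4688 EventData schema.

```python
from pathlib import PureWindowsPath

# Constructed sample of Security event ID 4688 (process creation) records. Field
# names follow the 4688 EventData schema; the InfoTeCS paths are placeholders.
SAMPLE_4688 = [
    {"EventID": 4688,
     "NewProcessName": r"C:\Windows\System32\msinfo32.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe"},
    {"EventID": 4688,
     "NewProcessName": r"C:\Program Files\InfoTeCS\update\lumpdiag.exe",
     "ParentProcessName": r"C:\Program Files\InfoTeCS\itcsrvup64.exe",
     "CommandLine": "lumpdiag.exe --msconfig"},
    {"EventID": 4688,
     "NewProcessName": r"C:\Program Files\InfoTeCS\update\msinfo32.exe",
     "ParentProcessName": r"C:\Program Files\InfoTeCS\update\lumpdiag.exe"},
    {"EventID": 4689, "ProcessName": r"C:\Windows\System32\msinfo32.exe"},
]

SYSTEM_DIRS = {"system32", "syswow64"}


def in_windows_system_dir(path: str) -> bool:
    """True when the file sits directly in System32 or SysWOW64 under Windows."""
    p = PureWindowsPath(path)
    return (p.parent.name.lower() in SYSTEM_DIRS
            and p.parent.parent.name.lower() == "windows")


def flag_msinfo32(events):
    """One finding per 4688 event matching either indicator from the story:
    msinfo32.exe running outside the system directories, or msinfo32.exe
    spawned by lumpdiag.exe (the path-substitution pattern)."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4688:
            continue  # only process-creation events carry the parent/child pair
        child = PureWindowsPath(ev.get("NewProcessName", ""))
        parent = PureWindowsPath(ev.get("ParentProcessName", ""))
        if child.name.lower() != "msinfo32.exe":
            continue
        reasons = []
        if not in_windows_system_dir(str(child)):
            reasons.append("msinfo32.exe outside Windows system directory")
        if parent.name.lower() == "lumpdiag.exe":
            reasons.append("msinfo32.exe spawned by lumpdiag.exe")
        if reasons:
            findings.append({"process": str(child), "parent": str(parent),
                             "reasons": reasons})
    return findings
```

On a real node, feed the function the EventData of exported 4688 events; the genuine msinfo32.exe launched from System32 by explorer.exe is not flagged, while the copy started by lumpdiag.exe from the update directory is.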
Affected Artifacts
- Observed
- 2025-04-01 to 2025-04-22
- Compromised Versions
- Unknown
- Fixed
- Not listed
- Hashes
- md5:018AD336474B9E54E1BD0E9528CA4DB5
- md5:28AC759E6662A4B4BE3E5BA7CFB62204
- md5:77DA0829858178CCFC2C0A5313E327C1
- +2 more
- Evidence
- mirror: securelist.com/new-backdoor-mimics-security-software-update/116246, file: action.inf, file: lumpdiag.exe, file: msinfo32.exe, +8 more
- Kaspersky's Russian disclosure was published on 2025-04-17 and updated on 2025-04-18 after InfoTeCS confirmed targeted attacks against some users; the English Securelist article followed on 2025-04-22.
- InfoTeCS stated that fifth-generation products, intermediate 4U products, and certified fourth-generation products operated according to their documentation were not susceptible to this attack.
- The modeled supply-chain boundary is the forged ViPNet update package accepted inside victim networks, not a confirmed compromise of the public InfoTeCS update service.
Incident Context
- Motive
- Espionage
- Attribution
- Group
- Cause
- Compromised Update Package
- Transitive
- No
- Actor
- APT group
External References
- Russian organizations targeted by backdoor masquerading as ViPNet software updates (securelist.ru)
- Russian organizations targeted by backdoor masquerading as secure networking software updates (securelist.com)
- Applicability of malware to ViPNet products (infotecs.ru)
- New Malware Masquerades as Networking Software Updates (cyberpress.org)
Source record: proprietary/vipnet/meta.yaml