A sophisticated backdoor targeting various large Russian organizations across government, finance, and industrial sectors was uncovered during a cybersecurity investigation in April 2025. The malware, which masquerades as legitimate updates for ViPNet secure networking software, enables attackers to steal sensitive data and deploy additional malicious components to compromised systems. Security researchers believe sharing these preliminary findings will help at-risk organizations take swift protective measures against this emerging threat, which exploits trusted update mechanisms to penetrate secure networks.

Cybersecurity experts have determined that the malware is distributed inside LZH archives structured to mimic legitimate ViPNet updates, containing a mix of legitimate and malicious files. The malicious archives contain several components: an action.inf text file, a legitimate lumpdiag.exe executable, a malicious msinfo32.exe executable, and an encrypted payload file with varying names across different archives. The attack leverages a path substitution technique: when the ViPNet update service processes the archive, it executes the legitimate file with specific parameters, which then triggers the execution of the malicious msinfo32.exe file.

Once active, the backdoor establishes connections with command and control (C2) servers via TCP, enabling attackers to exfiltrate files from infected computers and execute additional malicious components. “This attack demonstrates the increasing sophistication of threat actors who exploit trusted software update mechanisms,” said a senior cybersecurity analyst familiar with the investigation.

Recent reports have identified new advanced persistent threat (APT) groups actively targeting government entities using sophisticated techniques that leverage cloud services and public platforms as command and control infrastructure.
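The two observable features the report gives a defender are the archive layout (action.inf, lumpdiag.exe, msinfo32.exe, plus one variably named payload) and the process chain (the legitimate lumpdiag.exe launching a look-alike msinfo32.exe that does not live in the Windows system directory). The following Python is an added example written for this page, not code from the researchers or from ViPNet's developer; it scores an archive member listing against the reported layout and flags process-creation events where msinfo32.exe runs from a non-system path. The log format, directory names and all sample data are constructed for illustration, and the report's "specific parameters" are not known here, so the check relies on file names and paths only.

```python
import ntpath
import re

# Components the report names inside the malicious update archives.
KNOWN_COMPONENTS = {"action.inf", "lumpdiag.exe", "msinfo32.exe"}

# Where the genuine Windows msinfo32.exe lives; a copy anywhere else is a
# look-alike shadowing the real system tool (path substitution).
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")


def archive_indicators(member_names):
    """Score an archive member listing against the reported layout.

    Returns (score, matched_components, extra_files):
      2 -> all three named components plus at least one other file, i.e.
           the exact shape the report describes (the extra file being the
           variably named encrypted payload);
      1 -> msinfo32.exe present at all: a Windows system tool has no
           business inside a vendor update archive;
      0 -> nothing of interest.
    """
    basenames = {ntpath.basename(n).lower() for n in member_names}
    matched = KNOWN_COMPONENTS & basenames
    extras = sorted(basenames - KNOWN_COMPONENTS)
    if matched == KNOWN_COMPONENTS and extras:
        return 2, matched, extras
    if "msinfo32.exe" in basenames:
        return 1, matched, extras
    return 0, matched, extras


# Constructed key="value" event format (assumption; not a real product log).
_KV = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line):
    """Parse one constructed process-creation log line into a dict."""
    return dict(_KV.findall(line))


def _outside_system_dirs(path):
    """True when the executable's directory is not a Windows system dir."""
    directory = ntpath.dirname(path).lower().rstrip("\\")
    return directory not in SYSTEM_DIRS


def suspicious_process_events(lines):
    """Return [(severity, event)] for msinfo32.exe started from a non-system
    path. Severity is 'high' when the parent is lumpdiag.exe, matching the
    chain the report describes, otherwise 'medium'."""
    findings = []
    for line in lines:
        event = parse_event(line)
        image = event.get("Image", "")
        if ntpath.basename(image).lower() != "msinfo32.exe":
            continue
        if not _outside_system_dirs(image):
            continue  # the real tool in System32/SysWOW64 is expected
        parent = ntpath.basename(event.get("ParentImage", "")).lower()
        severity = "high" if parent == "lumpdiag.exe" else "medium"
        findings.append((severity, event))
    return findings


# Constructed sample archive listings.
SAMPLE_ARCHIVE = ["action.inf", "lumpdiag.exe", "msinfo32.exe", "data.bin"]
BENIGN_ARCHIVE = ["action.inf", "update.exe", "readme.txt"]

# Constructed process-creation events; C:\UpdateStage is a placeholder,
# not the product's real staging or install location.
SAMPLE_EVENTS = [
    'Time="2025-04-23T08:20:24Z" ParentImage="C:\\UpdateStage\\lumpdiag.exe" '
    'Image="C:\\UpdateStage\\msinfo32.exe"',
    'Time="2025-04-23T08:21:00Z" ParentImage="C:\\Windows\\explorer.exe" '
    'Image="C:\\Windows\\System32\\msinfo32.exe"',
    'Time="2025-04-23T08:22:00Z" ParentImage="C:\\Windows\\explorer.exe" '
    'Image="C:\\Users\\u\\Downloads\\msinfo32.exe"',
]

if __name__ == "__main__":
    print("archive score:", archive_indicators(SAMPLE_ARCHIVE)[0])
    for severity, event in suspicious_process_events(SAMPLE_EVENTS):
        print(severity, event["ParentImage"], "->", event["Image"])
```

The archive check is meant to run on the member list of a staged update before it is handed to the update service, the process check on endpoint telemetry afterwards; together they cover both halves of the chain the report describes without needing the payload's contents.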
The backdoor specifically targets computers connected to ViPNet networks, a popular software suite used for creating secure networks in Russia. ViPNet’s developer has confirmed the targeted attacks against their users and has issued security updates and recommendations to mitigate the threat.

Kaaviya is a Security Editor and fellow reporter with Cyber Security News.
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 23 Apr 2025 08:20:24 +0000