Russian organizations targeted by backdoor masquerading as secure networking software updates
Summary: this article describes a sophisticated cyberattack against Russian government, financial and industrial organizations. The attackers distributed malware disguised as a ViPNet software update and used a path substitution technique to execute the malicious program and plant a backdoor. The backdoor connects to a C2 server and is used to steal files and perform other malicious actions. The article stresses the importance of multi-layered defense and provides the related indicators of compromise. 2025-04-22 13:00:08 Author: securelist.com

Incidents

As we were looking into a cyberincident in April 2025, we uncovered a rather sophisticated backdoor. It targeted various large organizations in Russia, spanning the government, finance, and industrial sectors. While our investigation into the attack associated with the backdoor is still ongoing, we believe it is crucial to share our preliminary findings with the community. This will enable organizations that may be at risk of infection from the backdoor to take swift action to protect themselves from this threat.

Impersonating a ViPNet update

Our investigation revealed that the backdoor targets computers connected to ViPNet networks. ViPNet is a software suite for creating secure networks. We determined that the backdoor was distributed inside LZH archives with a structure typical of updates for the software product in question. These archives contained the following files:

  • action.inf: a text file
  • lumpdiag.exe: a legitimate executable
  • msinfo32.exe: a small malicious executable
  • an encrypted file containing the payload (the name varies between archives)

The ViPNet developer confirmed targeted attacks against some of their users and issued security updates and recommendations for customers (page in Russian).

Malware execution

After analyzing the contents of the archive, we found that the action.inf text file contained an action to be executed by the ViPNet update service component (itcsrvup64.exe) when processing the archive:

    [ACTION]
    action=extra_command
    extra_command=lumpdiag.exe --msconfig

As the file content above shows, when the update service processes extra_command it launches lumpdiag.exe with the --msconfig argument. As mentioned earlier, lumpdiag.exe itself is a legitimate file; the problem is that it is susceptible to path substitution: when run this way it resolves msinfo32.exe by name rather than by an absolute path to the Windows system directory, so the attacker's msinfo32.exe, placed next to it in the extracted update folder, is the copy that gets executed while lumpdiag.exe is running. Note that lumpdiag.exe never has to be modified; a legitimate, vendor-shipped binary does the launching, which is what lets the malicious stage slip through an update path the organization already trusts.
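The two properties that made this archive dangerous, an action.inf whose extra_command hands the update service an arbitrary command line, and a file named after a Windows system binary dropped next to the program that command launches, can both be checked mechanically on an extracted update directory. The following script is an added example written for this page; it is not code from the original article or from the ViPNet vendor. It assumes the archive has already been unpacked to a directory, that the INF layout is exactly the [ACTION] / action / extra_command form shown above, and that the set of system binary names it checks for collisions is an illustrative subset chosen here. The sample directory it builds uses placeholder bytes, not real samples.

```python
import configparser
import os
import re
import shlex
import tempfile
from dataclasses import dataclass

# Windows binaries that live in %SystemRoot%\System32 and have no business in an
# update package. Illustrative subset chosen for this example, not an exhaustive list.
SYSTEM_BINARY_NAMES = {"msinfo32.exe", "msconfig.exe", "cmd.exe", "rundll32.exe"}


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    detail: str


def parse_action_inf(text: str) -> dict:
    """Return the key/value pairs of the [ACTION] section, keys lower-cased.

    The section name is matched case-insensitively. Only '=' is treated as a
    delimiter so that ':' inside Windows paths is never mistaken for one.
    An unparsable file yields {}.
    """
    cp = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    for section in cp.sections():
        if section.upper() == "ACTION":
            return {k.lower(): v.strip() for k, v in cp.items(section)}
    return {}


def command_executable(command: str) -> str:
    """Lower-cased base name of the program an extra_command line would launch."""
    tokens = shlex.split(command, posix=False)  # keep Windows-style quoting intact
    if not tokens:
        return ""
    return re.split(r"[\\/]", tokens[0].strip('"'))[-1].lower()


def inspect_update_dir(path: str) -> list:
    """Flag an arbitrary extra_command and any system-binary name collision."""
    findings = []
    inf_path = os.path.join(path, "action.inf")
    if not os.path.isfile(inf_path):
        return findings
    with open(inf_path, encoding="utf-8", errors="replace") as fh:
        action = parse_action_inf(fh.read())
    shipped = {name.lower() for name in os.listdir(path)}

    if action.get("action", "").lower() == "extra_command":
        command = action.get("extra_command", "")
        findings.append(Finding("medium", f"action.inf asks the update service to run: {command!r}"))
        exe = command_executable(command)
        if exe and exe in shipped:
            findings.append(Finding("medium", f"launched program {exe} is shipped inside the package"))

    # Path substitution: a file named like a System32 binary, sitting next to the
    # launched program, is the copy that gets picked up instead of the real one.
    for name in sorted(shipped & SYSTEM_BINARY_NAMES):
        findings.append(Finding("high", f"{name} collides with a Windows system binary name"))
    return findings


def build_sample_dir() -> str:
    """Constructed replica of the archive layout from the article (placeholder bytes)."""
    root = tempfile.mkdtemp(prefix="update_tmp")
    with open(os.path.join(root, "action.inf"), "w", encoding="utf-8") as fh:
        fh.write("[ACTION]\naction=extra_command\nextra_command=lumpdiag.exe --msconfig\n")
    for name in ("lumpdiag.exe", "msinfo32.exe", "payload.bin"):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"MZ placeholder for " + name.encode())  # not a real binary
    return root


if __name__ == "__main__":
    for finding in inspect_update_dir(build_sample_dir()):
        print(f"[{finding.severity}] {finding.detail}")
```

Run against the extraction folders listed in the indicators of compromise (the update_tmp directories) rather than against the LZH archive itself, since the update service extracts before it reads action.inf. The collision check is deliberately name-based: a file named msinfo32.exe outside %SystemRoot%\System32 is suspicious whatever its hash, which matters because the five hashes published for this campaign will not cover a recompiled loader.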

Downloadable payload

The msinfo32.exe file is a loader that reads the encrypted payload file. The loader processes the contents of the file to load the backdoor into memory. This backdoor is versatile: it can connect to a C2 server via TCP, allowing the attacker to steal files from infected computers and launch additional malicious components, among other things. Kaspersky solutions detect this threat as HEUR:Trojan.Win32.Loader.gen.

Multi-layered security is key to preventing sophisticated cyberattacks

The complexity of cyberattacks carried out by APT groups has significantly increased over the years. Attackers can target organizations in highly unusual and unexpected ways. To prevent sophisticated targeted attacks, it is essential to employ multi-layered, defense-in-depth security against cyberthreats. This is the type of security architecture implemented in our Kaspersky NEXT product line, capable of protecting businesses from attacks similar to the one described in this article.

Indicators of compromise

The full list of indicators of compromise is available to subscribers of our Kaspersky Threat Intelligence service.

MD5 hashes of msinfo32.exe

018AD336474B9E54E1BD0E9528CA4DB5
28AC759E6662A4B4BE3E5BA7CFB62204
77DA0829858178CCFC2C0A5313E327C1
A5B31B22E41100EB9D0B9A27B9B2D8EF
E6DB606FA2B7E9D58340DF14F65664B8

Paths to malicious files

%TEMP%\update_tmp*\update\msinfo32.exe

%PROGRAMFILES%\common files\infotecs\update_tmp\driv_*\*\msinfo32.exe

%PROGRAMFILESx86%\InfoTeCS\ViPNet Coordinator\ccc\update_tmp\DRIV_FSA\*\msinfo32.exe
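The path indicators above contain environment variables and wildcards, so a useful sweep has to expand the variables, glob the wildcard components and hash whatever it finds. The following script does that and is an added example for this page, not code from the original article or from Kaspersky. It assumes that %VAR% in the paths denotes an environment variable and that the list's spelling %PROGRAMFILESx86% stands for the standard ProgramFiles(x86) variable; the directory tree it builds for demonstration is constructed with placeholder bytes, not real samples.

```python
import glob
import hashlib
import os
import re
import tempfile
from typing import Optional

# MD5 hashes of the malicious msinfo32.exe samples from the IOC list (lower-cased).
MSINFO32_MD5 = {
    "018ad336474b9e54e1bd0e9528ca4db5",
    "28ac759e6662a4b4be3e5ba7cfb62204",
    "77da0829858178ccfc2c0a5313e327c1",
    "a5b31b22e41100eb9d0b9a27b9b2d8ef",
    "e6db606fa2b7e9d58340df14f65664b8",
}

# Path patterns from the IOC list, verbatim; '*' is treated as a glob wildcard.
IOC_PATH_PATTERNS = [
    r"%TEMP%\update_tmp*\update\msinfo32.exe",
    r"%PROGRAMFILES%\common files\infotecs\update_tmp\driv_*\*\msinfo32.exe",
    r"%PROGRAMFILESx86%\InfoTeCS\ViPNet Coordinator\ccc\update_tmp\DRIV_FSA\*\msinfo32.exe",
]


def host_env() -> dict:
    """Environment variables keyed by upper-cased name, plus the PROGRAMFILESx86 alias."""
    env = {k.upper(): v for k, v in os.environ.items()}
    if "PROGRAMFILES(X86)" in env:  # assumption: this is what the IOC list means
        env.setdefault("PROGRAMFILESX86", env["PROGRAMFILES(X86)"])
    return env


def expand_pattern(pattern: str, env: dict) -> Optional[str]:
    """Substitute %VAR% references (case-insensitive) and normalise separators.

    Returns None when a variable is undefined, so the pattern is skipped rather
    than being globbed as a relative path from the current directory.
    """
    missing = []

    def substitute(match):
        value = env.get(match.group(1).upper())
        if value is None:
            missing.append(match.group(1))
            return ""
        return value

    expanded = re.sub(r"%([^%]+)%", substitute, pattern)
    return None if missing else expanded.replace("\\", os.sep)


def md5_of(path: str) -> str:
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(patterns=IOC_PATH_PATTERNS, env: Optional[dict] = None, bad_hashes=MSINFO32_MD5) -> list:
    """One record per file matching an IOC path: path, MD5, and whether the hash is
    in the published list. Any msinfo32.exe at these locations is suspicious (the
    real one lives in System32), so a hit with an unknown hash still needs triage."""
    env = host_env() if env is None else {k.upper(): v for k, v in env.items()}
    hits = []
    for pattern in patterns:
        expanded = expand_pattern(pattern, env)
        if expanded is None:
            continue
        for path in sorted(glob.glob(expanded)):
            if os.path.isfile(path):
                digest = md5_of(path)
                hits.append({"path": path, "md5": digest, "known_bad": digest in bad_hashes})
    return hits


def build_sample_tree() -> tuple:
    """Constructed layout mimicking two of the IOC paths (placeholder bytes, not
    real samples). Returns (environment overrides, MD5 of the planted files)."""
    root = tempfile.mkdtemp(prefix="ioc_sweep_")
    planted = [
        os.path.join(root, "temp", "update_tmp1234", "update", "msinfo32.exe"),
        os.path.join(root, "pf", "common files", "infotecs", "update_tmp", "driv_fsa", "1", "msinfo32.exe"),
    ]
    for path in planted:
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"MZ placeholder - not a real binary")
    env = {"TEMP": os.path.join(root, "temp"), "PROGRAMFILES": os.path.join(root, "pf")}
    return env, md5_of(planted[0])


if __name__ == "__main__":
    sample_env, planted_md5 = build_sample_tree()
    for hit in sweep(env=sample_env, bad_hashes=MSINFO32_MD5 | {planted_md5}):
        print(hit)
```

On a real host call sweep() with no arguments so the process environment is used; the explicit env parameter exists so the sweep can be pointed at a mounted disk image or a constructed tree, as the demonstration does. Note that glob matching is case-insensitive on Windows but not on other filesystems, so when scanning an image from a non-Windows machine the pattern casing must match the directory names as they appear on disk.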


Source: https://securelist.com/new-backdoor-mimics-security-software-update/116246/