A new, highly advanced backdoor has been uncovered targeting several major organizations across Russia’s government, finance, and industrial sectors, highlighting an escalating threat landscape for critical infrastructure.
The malware campaign, discovered during an ongoing investigation into a cyber incident in April 2025, demonstrates a refined approach: the attackers deliver their payload through what appears to be legitimate software updates for ViPNet, a widely used suite for establishing secure networks.
Backdoor Delivered through Impersonated ViPNet Update Archives
At the core of the attack is a deceptive distribution mechanism: the backdoor is packaged within LZH archive files that closely mimic the structure of authentic ViPNet software updates.
Each archive typically contains a mix of legitimate and malicious components, including a configuration file (action.inf), a valid executable (lumpdiag.exe), the actual malicious loader (msinfo32.exe), and an encrypted payload with a variable name.
Through analysis, investigators found that the action.inf file is crafted to instruct ViPNet's update service (itcsrvup64.exe) to execute lumpdiag.exe with a specific --msconfig argument.
While lumpdiag.exe itself is legitimate, the attackers abuse a path substitution technique so that the malicious msinfo32.exe shipped in the same archive is executed alongside it.
This loader then reads and decrypts the payload file, ultimately injecting the backdoor into system memory.
Payload Capabilities and Ongoing Threat
Once established, the backdoor is versatile and robust, capable of connecting to a command-and-control (C2) server via TCP.
This connectivity allows attackers to exfiltrate files, deploy additional malware modules, and maintain persistent access to compromised systems, posing a significant risk to both organizational data and operational integrity.
The msinfo32.exe component is detected by Kaspersky’s cybersecurity solutions as HEUR:Trojan.Win32.Loader.gen, underscoring the evolving nature of loader-based threats.
In response to the incident, the developer of ViPNet has verified targeted attacks against some of their customers and has released security updates and guidelines to mitigate further risk.
However, the sophistication of this campaign reflects broader trends in advanced persistent threat (APT) operations, where multi-stage, deceptive attack chains are increasingly common.
According to the Kaspersky Report, this incident serves as another reminder of the importance of multi-layered, defense-in-depth cybersecurity strategies.
Modern APT groups employ highly unusual and unpredictable vectors, making traditional perimeter-based defenses inadequate on their own.
Security vendors stress the need for comprehensive, proactive monitoring and threat intelligence integration, as seen in products like Kaspersky NEXT, which are explicitly designed to counter and detect complex, multi-stage attacks.
While a full list of indicators of compromise is reserved for Kaspersky Threat Intelligence service subscribers, several hashes related to msinfo32.exe and key file paths have been publicly disclosed to assist organizations in hunting for signs of infection.
Security teams are urged to monitor for the presence of msinfo32.exe in temporary and program files directories as outlined, and to stay informed on further updates as the investigation continues.
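As an added example (not part of the Kaspersky report or this article), the following PowerShell hunt looks for msinfo32.exe outside its only legitimate locations (System32 and SysWOW64) and records whether the campaign's companion files (lumpdiag.exe, action.inf) sit beside it. The search roots are assumed stand-ins for the disclosed paths, and the hash list is a placeholder to be filled from the report.

```powershell
# Added example: hunt for msinfo32.exe outside its legitimate Windows directories.
# Search roots are an assumption standing in for the paths published in the report.
$SearchRoots = @(
    $env:TEMP,
    "$env:SystemRoot\Temp",
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)},
    $env:ProgramData
) | Where-Object { $_ -and (Test-Path $_) }

# The genuine System Information tool lives only in these two directories.
$LegitimateDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

# Placeholder: populate with the msinfo32.exe SHA-256 values from the Kaspersky report.
$KnownBadSha256 = @()

# Files that accompany the loader in the fake ViPNet update archives.
$CompanionFiles = @('lumpdiag.exe', 'action.inf')

function Find-SuspiciousMsinfo32 {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Filter 'msinfo32.exe' -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $LegitimateDirs -notcontains $_.DirectoryName } |
            ForEach-Object {
                $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
                $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                # Companion files in the same directory strengthen the match to this campaign.
                $siblings = Get-ChildItem -Path $_.DirectoryName -File -Force -ErrorAction SilentlyContinue |
                    Where-Object { $CompanionFiles -contains $_.Name } |
                    Select-Object -ExpandProperty Name
                [pscustomobject]@{
                    Path       = $_.FullName
                    SizeBytes  = $_.Length
                    LastWrite  = $_.LastWriteTimeUtc
                    Signature  = $sig.Status
                    Signer     = $sig.SignerCertificate.Subject
                    Sha256     = $hash
                    KnownBad   = $KnownBadSha256 -contains $hash
                    Companions = ($siblings -join ', ')
                }
            }
    }
}

$findings = Find-SuspiciousMsinfo32 -Roots $SearchRoots
if ($findings) { $findings | Format-List }
else { Write-Output "No msinfo32.exe found outside $($LegitimateDirs -join ', ')" }
```

Any hit with an unsigned or unexpected signer, or with lumpdiag.exe and action.inf in the same directory, warrants isolating the host and preserving the files for analysis.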
As investigations progress, information sharing such as this remains essential for enabling at-risk organizations to take swift and effective action against emerging threats.