Sophisticated backdoor mimicking secure networking software updates

April 22, 2025, 10:50 p.m.

Description

A sophisticated backdoor targeting Russian organizations in government, finance, and industry sectors was discovered masquerading as updates for ViPNet secure networking software. The malware, distributed in LZH archives, exploits a path substitution technique to execute a malicious loader that deploys a versatile backdoor. This backdoor can connect to a C2 server, steal files, and launch additional malicious components. The attack highlights the increasing complexity of APT group tactics and emphasizes the need for multi-layered security defenses to protect against such sophisticated threats.

Date

  • Created: April 22, 2025, 6:02 p.m.
  • Published: April 22, 2025, 6:02 p.m.
  • Modified: April 22, 2025, 10:50 p.m.

Attack Patterns

  • HEUR:Trojan.Win32.Loader.gen

Additional Information

  • Finance
  • Government
  • Russian Federation