HelloInjector/HelloProxy malware activity in ViPNet update abuse
Malware Activity
Updated: 19.07.2026 17:23
· First: 19.07.2026 17:23
· 📰 1 src / 1 articles
· H score: 23
The HelloInjector loader is running HelloProxy in memory and pulling additional modules from a C2 server, enabling expanded control over Windows hosts. The malware is delivered as wtsapi32.dll through the ViPNet Update System and sideloaded by itcsrvup64.exe at startup. It injects into svchost.exe to gain elevated privileges and persistence across reboots. The activity is part of HelloNet, which is targeting Russian organizations across multiple sectors.