Russian organizations targeted by backdoor masquerading as secure networking software updates


As we were looking into a cyberincident in April 2025, we uncovered a rather sophisticated backdoor. It targeted various large organizations in Russia, spanning the government, finance, and industrial sectors. While our investigation into the attack associated with the backdoor is still ongoing, we believe it is crucial to share our preliminary findings with the community. This will enable organizations that may be at risk of infection from the backdoor to take swift action to protect themselves from this threat.


Impersonating a ViPNet update


Our investigation revealed that the backdoor targets computers connected to ViPNet networks. ViPNet is a software suite for creating secure networks. We determined that the backdoor was distributed inside LZH archives with a structure typical of updates for the software product in question. These archives contained the following files:


action.inf: a text file
lumpdiag.exe: a legitimate executable
msinfo32.exe: a small malicious executable
an encrypted file containing the payload (the name varies between archives)

The ViPNet developer confirmed targeted attacks against some of their users and issued security updates and recommendations for customers (page in Russian).


Malware execution


After analyzing the contents of the archive, we found that the action.inf text file contained an action to be executed by the ViPNet update service component (itcsrvup64.exe) when processing the archive:


[ACTION]
action=extra_command
extra_command=lumpdiag.exe --msconfig

As evident from the file content above, when processing extra_command, the update service launches lumpdiag.exe with a --msconfig argument. We mentioned earlier that this is a legitimate file. However, it is susceptible to the path substitution technique. This allows attackers to execute the malicious file msinfo32.exe ..
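A small triage script for the archive layout described above, added here as an example and not part of the original article or the vendor's tooling. It parses action.inf for the extra_command and flags any file in the extracted update directory whose name shadows a Windows system binary; the SYSTEM_BINARY_NAMES set and the sample directory contents are constructed for illustration.

```python
# Added triage example: inspect an extracted ViPNet-style update directory
# for an extra_command in action.inf and for files that shadow Windows
# system binaries next to the launched tool (path substitution indicator).
import configparser
import tempfile
from pathlib import Path

# Assumption: names of Windows binaries a legitimate tool might resolve by bare
# name. Finding one shipped inside an update archive is suspicious.
SYSTEM_BINARY_NAMES = {"msinfo32.exe"}


def parse_action_inf(text: str) -> dict:
    """Return the [ACTION] section of an action.inf as a dict (keys lowercased)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return dict(cp["ACTION"]) if cp.has_section("ACTION") else {}


def triage_update_dir(root: str) -> dict:
    """Inspect an extracted update directory and return triage findings."""
    root_path = Path(root)
    inf = root_path / "action.inf"
    action = parse_action_inf(inf.read_text(encoding="utf-8", errors="replace")) if inf.exists() else {}
    files = {p.name.lower() for p in root_path.iterdir() if p.is_file()}
    shadowed = sorted(files & SYSTEM_BINARY_NAMES)
    extra = action.get("extra_command", "")
    launched = extra.split()[0].lower() if extra else ""
    return {
        "extra_command": extra,
        "launched_binary_present": launched in files,
        "shadowed_system_binaries": shadowed,
        # Suspicious when the archive both runs a tool via extra_command and
        # ships a file named like a system binary beside that tool.
        "suspicious": bool(extra) and bool(shadowed),
    }


def build_sample_archive_dir() -> str:
    """Create a constructed sample mirroring the archive layout in the article."""
    d = tempfile.mkdtemp(prefix="vipnet_triage_")
    (Path(d) / "action.inf").write_text(
        "[ACTION]\naction=extra_command\nextra_command=lumpdiag.exe --msconfig\n"
    )
    for name in ("lumpdiag.exe", "msinfo32.exe", "payload.bin"):
        (Path(d) / name).write_bytes(b"placeholder")  # constructed, not real binaries
    return d


if __name__ == "__main__":
    print(triage_update_dir(build_sample_archive_dir()))
```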
