In short: On 16 July 2026, Kaspersky GReAT researchers exposed HelloNet, an active APT campaign that plants spyware through the update system of ViPNet, a widely used secure-network product. The targets are Russian organisations in government, industry, energy, transport, logistics and education. It is a textbook supply-chain attack, where a trusted update becomes a channel for surveillance.
What happened
On 16 July 2026, the Kaspersky GReAT threat-research team reported an active targeted campaign it named HelloNet. The attack has been running since at least May 2026 and was still active at publication. Its victims are large Russian organisations across the government, industrial, energy, transport, logistics and education sectors. What sets the campaign apart is that its malicious modules are launched through the update system of ViPNet — popular software for building secure networks.
This is not the first incident of its kind: back in 2025 researchers found a sophisticated backdoor disguised as ViPNet updates, and dozens of Russian organisations were hit. For why timely updates and patches still matter, see our report on Microsoft's record July Patch Tuesday.
How attackers abuse ViPNet updates
According to Kaspersky, the attackers drop a malicious wtsapi32.dll library into the ViPNet update-system directory and exploit DLL sideloading: a legitimate ViPNet component that runs at system start-up loads the substituted library itself. The malicious code therefore executes with the trust of "native" software and survives reboots.
A set of previously unknown modules then takes over: HelloInjector injects code into system processes, HelloProxy proxies traffic and loads further components, HelloBackdoor (written in Rust) opens a control channel and can upload and download files, HelloExecutor runs commands, and HelloCleaner wipes ViPNet logs to cover the tracks. A low-confidence technical assessment points to a possible link with an unknown Chinese-speaking group, but the researchers do not rule out false flags.
Why supply-chain attacks are so dangerous
A supply-chain attack does not strike your password directly — it strikes your trust in software you already use. An update, the very thing security best practice tells you to install as fast as possible, becomes the way in. That is what makes such campaigns hard to spot: the malicious code arrives through a legitimate channel, carrying the reputation of a trusted product, so neither antivirus nor user expects trouble from a "native" update.
The irony is that the target here was security software itself. Compromising a protection tool hands the attacker deep access and a ready-made disguise at once. This is a broader 2026 trend: adversaries increasingly aim not at the end user head-on, but at suppliers and updates, to reach many organisations in one move.
What this means for your data
HelloNet is a targeted attack on organisations, not on personal phones, and it poses no direct threat to most individuals. Yet the fallout touches everyone: when the infrastructure of a government body, energy company or university is breached, it is citizens' personal data that leaks — the same data that later fuels the underground market and targeted phishing. The more such databases circulate, the more convincing the "your bank" or "your clinic" messages become.
The second lesson is personal. The logic that "a trusted update can turn out to be malicious" holds at home too: fake updates, installers and "patches" from unofficial sources are among the most common ways to infect a personal device. Hence a simple rule: install software and its updates only from official stores and developer sites.
How to protect your data
Install updates only from official sources. The App Store, Google Play, the developer's own site — and no "boosters," "activators" or APKs from random forums. Our guide on how to download a VPN safely covers the principles, and they apply to any software.
Build defence in depth. No single tool covers everything. Unique passwords in a password manager, two-factor authentication and the habit of double-checking unexpected messages limit the damage even when a leak happens somewhere.
Encrypt your connection on untrusted networks. A VPN will not stop a targeted attack on your employer's infrastructure — and it is fair to say so. But it does protect your side of the connection: on public or shared Wi-Fi it routes your traffic through an encrypted tunnel so others on the same network cannot intercept your logins and sessions. It is one layer alongside good update hygiene. For the corporate angle, see our piece on VPN for business. LiMP VPN is a no-logs service for iOS and Android — see the features and plans, and more privacy news on our blog.
Sources
This report is based on Kaspersky GReAT findings: the analysis on Securelist, together with coverage by CNews and Anti-Malware.ru, July 2026.
