Back to Intelligence

HelloNet APT & Daxin Rootkit Resurgence: OTX Pulse Analysis — Enterprise Detection Pack

SA
Security Arsenal Team
July 17, 2026
6 min read

Active APT campaigns HelloNet (Russia) and Daxin (Taiwan) exploit software updates and Winlogon via DLL sideloading. High urgency.

Threat Summary

Recent OTX pulses indicate a surge in sophisticated DLL sideloading techniques employed by state-aligned adversaries. The HelloNet campaign targets Russian entities using a software supply chain attack against the ViPNet update system, deploying a modular suite of Rust-based malware (HelloInjector, HelloProxy, HelloBackdoor). Simultaneously, the Daxin rootkit, associated with China-linked espionage, has resurfaced in Taiwan targeting manufacturing and tech sectors, utilizing a novel persistence mechanism via Trojanized keyboard-layout DLLs loaded by Winlogon. Additionally, a crimeware campaign delivering NetSupport RMM via MediaFire demonstrates the continued abuse of Python side-loading for initial access.

Threat Actor / Malware Profile

HelloNet Campaign (Suspected Chinese APT)

  • Malware Families: HelloInjector, HelloProxy, HelloExecutor, HelloCleaner, HelloBackdoor.
  • Distribution: Supply chain compromise via ViPNet (Russian VPN software) update mechanism.
  • Payload Behavior: Modular Rust-based malware suite. HelloInjector acts as a loader, HelloProxy facilitates network tunneling and payload delivery, and HelloBackdoor provides remote access.
  • Persistence: DLL sideloading. Adversaries place a malicious wtsapi32.dll within the ViPNet directory, forcing the legitimate application to load the malicious code upon execution.
  • C2 Communication: Uses HelloProxy to obfuscate traffic.

Daxin & Stupig (China-Linked Espionage)

  • Malware Families: Backdoor.Daxin, Backdoor.Stupig.
  • Distribution: Unknown (likely spear-phishing or credential theft).
  • Payload Behavior: Daxin is a kernel-mode rootkit capable of intercepting network traffic. Stupig is a new backdoor variant.
  • Persistence: Winlogon persistence. Uses a Trojanized keyboard-layout DLL loaded by winlogon.exe, allowing execution with System privileges during the login screen or session initialization.
  • Anti-Analysis: Kernel-mode capabilities make detection difficult for user-mode AV solutions.

NetSupport RMM Campaign (Crimeware)

  • Malware Families: NetSupport RMM (Legitimate RMM tool abused).
  • Distribution: Email delivery directing users to a MediaFire ZIP file containing Setu.exe.
  • Payload Behavior: Process injection into dllhost.exe.
  • Persistence: Scheduled Tasks.
  • Evasion: Python side-loading via a padded 400MB python37.dll to bypass heuristic scanning.

IOC Analysis

The provided pulses consist of:

  • File Hashes: MD5 (HelloNet) and SHA256 (Daxin). SOC teams should block these hashes on endpoints and scan filesystems retroactively.
  • Network Indicators: Domains (bsc.blockrazor.xyz, xn--fiqq24b9hejs1c.clickvector.tech) and IP (138.124.186.2) associated with the NetSupport C2. These should be blocked at the perimeter and added to DNS watchlists.
  • Behavioral Indicators: IOCs are heavily reliant on file paths (ViPNet directories) and process behavior (Winlogon loading non-standard DLLs).

Detection Engineering

YAML
---
title: Potential HelloNet DLL Sideloading via ViPNet
id: 3c8f4c12-7b89-4a5d-9f6e-123456789abc
description: Detects potential HelloNet activity involving the sideloading of wtsapi32.dll within ViPNet directories.
status: experimental
author: Security Arsenal
date: 2026/07/17
references:
    - https://securelist.com/tr/hellonet-vipnet/120700/
tags:
    - attack.defense_evasion
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\wtsapi32.dll'
        Image|contains: 'ViPNet'
    condition: selection
falsepositives:
    - Legitimate ViPNet updates (rare)
level: high
---
title: Daxin Rootkit Persistence via Winlogon DLL Load
id: 5d9g5e23-8c90-5b6e-0g7f-234567890bcd
description: Detects suspicious DLLs loaded by winlogon.exe, typical of Daxin/Stupig keyboard layout persistence or similar rootkits.
status: experimental
author: Security Arsenal
date: 2026/07/17
references:
    - https://www.security.com/blog-post/daxin-returns-stupig
tags:
    - attack.persistence
    - attack.t1014
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\winlogon.exe'
        ImageLoaded|contains: '\System32\'
        ImageLoaded|endswith: '.dll'
        Signed: false
    filter:
        ImageLoaded|contains:
            - '\System32\kbdr'
            - '\System32\KBD'
    condition: selection and not filter
falsepositives:
    - Uncommon but legitimate keyboard layout updates
level: critical
---
title: NetSupport RMM Python Side-Loading
id: 6e0h6f34-9d01-6c7f-1h8g-345678901cde
description: Detects the execution of Setu.exe loading a suspicious python37.dll, indicative of the NetSupport RMM campaign.
status: experimental
author: Security Arsenal
date: 2026/07/17
references:
    - https://x.com/Kostastsale/status/2066545189137629302
tags:
    - attack.defense_evasion
    - attack.t1574.002
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\Setu.exe'
        ImageLoaded|endswith: '\python37.dll'
    condition: selection
falsepositives:
    - Legitimate Python application installers
level: high


kql
// Hunt for HelloNet related processes and NetSupport C2 connections
DeviceNetworkEvents
| where RemotePort == 7000 or RemoteIP == "138.124.186.2" 
   or RemoteUrl in ("bsc.blockrazor.xyz", "xn--fiqq24b9hejs1c.clickvector.tech")
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP, RemotePort
| union (
    DeviceProcessEvents
    | where ProcessVersionInfoCompanyName contains "Infotecs" // ViPNet Vendor
       or ProcessCommandLine contains "wtsapi32.dll"
       or FileName == "Setu.exe"
)
| order by Timestamp desc


powershell
# IOC Hunt Script for HelloNet and Daxin Persistence
Write-Host "Starting Hunt for HelloNet and Daxin Artifacts..." -ForegroundColor Cyan

# 1. Check for HelloNet wtsapi32.dll in ViPNet directories
$vipnetPaths = @("${env:ProgramFiles}\Infotecs", "${env:ProgramFiles(x86)}\Infotecs", "${env:LocalAppData}\Infotecs")
$maliciousDll = "wtsapi32.dll"

foreach ($path in $vipnetPaths) {
    if (Test-Path $path) {
        Write-Host "Checking ViPNet Path: $path" -ForegroundColor Yellow
        Get-ChildItem -Path $path -Recurse -Filter $maliciousDll -ErrorAction SilentlyContinue | ForEach-Object {
            Write-Host "ALERT: Found $maliciousDll at $($_.FullName)" -ForegroundColor Red
        }
    }
}

# 2. Check for Suspicious Keyboard Layouts (Daxin Indicator)
$klmPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Keyboard Layouts"
if (Test-Path $klmPath) {
    Write-Host "Checking Keyboard Layouts..." -ForegroundColor Yellow
    Get-ChildItem $klmPath | ForEach-Object {
        $layoutFile = (Get-ItemProperty "$($_.PSPath)\")."Layout File"
        if ($layoutFile -and $layoutFile -notmatch "^kbd.*\.dll$") {
            Write-Host "SUSPICIOUS: Non-standard keyboard layout file detected: $layoutFile in Key $($_.PSChildName)" -ForegroundColor Red
        }
    }
}

# 3. Check for NetSupport Scheduled Tasks
Write-Host "Checking Scheduled Tasks for NetSupport/RMM persistence..." -ForegroundColor Yellow
Get-ScheduledTask | Where-Object { $_.Actions.Execute -like "*python*" -or $_.Actions.Execute -like "*netsupport*" -or $_.TaskName -like "*python*" } | ForEach-Object {
    Write-Host "SUSPICIOUS Task Found: $($_.TaskName)" -ForegroundColor Red
    Write-Host "Command: $($_.Actions.Execute)" -ForegroundColor DarkGray
}

Write-Host "Hunt Complete." -ForegroundColor Green

Response Priorities

Immediate:

  • Block all listed network IOCs (IPs and Domains) at the firewall and proxy level.
  • Hunt for the specific MD5 hashes associated with HelloNet in the ViPNet installation directories.
  • Isolate any endpoints with alerts for winlogon.exe loading unsigned DLLs.

24h:

  • Verify the integrity of ViPNet software installations; if compromised, wipe and rebuild from trusted media.
  • Investigate scheduled tasks created around the time of suspected infection for persistence mechanisms related to the Python/NetSupport campaign.
  • Perform credential audits on systems where process injection (dllhost.exe) was observed.

1 week:

  • Implement application control (AppLocker) to restrict unsigned DLL loads in sensitive directories (e.g., ViPNet).
  • Update patch management policies to verify signatures for software updates, specifically for VPN/client software.
  • Conduct a review of Remote Monitoring and Management (RMM) tool usage to ensure no unauthorized NetSupport instances exist.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-malwarehellonetdaxindll-sideloadingaptnetsupport-rmm

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.