Threat Group Cards: A Threat Actor Encyclopedia
Archived: 2026-04-05 16:15:07 UTC

Tool: ServHelper

Names: ServHelper
Category: Malware
Type: Backdoor, Credential stealer, Downloader

Description: ServHelper is written in Delphi and according to ProofPoint best classified as a backdoor. ProofPoint noticed two distinct variants - 'tunnel' and 'downloader' (citation): 'The 'tunnel' variant has more features and focuses on setting up reverse SSH tunnels to allow the threat actor to access the infected contains functionality for the threat actor to 'hijack' legitimate user accounts or their web browser profiles and use them as they see downloader.'

Information: MITRE ATT&CK, Malpedia

Last change to this tool card: 14 May 2020

All groups using tool ServHelper

APT groups:
TA505, Graceful Spider, Gold Evergreen (observed: 2006-Nov 2022)

1 group listed (1 APT, 0 other, 0 unknown)

Source: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=8e84ad65-ea4e-40a0-9598-e3a8402c012c