Jun 9, 2026
C2 Hosts: 2
ServHelper
ServHelper is written in Delphi and according to ProofPoint best classified as a backdoor.
ProofPoint noticed two distinct variant - "tunnel" and "downloader" (citation):
"The 'tunnel' variant has more features and focuses on setting up reverse SSH tunnels to allow the threat actor to access the infected host via Remote Desktop Protocol (RDP). Once ServHelper establishes remote desktop access, the malware contains functionality for the threat actor to 'hijack' legitimate user accounts or their web browser profiles and use them as they see fit. The 'downloader' variant is stripped of the tunneling and hijacking functionality and is used as a basic downloader."
Linked Threat Actors
TA505
C2 Infrastructure
Hosting/VPS 100%
Last 7 days
| Date | C2 Hosts |
|---|---|
| Jun 9, 2026 | 2 |
Further Reading
blog.intel471.com opens in a new tab
blog.intel471.com
blog.talosintelligence.com opens in a new tab
blog.talosintelligence.com
blog.trendmicro.com opens in a new tab
blog.trendmicro.com
e.cyberint.com opens in a new tab
e.cyberint.com
insights.oem.avira.com opens in a new tab
insights.oem.avira.com
intel471.com opens in a new tab
intel471.com
medium.com opens in a new tab
medium.com
prodaft.com opens in a new tab
prodaft.com
securitynews.sonicwall.com opens in a new tab
securitynews.sonicwall.com
threatrecon.nshc.net opens in a new tab
threatrecon.nshc.net
ti.360.net opens in a new tab
ti.360.net
ti.qianxin.com opens in a new tab
ti.qianxin.com
binarydefense.com opens in a new tab
binarydefense.com
blueliv.com opens in a new tab
blueliv.com
cert.ssi.gouv.fr opens in a new tab
cert.ssi.gouv.fr
cert.ssi.gouv.fr opens in a new tab
cert.ssi.gouv.fr
cybereason.com opens in a new tab
cybereason.com
deepinstinct.com opens in a new tab
deepinstinct.com
gdatasoftware.com opens in a new tab
gdatasoftware.com
prodaft.com opens in a new tab
prodaft.com
proofpoint.com opens in a new tab
proofpoint.com
ptsecurity.com opens in a new tab
ptsecurity.com
secureworks.com opens in a new tab
secureworks.com
trendmicro.com opens in a new tab
trendmicro.com