Cybersecurity researchers discovered Evil Corp, or TA505, hackers using their own control panel, dubbed TeslaGun, to drop a backdoor codenamed ServHelper. The financially motivated group is known for changing its malware attack strategies and adopting new technologies.

Intended targets

  • The threat actors have carried out mass phishing campaigns against 8,160 targets since July 2020.
  • TA505 is actively targeting online banking or retail users, including their crypto wallets and e-commerce accounts.
  • A majority of those victims are located in the U.S. (3,667), followed by Russia (647), Brazil (483), Romania (444), and the U.K (359).

Diving into details

The ServHelper backdoor, once downloaded, sets up reverse SSH tunnels that allow attackers to access the infected system via RDP.
  • The TeslaGun control panel is used by the hackers to manage the ServHelper backdoor, working as a C2 framework to seize the compromised machines.
  • It enables the attackers to issue a single command to all victim devices or configure the panel such that a predefined command is automatically run when a new victim is added to the panel.
  • The panel has a pragmatic, minimalist design, and the main dashboard only contains infected victim data, a comment section for each victim, and options for filtering victim records.

Other than the panel, the threat actors are also known to employ a remote desktop protocol tool to access the infected systems via RDP tunnels.


For the past three years, the ServHelper backdoor development team has kept the malware up to date by incorporating new features to make it more resistant to the organization's security panel. Data exfiltration attacks by the threat group are also likely to target the health sector. The threat looms large as threat actors continue to use tried and tested methods to disrupt high-end organizations.
Cyware Publisher