S0382: ServHelper
ServHelper is a backdoor first observed in late 2018. The backdoor is written in Delphi and is typically delivered as a DLL file.[1]
Analyst context for executives and security teams
ServHelper is a Windows backdoor, typically delivered as a DLL, that ATT&CK links to a broad set of behaviors spanning execution, persistence, discovery, command and control, file transfer, account manipulation, and RDP-based lateral movement. For leaders, the practical issue is not just the malware name; it is whether Windows endpoint, identity, RDP, and web-traffic monitoring can prove what happened after a backdoor lands.
Executive priority
Treat ServHelper as a readiness test for post-compromise visibility on Windows systems. Priority questions include: can the organization detect suspicious DLL execution, new or modified accounts/groups, scheduled tasks, Run key persistence, PowerShell/cmd activity, RDP use, and outbound web-based command-and-control patterns? Because ATT&CK provides no official detection text for this object, assurance should come from validated telemetry, tested incident response procedures, and audit-ready evidence rather than malware-specific promises.
Technical view
SOC and IR teams should validate coverage around the ATT&CK relationships: Rundll32/DLL execution, PowerShell and Windows command shell activity, scheduled tasks, Registry Run Keys/Startup Folder persistence, local account creation, group membership changes (Remote Desktop Users and Administrators), masqueraded account names, RDP logons, system/user discovery, file deletion (self-removal), ingress tool transfer, HTTP-based C2, and a reverse SSH tunnel used to expose RDP (which ATT&CK maps to Asymmetric Cryptography). The malware is documented as Windows and DLL-based, so endpoint process, module, registry, task, account, and authentication telemetry are central.
Likely telemetry
- Windows process creation events for rundll32.exe, powershell.exe, cmd.exe, schtasks.exe, and account/group management commands
- DLL/module load or file creation telemetry for newly introduced DLL payloads
- Windows Task Scheduler creation/modification events
- Registry monitoring for Run key and Startup Folder persistence locations
- Local account creation and local/domain group membership change logs
Detection direction
- Build behavior-based detections around the related ATT&CK techniques rather than relying on a ServHelper-specific signature, since official ATT&CK detection guidance is not provided.
- Tune Rundll32 detections for unusual DLL paths, recently written DLLs, abnormal parent processes, and command lines inconsistent with normal administration.
- Correlate persistence indicators such as scheduled tasks and Run keys with recent DLL writes, shell activity, or suspicious outbound web traffic.
- Review account and group changes for newly created local accounts, unexpected privilege assignment, or names that resemble legitimate accounts.
- Baseline legitimate RDP usage and alert on unusual account, source, destination, or time-of-day patterns, especially after suspicious endpoint execution.
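The correlation the detection direction above calls for (Rundll32 loading a recently written DLL, schtasks spawned from a shell chain, a Run key pointing at that DLL) as a small rule engine run over constructed, Sysmon-style endpoint events. This is an added example, not ServHelper's code or anything from the page; the event field names (`type`, `image`, `cmdline`, `parent_image`, `target`, `details`) and the user-writable path list are assumptions for this example rather than any vendor's schema.

```python
"""Correlate the rundll32 / schtasks / Run-key chain against a freshly written DLL.

Added example, not ServHelper's code or the page's own. Events are normalized
Sysmon-style records (process_create, file_create, registry_set) constructed below;
field names are assumptions for this example, not a vendor schema.
"""
from datetime import datetime, timedelta
import re

# Locations where a dropped DLL typically lands; rundll32 loading from these
# paths is treated as suspicious (assumption chosen for this example).
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\AppData|Windows\\Temp|ProgramData|Users\\Public)\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
DLL_IN_CMDLINE = re.compile(r'([A-Za-z]:\\[^"\s,]+\.dll)', re.I)
SHELL_PARENTS = ("rundll32.exe", "cmd.exe", "powershell.exe")


def _ts(event):
    return datetime.fromisoformat(event["time"])


def recent_dll_writes(events, host, before, window):
    """Lower-cased DLL paths written on `host` within `window` before `before`."""
    return {
        e["path"].lower()
        for e in events
        if e["host"] == host and e["type"] == "file_create"
        and e["path"].lower().endswith(".dll")
        and before - window <= _ts(e) <= before
    }


def correlate(events, window_minutes=30):
    """Return alert dicts for rundll32/schtasks/Run-key activity tied to a fresh DLL."""
    window = timedelta(minutes=window_minutes)
    alerts = []
    for e in events:
        host, when = e["host"], _ts(e)
        image = e.get("image", "").lower()
        if e["type"] == "process_create" and image.endswith("rundll32.exe"):
            m = DLL_IN_CMDLINE.search(e["cmdline"])
            dll = m.group(1).lower() if m else ""
            fresh = recent_dll_writes(events, host, when, window)
            # Alert on a user-writable DLL path or a DLL written just before execution.
            if dll and (USER_WRITABLE.search(dll) or dll in fresh):
                alerts.append({"rule": "rundll32_suspicious_dll", "host": host,
                               "pid": e["pid"], "dll": dll})
        elif (e["type"] == "process_create" and image.endswith("schtasks.exe")
              and "/create" in e["cmdline"].lower()):
            # Task creation spawned from a shell/rundll32 chain, not an admin console.
            if e["parent_image"].lower().endswith(SHELL_PARENTS):
                alerts.append({"rule": "schtasks_create_from_shell_chain", "host": host,
                               "pid": e["pid"], "parent": e["parent_image"]})
        elif e["type"] == "registry_set" and RUN_KEY.search(e["target"]):
            payload = e["details"].lower()
            fresh = recent_dll_writes(events, host, when, window)
            # Run key pointing at rundll32 or at a DLL dropped inside the window.
            if "rundll32" in payload or any(d in payload for d in fresh):
                alerts.append({"rule": "run_key_persistence", "host": host,
                               "pid": e["pid"], "target": e["target"]})
    return alerts


# Constructed sample telemetry for this example (not real ServHelper artifacts).
SAMPLE_EVENTS = [
    {"time": "2019-01-09T10:00:00", "host": "WS01", "type": "file_create",
     "path": r"C:\Users\alice\AppData\Roaming\upd.dll", "pid": 4120},
    {"time": "2019-01-09T10:01:30", "host": "WS01", "type": "process_create",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\alice\AppData\Roaming\upd.dll",EntryPoint',
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "pid": 4388},
    {"time": "2019-01-09T10:02:00", "host": "WS01", "type": "process_create",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /sc minute /mo 5 /tn "Updater" /tr "rundll32.exe C:\Users\alice\AppData\Roaming\upd.dll,EntryPoint"',
     "parent_image": r"C:\Windows\System32\rundll32.exe", "pid": 4402},
    {"time": "2019-01-09T10:02:10", "host": "WS01", "type": "registry_set",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"rundll32.exe C:\Users\alice\AppData\Roaming\upd.dll,EntryPoint", "pid": 4388},
    # Benign control: printer UI via rundll32 from explorer, system DLL, no recent write.
    {"time": "2019-01-09T11:00:00", "host": "WS02", "type": "process_create",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe printui.dll,PrintUIEntry /in /n \\srv\printer",
     "parent_image": r"C:\Windows\explorer.exe", "pid": 5100},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The three alerts fire on WS01 only; the benign rundll32 call on WS02 passes because the DLL is not given as a full path in a user-writable location and nothing wrote a DLL on that host inside the window. Widening `window_minutes` or the path list trades false positives for coverage of slower droppers.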
Mitigation priorities
- Prioritize least privilege and administrative account governance to reduce the value of account creation, group modification, and RDP access.
- Restrict and monitor RDP exposure and require strong authentication controls for remote access where applicable.
- Harden Windows execution paths by monitoring or controlling DLL execution through trusted utilities such as rundll32.exe.
- Enable and retain endpoint, PowerShell, registry, scheduled task, account, and authentication logs needed to reconstruct activity.
- Review persistence locations such as scheduled tasks, Run keys, and Startup folders as part of incident response playbooks and routine hygiene.
Analyst notes and limits
ATT&CK identifies ServHelper as a Delphi-written backdoor first observed in late 2018 and typically delivered as a DLL. ATT&CK also relates it to TA505 and multiple techniques across execution, persistence, discovery, defense evasion/stealth, command and control, and lateral movement. This take uses those relationships to frame defensive validation, not to assert current activity or environment-specific exposure.
Official ATT&CK detection guidance is not provided for this malware object. The supplied object specifies Windows as the platform, while several related techniques have broader ATT&CK platform lists; local validation should focus first on Windows telemetry for this malware. No active exploitation status, customer impact, indicators of compromise, or guaranteed detection coverage is supplied.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | ServHelper can execute shell commands against cmd. (Citation: Proofpoint TA505 Jan 2019)(Citation: Deep Instinct TA505 Apr 2019) |
| Enterprise | T1573.002 | Asymmetric Cryptography Sub-technique | ServHelper may set up a reverse SSH tunnel to give the attacker access to services running on the victim, such as RDP. (Citation: Proofpoint TA505 Jan 2019) |
| Enterprise | T1071.001 | Web Protocols Sub-technique | ServHelper uses HTTP for C2. (Citation: Proofpoint TA505 Jan 2019) |
| Enterprise | T1105 | Ingress Tool Transfer | ServHelper may download additional files to execute. (Citation: Proofpoint TA505 Jan 2019)(Citation: Deep Instinct TA505 Apr 2019) |
| Enterprise | T1136.001 | Local Account Sub-technique | ServHelper has created a new user named "supportaccount". (Citation: Proofpoint TA505 Jan 2019) |
| Enterprise | T1082 | System Information Discovery | ServHelper will attempt to enumerate Windows version and system architecture. (Citation: Proofpoint TA505 Jan 2019) |
| Enterprise | T1021.001 | Remote Desktop Protocol Sub-technique | ServHelper has commands for adding a remote desktop user and sending RDP traffic to the attacker through a reverse SSH tunnel. (Citation: Proofpoint TA505 Jan 2019) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | ServHelper may attempt to establish persistence via the |
| Enterprise | T1059.001 | PowerShell Sub-technique | ServHelper has the ability to execute a PowerShell script to get information from the infected host. (Citation: Trend Micro TA505 June 2019) |
| Enterprise | T1036.010 | Masquerade Account Name Sub-technique | ServHelper has created a new user named `supportaccount`. (Citation: Proofpoint TA505 Jan 2019) |
| Enterprise | T1033 | System Owner/User Discovery | ServHelper will attempt to enumerate the username of the victim. (Citation: Proofpoint TA505 Jan 2019) |
| Enterprise | T1218.011 | Rundll32 Sub-technique | ServHelper contains a module for downloading and executing DLLs that leverages |
| Enterprise | T1070.004 | File Deletion Sub-technique | ServHelper has a module to delete itself from the infected machine. (Citation: Proofpoint TA505 Jan 2019)(Citation: Deep Instinct TA505 Apr 2019) |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | ServHelper contains modules that will use schtasks to carry out malicious operations. (Citation: Proofpoint TA505 Jan 2019) |
| Enterprise | T1098.007 | Additional Local or Domain Groups Sub-technique | ServHelper has added a user named "supportaccount" to the Remote Desktop Users and Administrators groups. (Citation: Proofpoint TA505 Jan 2019) |
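The account-side rows above (Local Account, Masquerade Account Name, Additional Local or Domain Groups, Remote Desktop Protocol) and the account/RDP items in the detection direction describe one chain: a new local account with a plausible-looking name is added to Remote Desktop Users and Administrators and then used over RDP. The block below, an added example rather than ServHelper's code or the page's own, runs that correlation over constructed Windows Security events (4720 account created, 4732 member added to a local group, 4624 logon with type 10). The event field names, the known-account list and the support-word list are assumptions for this example.

```python
"""Correlate account creation -> privileged/RDP group -> RDP logon.

Added example, not ServHelper's code or the page's own. Input is a list of
normalized Security events; field names, KNOWN_ACCOUNTS and the sample events are
constructed for this example.
"""
from datetime import datetime, timedelta
from difflib import SequenceMatcher

# Well-known SIDs of the two groups ServHelper is documented to add its account to.
WATCHED_GROUPS = {"S-1-5-32-544": "Administrators", "S-1-5-32-555": "Remote Desktop Users"}
# Accounts that legitimately exist in this example environment (constructed).
KNOWN_ACCOUNTS = ("svc_support", "helpdesk", "alice", "bob")
# Words chosen so a new account reads like an IT or vendor account (assumption).
SUPPORT_WORDS = ("support", "help", "admin", "service", "svc")


def looks_masqueraded(name, known=KNOWN_ACCOUNTS, threshold=0.75):
    """True if the name uses a support-style word or closely resembles a known account."""
    low = name.lower()
    if any(w in low for w in SUPPORT_WORDS):
        return True
    return any(SequenceMatcher(None, low, k.lower()).ratio() >= threshold for k in known)


def correlate_accounts(events, window_minutes=60):
    """Return alerts for a newly created account that gains RDP/admin rights or logs on via RDP."""
    window = timedelta(minutes=window_minutes)
    created = {}            # (host, account) -> time of the 4720 seen in this batch
    alerts = []
    for e in sorted(events, key=lambda x: x["time"]):   # ISO-8601 strings sort by time
        when = datetime.fromisoformat(e["time"])
        key = (e["host"], e["account"].lower())
        base = {"host": e["host"], "account": e["account"]}
        if e["event_id"] == 4720:
            created[key] = when
            if looks_masqueraded(e["account"]):
                alerts.append({"rule": "new_account_masquerade_name", **base})
        elif e["event_id"] == 4732 and e["group_sid"] in WATCHED_GROUPS:
            # `account` here is the member added to the group.
            if key in created and when - created[key] <= window:
                alerts.append({"rule": "new_account_in_watched_group",
                               "group": WATCHED_GROUPS[e["group_sid"]], **base})
        elif e["event_id"] == 4624 and e.get("logon_type") == 10:
            # Logon type 10 (RemoteInteractive) is an RDP session.
            if key in created and when - created[key] <= window:
                alerts.append({"rule": "rdp_logon_by_new_account",
                               "source": e.get("source_ip"), **base})
    return alerts


# Constructed sample events for this example (not real telemetry).
SAMPLE_SECURITY_EVENTS = [
    {"time": "2019-01-09T09:00:00", "host": "WS02", "event_id": 4720, "account": "jdoe"},
    {"time": "2019-01-09T09:10:00", "host": "WS02", "event_id": 4732, "account": "alice",
     "group_sid": "S-1-5-32-555"},          # existing user, no creation in the batch
    {"time": "2019-01-09T10:05:00", "host": "WS01", "event_id": 4720, "account": "supportaccount"},
    {"time": "2019-01-09T10:05:20", "host": "WS01", "event_id": 4732, "account": "supportaccount",
     "group_sid": "S-1-5-32-555"},
    {"time": "2019-01-09T10:05:25", "host": "WS01", "event_id": 4732, "account": "supportaccount",
     "group_sid": "S-1-5-32-544"},
    {"time": "2019-01-09T10:20:00", "host": "WS01", "event_id": 4624, "account": "supportaccount",
     "logon_type": 10, "source_ip": "10.0.0.5"},
]

if __name__ == "__main__":
    for alert in correlate_accounts(SAMPLE_SECURITY_EVENTS):
        print(alert)
```

The ordinary onboarding of `jdoe` and the group change for the pre-existing `alice` produce nothing; `supportaccount` trips the name check, both group additions and the RDP logon. Keying on the 4720 seen in the same batch keeps the rule stateless, which is also its limit: an account created before the retention window starts will not be correlated, so pair this with a periodic review of local group membership.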
Groups, software, and campaigns
ATT&CK relates ServHelper to the group TA505, consistent with the Proofpoint report cited in [1] that documents TA505 introducing the malware.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 6c6758e8904b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Proofpoint. Retrieved May 28, 2019.
[2] MITRE ATT&CK. S0382: ServHelper. The MITRE Corporation.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.