TeslaGun Primed to Blast a New Wave of Backdoor Cyberattacks

What under-the-hood details of newly discovered attack control panel tell us about how the Evil Corp threat group manages its ServHelper backdoor malware campaigns.

A newly discovered cyberattack panel dubbed TeslaGun has been discovered, used by Evil Corp to run ServHelper backdoor campaigns.
Data gleaned from an analysis by the Prodraft Threat Intelligence (PTI) team shows the Evil Corp ransomware gang (aka TA505 or UNC2165, along with half a dozen other colorful tracking names) has used TeslaGun to carry out mass phishing campaigns and targeted campaigns against more than 8,000 different organizations and individuals. The majority of targets have been in the US, which accounted for more than 3,600 of the victims, with a scattered international distribution outside of that.
There has been a continued expansion of the ServHelper backdoor malware, a long-running and constantly updated package thats been kicking around since at least 2019. It began picking up steam once again in the second half of 2021, according to a
report from Cisco Talos
, spurred by mechanisms like fake installers and associated installer malware like Raccoon and Amadey.
Most recently,
threat intelligence from Trellix
last month reported that the ServHelper backdoor has recently been found dropping hidden cryptominers on systems.
The PTI report
, issued Tuesday, delves into the technical specifics behind TeslaGun, and offers some details and tips that can help enterprises move forward with important countermeasures to some of the prevailing backdoor cyberattack trends today.
Backdoor attacks that circumvent authentication mechanisms and quietly establish persistence on enterprise systems are some of the most disconcerting for cybersecurity defenders. Thats because these attacks are notoriously difficult to detect or prevent with standard security controls.
PTI researchers said they observed a wide range of different victim profiles and campaigns during their investigations, supporting previous research that showed ServHelper attacks are trawling for victims in a variety of simultaneous campaigns. This is a trademark attack pattern of casting a wide net for opportunistic hits.
A single instance of the TeslaGun control panel contains multiple campaign records representing different delivery methods and attack data, the report explained. Newer versions of the malware encode these different campaigns as campaign IDs.
At the same time, TeslaGun contains plenty of evidence that attackers are profiling victims, taking copious notes at some points, and conducting targeted backdoor attacks.
The PTI team observed that the main dashboard of the TeslaGun panel includes comments attached to victim records. These records show victim device data such as CPU, GPU, RAM size and internet connection speed, the report said, explaining this indicates targeting for cryptomining opportunities. On the other hand, according to victim comments, it is clear that TA505 is actively looking for online banking or retail users, including crypto-wallets and e-commerce accounts.
The report said that most victims appear to operate in the financial sector but that this targeting is not exclusive.
The way that the control panels user options are set up offered researchers a lot of information about the groups workflow and commercial strategy, the report said. For example, some filtering options were labeled Sell and Sell 2 with victims in these groups having remote desktop protocols (RDP) temporarily disabled through the panel.
This probably means that TA505 can not immediately earn a profit from exploiting those particular victims, according to the report. Instead of letting them go, the group has tagged those victim’s RDP connections for the resale to other cybercriminals.
The PTI report said that based on the researchers observations, the groups internal structure was surprisingly disorganized but that its members still carefully monitor their victims and can demonstrate remarkable patience, especially with high-value victims in the finance sector.
The analysis further notes that the strength of the group is its agility, which makes it hard to predict activity and detect over time.
Nevertheless, the backdoor attackers arent perfect, and this can offer some clues for cybersecurity pros looking to thwart their efforts.
The group does exhibit some telltale weaknesses, however. While TA505 can maintain hidden connections on victims’ devices for months, its members are often unusually noisy, the report said. After installing ServHelper, TA505 threat actors may manually connect to victim devices through RDP tunneling. Security technologies capable of detecting these tunnels may prove vital for catching and mitigating TA505s backdoor attacks.
The Russian-linked (and sanctioned) Evil Corp has been one of the most prolific groups of the last five years. According to the
US government
, the group is the brain trust behind the financial Trojan Dridex and has associations with campaigns using ransomware variants like WastedLocker. It continues to hone a raft of weapons for its arsenal as well; last week, it came to light that its associated with
Raspberry Robin infections
.
PTI uses TA505 to track the threat, and
consensus is solid
but not universal that TA505 and Evil Corp are the same group. A report last month from the
Health Sector Cybersecurity Coordination Center (HC3)
said it does not currently support that conclusion.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
TeslaGun Primed to Blast a New Wave of Backdoor Cyberattacks