
Critical SimpleHelp flaw exploited to deploy new stealer malware

Why This Matters

The exploitation of the SimpleHelp vulnerability highlights the ongoing risks faced by remote management platforms, which are critical tools for IT professionals. The deployment of new stealer malware underscores the importance of timely patching and robust security measures to protect sensitive data and infrastructure. This incident serves as a reminder for organizations to scrutinize their RMM tools and stay vigilant against emerging threats.

Key Takeaways

Hackers are exploiting a recently disclosed critical vulnerability (CVE-2026-48558) in SimpleHelp to deploy Djinn Stealer, a previously undocumented cross-platform information stealer targeting Windows, macOS, and Linux.

The SimpleHelp platform is primarily used by managed service providers (MSPs), IT departments, helpdesks, and system administrators for remote monitoring and management (RMM).

Earlier this month, offensive security company Horizon3.ai published details about CVE-2026-48558, saying that the flaw could be leveraged to create highly privileged technician accounts without authentication.

Exploiting the vulnerability is possible on servers using the OpenID Connect (OIDC) authentication protocol. According to the researchers, around 1,000 SimpleHelp servers exposed online were running a vulnerable configuration at the time of the disclosure.

In an incident investigated by managed detection and response (MDR) provider Blackpoint, a threat actor exploited the critical authentication bypass vulnerability to establish an authenticated technician session on an internet-facing SimpleHelp server before deploying the TaskWeaver malware loader and the Djinn Stealer.

Based on the findings from the Adversary Pursuit Group (APG), the company's threat intelligence and research team, both pieces of malware are new and have not been documented before.

"The compromised RMM platform provided the operator with a trusted administrative channel capable of transferring files and executing commands on systems managed through the server," Blackpoint says.

The investigation revealed that TaskWeaver was downloaded in the form of an obfuscated JavaScript file named ‘jquery.js’ from a temporary Cloudflare domain.

TaskWeaver is a generic malware loader that fingerprints the compromised device and communicates with the command-and-control (C2) infrastructure to receive new JavaScript modules for execution.

The loader then installs Djinn Stealer, which collects, in a single pass, all the sensitive data it can find on a developer's machine, whether it runs Windows, macOS, or Linux.
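The delivery chain described above (an obfuscated JavaScript file posing as `jquery.js`, pulled from a throwaway hostname, followed by further JavaScript modules fetched from the same place) is something a defender can hunt for in egress or proxy telemetry. The script below is an added illustration, not code from the article, Blackpoint, or SimpleHelp; the log line format, the sample records, the placeholder tunnel hostname and the CDN allowlist are all assumptions constructed for the example. It flags any `jquery.js` served from a host outside a trusted-CDN list and then any follow-on `.js` fetched by the same client from that same host, which is consistent with a loader retrieving modules.

```python
"""Defender-side triage of web-proxy records for the loader delivery pattern
described in the article. Added example with assumed formats and constructed
data; the hostnames below are placeholders, not real indicators."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample proxy log. Assumed format:
#   <timestamp> <client-ip> <method> <url> <status> <bytes>
SAMPLE_LOG = """\
2026-05-12T10:01:02Z 10.0.0.5 GET https://code.jquery.com/jquery-3.7.1.min.js 200 87533
2026-05-12T10:03:44Z 10.0.0.7 GET https://tunnel-placeholder.invalid/jquery.js 200 41220
2026-05-12T10:03:50Z 10.0.0.7 GET https://tunnel-placeholder.invalid/module1.js 200 12000
2026-05-12T10:05:10Z 10.0.0.9 GET https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js 200 87533
"""

# Assumed allowlist: hosts from which jQuery is legitimately served in this
# environment. Tune to what your own proxy history shows.
TRUSTED_JS_HOSTS = {"code.jquery.com", "cdnjs.cloudflare.com", "ajax.googleapis.com"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")


@dataclass
class Finding:
    ts: str
    client: str
    host: str
    path: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Split one proxy record into fields; returns None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, size = m.groups()
    host, _, path = re.sub(r"^https?://", "", url).partition("/")
    return {"ts": ts, "client": client, "method": method, "host": host.lower(),
            "path": path, "status": int(status), "size": int(size)}


def triage(log_text: str) -> List[Finding]:
    """Flag 'jquery.js' from non-CDN hosts, then follow-on .js from the same host."""
    findings: List[Finding] = []
    suspect_pairs = set()  # (client, host) pairs that served the decoy jquery.js
    for rec in (parse_line(l) for l in log_text.splitlines()):
        if rec is None:
            continue
        filename = rec["path"].rsplit("/", 1)[-1].lower()
        key = (rec["client"], rec["host"])
        if filename == "jquery.js" and rec["host"] not in TRUSTED_JS_HOSTS:
            suspect_pairs.add(key)
            findings.append(Finding(rec["ts"], rec["client"], rec["host"], rec["path"],
                                    "jquery.js served from a host outside the CDN allowlist"))
        elif key in suspect_pairs and filename.endswith(".js"):
            findings.append(Finding(rec["ts"], rec["client"], rec["host"], rec["path"],
                                    "follow-on JavaScript module from the same suspect host"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.ts} {f.client} -> {f.host}/{f.path}: {f.reason}")
```

Run against the constructed sample, the script reports the two fetches by 10.0.0.7 and stays silent on the genuine CDN downloads. In production the same logic would sit on top of your proxy or DNS exporter; the allowlist is the part that needs local tuning, since the whole signal is "jQuery from somewhere it should not come from".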
