Attackers Exploit SimpleHelp Flaw to Deploy New Malware
An unidentified threat actor has been observed exploiting a recently disclosed maximum-severity vulnerability in SimpleHelp to deliver two previously undocumented malware families, TaskWeaver and Djinn Stealer. The flaw, tracked as CVE-2026-48558, is an authentication bypass in SimpleHelp's OpenID Connect (OIDC) login flow and carries a CVSS score of 10.0, the highest possible rating.
The attackers use the flaw to gain unauthorized access to systems managed by SimpleHelp, a remote support and IT management product. Once inside, they deploy TaskWeaver, which appears to be a modular backdoor built for reconnaissance and follow-on compromise. They then introduce Djinn Stealer, a new information stealer designed to exfiltrate credentials, browser cookies, and cryptocurrency wallet data.
The campaign underscores the risk posed by unpatched vulnerabilities in widely deployed IT management software. Because CVE-2026-48558 sits in the OIDC authentication mechanism, exploitation requires no valid credentials. The paired deployment of TaskWeaver and Djinn Stealer points to an attack chain aimed at both establishing persistent access and extracting valuable data from compromised environments. Organizations running SimpleHelp should confirm they are on a fixed release and review authentication logs for unexpected OIDC sign-ins. Security researchers are analyzing both malware families and developing countermeasures.
Original source: read the full reporting on The Hacker News.