Mallory
Malware · Exploits 1 CVE

Djinn Stealer


EXPLOITED CVES

Vulnerabilities exploited

1 CVE that Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

1 CVE
CVE-2026-48558 · SimpleHelp OIDC Authentication Bypass · Exploited in the wild

Hackers are exploiting a recently disclosed critical vulnerability (CVE-2026-48558) in SimpleHelp to deploy Djinn Stealer... Horizon3.ai published details about CVE-2026-48558, saying that the flaw could be leveraged to create highly privileged technician accounts without authentication. Exploiting the vulnerability is possible on servers using the OpenID Connect (OIDC) authentication protocol.

Hackers are exploiting a recently disclosed critical vulnerability (CVE-2026-48558) in SimpleHelp to deploy Djinn Stealer, a previously undocumented cross-platform information stealer targeting Windows, macOS, and Linux.

via BleepingComputer (bleepingcomputer.com)
MITRE ATT&CK

Techniques & procedures

10 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1078 · Valid Accounts · Evidence: 1

The compromised RMM platform provided the operator with a trusted administrative channel capable of transferring files and executing commands on systems managed through the server

Persistence

1 technique
T1078 · Valid Accounts · Evidence: 1

The compromised RMM platform provided the operator with a trusted administrative channel capable of transferring files and executing commands on systems managed through the server

Privilege Escalation

2 techniques
T1068 · Exploitation for Privilege Escalation · Evidence: 1

a threat actor exploited the critical authentication bypass vulnerability to establish an authenticated technician session on an internet-facing SimpleHelp server

T1078 · Valid Accounts · Evidence: 1

The compromised RMM platform provided the operator with a trusted administrative channel capable of transferring files and executing commands on systems managed through the server

Stealth

1 technique
T1078 · Valid Accounts · Evidence: 1

The compromised RMM platform provided the operator with a trusted administrative channel capable of transferring files and executing commands on systems managed through the server

Credential Access

3 techniques
T1528 · Steal Application Access Token · Evidence: 1

Local configuration files, authentication tokens, session data, and Model Context Protocol (MCP) configuration for AI coding assistants

T1555 · Credentials from Password Stores · Evidence: 1

Djinn Stealer... targets a broad collection of developer and infrastructure credentials... Docker credentials, Helm... package manager credentials

T1649 · Steal or Forge Authentication Certificates · Evidence: 1

Djinn Stealer... targets a broad collection of developer and infrastructure credentials: Cloud provider credentials, identity services... GitHub CLI, SSH keys... PGP keys

Discovery

1 technique
T1057 · Process Discovery · Evidence: 1

On Linux, the malware also attempts to read the /proc/<pid>/cmdline and /proc/<pid>/environ virtual files that contain information about a running process

Collection

2 techniques
T1005 · Data from Local System · Evidence: 1

The loader then installs Djinn Stealer to collect in a single pass all the sensitive data it can find on a developer's machine

T1560 · Archive Collected Data · Evidence: 1

Before exfiltrating the sensitive data to the C2 server, Djinn Stealer packs it into a TAR archive, then compresses it with GZIP

Command and Control

1 technique
T1105 · Ingress Tool Transfer · Evidence: 1

The compromised RMM platform provided the operator with a trusted administrative channel capable of transferring files and executing commands on systems managed through the server

Exfiltration

1 technique
T1041 · Exfiltration Over C2 Channel · Evidence: 1

Before exfiltrating the sensitive data to the C2 server, Djinn Stealer packs it into a TAR archive
